Taking over the Netgear WNR3500
- The WNR3500 can be trivially taken over by any adversary on the LAN or WLAN.
- The WNR3500 can be taken over by a remote adversary through CSRF attack.
The Netgear WNR3500 router is susceptible to a previously disclosed vulnerability in its Telnet service that runs by default on port 23.
ISE discovered that a remote adversary can leverage a CSRF against a WNR3500 administrator to gain control of the router. The WNR3500 uses HTML form tokens to protect against CSRF attacks. However, the form tokens are based solely on router's current date and time. Since the router automatically synchronizes its date and time with Netgear NTP servers, it is trivial for an adversary to guess the CSRF tokens generated on these routers. ISE created a proof of concept that when executed by an unsuspecting device administrator, attempts to use every HTML form token that could have been created in the previous 20 minutes to enable remote management and remote Telnet access to the router.
Local Attack Requirements
- An attacker must have access to a machine on the local network, either by physically connecting, or by compromising a machine on the local network through other means (e.g., via malware).
Remote Attack Requirements
- The victim must have an active management session with the WNR3500.
- The victim must be fooled in to performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.
- The router must have, or have had NTP access to its predefined servers (though, even without this, guessing is still possible).
The Netgear WNR3500's anti-CSRF token generation is based on the C library calls
rand(). The WNR3500 automatically synchronizes its time using NTP after it establishes an Internet connection. By synchronizing with Netgear's NTP servers, an attacker can obtain the same date and time as on the router.
ISE's proof of concept attempts to use the 1200 possible anti-CSRF tokens that would have been generated in the last 20 minutes to enable remote management and -- because the router's password may differ from the default -- open the router's Telnet interface to the Internet.
The telnet interface has no authentication other than using a "telnetenable" program that is widely available on the Internet. An attacker must brute-force the device's MAC address to craft the correct "telnetenable" packet, but only three of six bytes of the address are unknown.
- Vulnerable Firmware is V126.96.36.199_35.0.53NA
- Other versions of the firmware were not tested.
A successful attack exploiting this vulnerability can give a remote adversary full control over the victim router.
Recommendations to the vendor
- The implementation of anti-CSRF tokens in the WNR3500 is insecure, because an attacker can reasonably guess and reproduce the token generation process. Cross-Site request forgery can be prevented by including an unpredictable token in each HTTP request submitted to the web server. At a minimum, these tokens should be unique to each user, but it is recommended that each HTML form delivered contain a unique token.
- In addition to HTML form tokens, HTTP referer checking should be enabled.
- Additional information for vendors regarding immediate and long term fixes for these issues can be found on our summary page here.
Recommendations to device administrators
- (4/13/2013) There is not currently an available firmware upgrade that will remedy this vulnerability.
- Take additional preventative measures and precautions by following the steps outlined on our summary page here.
Proof of Concept
This attack was complicated by the fact that CSRF tokens are used, an administrator password is required to change or reset the administrator credentials, and that the router rejects the addition of port forwarding rules to itself. All of these hurdles were overcome in our proof of concept attack.
Beating CSRF tokens. The WNR3500 uses anti-forgery tokens that are based on the current time. This was discovered by debugging the router-side code that generates these tokens. Since they are based on the current time, they can be easily guessed by attempting all tokens that could have been generated in the previous 20 minutes.
Bypassing the credential requirements. Enabling and accessing the WNR3500's web interface is useless without administrator crendentials, and these can not be obtained or reset through the same CSRF attack. However, as there is a local authentication bypass vulnerability described here, we were able to leverage this issue to gain access instead. Our CSRF attack just had to enable some port forwarding rules to grant us remote access to the Telnet administration interface.
For launching our proof of concept, we assume that a Netgear WNR3500 device administrator with an active management session established with the router has browsed to a malicious web page. Once there, sequential form submissions take place, automatically, to the administrator's router, from the administrator's browser. Since the administrator has a current session established with the Netgear router, the form submissions are processed.
The malicious CGI program (Figure 1) provides an initial attack page, and three additional pages for each of the needed requests (enable remote management, enable Telnet port forwarding, and change the router's IP address to match the destination of the port forwarding).
Once the router resets, the Telnet service is open to the Internet, and an attacker could use the Netgear "telnetenable" tool to access Telnet. This tool requires knowledge of the router's MAC address, which contains six bytes, three of which are unique. It is unlikely that these three bytes are randomly chosen (making for a reasonably easy guessing scenario), but even if they were, an attacker could brute force guess the three bytes in 46 hours at 100 telnetenable requests per second.
After obtaining root shell access through Telnet, an attacker has full control of the router.
- Discovered By: Jacob Thompson – Security Analyst @ Independent Security Evaluators
- Exploited By: Jacob Thompson – Security Analyst @ Independent Security Evaluators
- For more information on this particular Belkin hack, you can contact us at firstname.lastname@example.org
- Alternatively, for more general information on ISE, you can reach us using email@example.com