
Authentication Bypass in Netgear Router JNR1010 Version 1.0.0.24 #14

cybersecurityworks opened this issue Jan 11, 2016 · 1 comment


Details

Product Vendor: Netgear
Bug Name: Authentication Bypass in Netgear Router JNR1010 Version 1.0.0.24
Software: Netgear Router JNR1010 Firmware
Version: 1.0.0.24
Last Updated: 10-06-2015
Homepage: http://netgear.com/
Severity: High
Status: Fixed
POC Video URL: https://www.youtube.com/watch?v=tET-t-3h7TU

Description

This flaw may allow an attacker, whether on the LAN or the WAN side, to reach the router's authenticated pages without credentials and so act with the router's administrative privileges.

Proof of concept (POC)

Broken Authentication & Session Management:
Authentication Bypass:
Request a URL that an unauthenticated user should not be able to reach, without supplying credentials, with the auth token value set to “ok” and an HTTP Basic Authentication header carrying the password value.

Improper Session Management:
Create an arbitrary session ID and submit the login request with it together with the credentials. As the figures below show, the session ID does not change after login, nor during the logout process.

Figure 1: Session ID created by the attacker before login

Figure 2: The attacker's session ID is not changed even after login

Figure 3: The session ID remains the same even after logging out of the current session

Figure 4: Back-button history of the accessed router pages after logging out

Figure 5: The auth token is set to “ok” once logged into the router, but we could not access any pages just by pressing the back button after logging out

Figure 6: Changing the auth token value from “ok” to “nok” and removing the extra session tokens gives access to the unauthorized page with the same session ID created by the attacker

Figure 7: The authentication logic is bypassed and an attacker can access any page behind the login without credentials


Timeline

28/10/2015 - Discovered in Netgear Router Firmware Version 1.0.0.24
28/10/2015 - Reported to the vendor through the support option; no response
30/10/2015 - Reported to the vendor through another support option available here; again no response
03/11/2015 - Netgear's technical team finally began addressing the issue after repeated follow-ups by phone and email
13/12/2015 - Vulnerability fixed and case closed
30/12/2015 - Netgear released updated Netgear Router JNR1010 firmware version 1.0.0.32


Discovered by:
Sathish from Cyber Security Works Pvt Ltd
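The two weaknesses in the report above (authorization decided by a client-supplied token, and a session ID that is neither rotated on login nor invalidated on logout) are modelled below in a constructed Python example. This is not the JNR1010 firmware and not code from the reporter: the cookie names (`SESSIONID`, `auth`), the credentials and the exact token values are assumptions chosen for illustration, and the device's real request format is not reproduced. The `audit` function is the black-box check a tester would run against any login flow: it plants a session ID before login, logs in, logs out, and then replays and forges cookies to see what the server accepts.

```python
"""Constructed example for the advisory above. Not the JNR1010 firmware:
cookie names ("SESSIONID", "auth") and credentials are assumptions."""
import secrets

CREDENTIALS = ("admin", "password")   # constructed test credentials


class VulnerableRouter:
    """Models the flawed pattern: the 'logged in' state lives in a cookie the
    client controls, and the session id the client presents is never rotated
    or recorded server-side, so it cannot be invalidated on logout."""

    def login(self, cookies, user, password):
        new = dict(cookies)                       # keeps the attacker's session id
        if (user, password) == CREDENTIALS:
            new["auth"] = "ok"                    # authz flag handed to the client
        return new

    def logout(self, cookies):
        new = dict(cookies)                       # session id still the same
        new["auth"] = "nok"                       # only the client's copy changes
        return new

    def get_admin_page(self, cookies):
        # Bug: authorization is decided purely from the client-supplied flag.
        return 200 if cookies.get("auth") == "ok" else 401


class HardenedRouter:
    """Authentication state is kept server-side, keyed by a random session id
    that is issued on login and destroyed on logout. Client-supplied values
    other than a valid, issued id are ignored."""

    def __init__(self):
        self._sessions = {}                       # sid -> logged-in user

    def login(self, cookies, user, password):
        if (user, password) != CREDENTIALS:
            return dict(cookies)
        sid = secrets.token_urlsafe(32)           # rotate: discard the presented id
        self._sessions[sid] = user
        return {"SESSIONID": sid}

    def logout(self, cookies):
        self._sessions.pop(cookies.get("SESSIONID"), None)   # server-side invalidation
        return {}

    def get_admin_page(self, cookies):
        return 200 if cookies.get("SESSIONID") in self._sessions else 401


def audit(router):
    """Black-box check for session fixation and client-trusted authorization.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    attacker_sid = "attacker-chosen-session-0001"   # id planted before login (Figure 1)
    pre_login = {"SESSIONID": attacker_sid}

    post_login = router.login(pre_login, *CREDENTIALS)
    if post_login.get("SESSIONID") == attacker_sid:
        findings.append("session id not rotated on login (fixation)")
    if router.get_admin_page(post_login) != 200:
        findings.append("valid login did not grant access (harness error)")

    post_logout = router.logout(post_login)
    if post_logout.get("SESSIONID") == attacker_sid:
        findings.append("session id unchanged after logout")
    if router.get_admin_page(post_login) == 200:
        findings.append("pre-logout cookies still accepted after logout")

    forged = {"SESSIONID": "never-issued", "auth": "ok"}   # no login performed at all
    if router.get_admin_page(forged) == 200:
        findings.append("client-controlled auth flag grants access (bypass)")
    return findings


if __name__ == "__main__":
    for name, router in (("vulnerable", VulnerableRouter()), ("hardened", HardenedRouter())):
        print(name, audit(router) or ["no findings"])
```

Against `VulnerableRouter` the audit reports all four weaknesses; against `HardenedRouter` it reports none, because access is granted only when the presented session ID is one the server itself issued and has not yet destroyed. Against a real device the same sequence is driven with an HTTP client, comparing the `Set-Cookie` values and response codes at each step.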

