Taking over the Netgear WNDR4700

[return to summary]

• The WNDR4700 can be trivially taken over by any adversary on the LAN or WLAN.
• If remote management is enabled, the WNDR4700 can be trivially taken over by a remote adversary.

Description

The Netgear WNDR4700 router is susceptible to an authentication bypass attack. Without providing credentials, an attacker on the LAN can access a specific page on this router's embedded web server that permanently breaks authentication on the device (until factory reset). Once this attack is performed, anyone on the local network can access the router's administration interface without providing a username or password. This same attack is possible from the WAN if remote management has been enabled. Administrators should disable remote management immediately.

By default remote management of the WNDR4700 is not enabled, but remote take over of the WNDR4700 may still be possible (though was not confirmed). The firmware on the WNDR4700 takes countermeasures to protect against cross-site request forgery in the form of anti-forgery tokens. In another Netgear router we evaluated, we found that the CSRF tokens were poorly chosen, and could be guessed easily by a remote adversary. We did not investigate what algorithm is used to generate tokens on the WNDR4700, but the inability to perform cross-site request forgery prevents this authentication bypass from escalating to a full, remote compromise without an alternative attack method.

Local Attack Requirements

• An attacker must have access to a machine on the local network, either by physically connecting, or by compromising a machine on the local network through other means (e.g., via malware).

Remote Attack Requirements

• Remote management must be enabled on the WNDR4700.

Details

The full attack is performed by simply accessing the page:

http://[router_ip]/BRS_03B_haveBackupFile_fileRestore.html

where [router_ip] is the IP address of the router. After accessing this page, the WNDR4700 no longer requires a username or password to access the administrative interface. This persists even when the router is power cycled, and can only be remedied by a reset to factory default settings.

The Netgear telnetenable utility is another method to gain access to the router, but is not necessary for this attack.

• Vulnerable Firmware is V1.0.0.34.
• Other versions of the firmware were not tested.

Impact

A successful attack exploiting this vulnerability can give a local adversary full control of the victim router.

Recommendations to the vendor

• Ideally, a router should never disable authentication, even temporarily.
• If this must be possible, functionality that disables authentication on a router should never be accessible to an unauthenticated user.
• Any measures that disable authentication should be purely temporary and should not persist through a device reboot.

Recommendations to device administrators

• (4/13/2013) There is not currently an available firmware upgrade that remedies this vulnerability.
• Take additional preventative measures and precautions by following the steps outlined on our summary page here.

References

• Netgear-telnetenable on Google Code
• CVE-2013-3069: Cross-Site Scripting
• CVE-2013-3070: Information Disclosure
• CVE-2013-3071: Authentication Bypass
• CVE-2013-3072: Unauthenticated Hardware Linking
• CVE-2013-3073: SMB Symlink Traversal
• CVE-2013-3074: Media Server Denial of Service

Credit

• Discovered By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators
• Exploited By: Jacob Holcomb – Security Analyst @ Independent Security Evaluators

Contact Information

• For more information on this particular Belkin hack, you can contact us at routers@www.ise.io
• Alternatively, for more general information on ISE, you can reach us using contact@www.ise.io