Title: Multiple vulnerabilities in NETGEAR N300 WIRELESS ADSL2+ MODEM ROUTER DGN2200
====================================================================================

Notification Date: 11 February 2014
Affected Vendor: NetGear
Affected Hardware: NetGear DGN2200 N300 Wireless ADSL2+ Modem Router
Firmware Version: V1.0.0.36-7.0.37
Issue Types:
* Command Injection
* Cross-site Request Forgery
* UPNP Exploitation through Cross-site Request Forgery
* Insecure FTP Root
* Cannot Disable WPS
* Passwords Stored in Plaintext
* Information Disclosure
* Firmware Update MITM
Advisory Code: AIS-2014-003
Discovered by: Andrew Horton
Issue status: No patch available - product beyond End of Life

Summary
=======

BAE Systems Applied Intelligence researcher Andrew Horton has identified that the NetGear N300 Wireless ADSL2+ Modem Router model DGN2200 suffers from multiple vulnerabilities which may be exploited by both local and remote attackers. These enable an attacker to completely compromise the device and stage further attacks against the local network and the internet.

NetGear have indicated that this product is beyond its end of life and therefore these vulnerabilities will not be patched. As a result, BAE Systems have delayed release of this advisory for over 12 months to reduce the likelihood of active exploitation.

1. UPNP Vulnerable to CSRF
===========================

Requires
--------

Luring an unauthenticated or authenticated user to an attacker-controlled webpage.

Description
-----------

The Universal Plug and Play (UPNP) implementation used by NetGear accepts any HTTP POST request, including one submitted by a browser, as a valid XML request, rendering the UPNP service vulnerable to inter-protocol Cross-Site Request Forgery attacks. This can be used to bypass or alter firewall rules.

The UPNP interface of the router listens on TCP port 5000 and can only be accessed from the LAN side of the device. UPNP requests do not require authentication with passwords.
The LAN-side restriction does not prevent exploitation because the request is initiated by a user's browser, which is itself on the LAN side of the device.

Impact
------

Using this vulnerability, BAE Systems was able to add new firewall rules to enable internet access to the insecure telnet port and the admin web interface.

Proof of concept
----------------

The following webpage will make telnet on the router accessible to the internet so that it may be attacked using the GearDog backdoor (see issue 5). The GearDog backdoor is a known remote access backdoor implemented in many NetGear products. This requires brute-forcing the MAC address.
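The root cause of this issue is that the UPNP control endpoint treats any HTTP POST as a SOAP control request. As an added example, not taken from the advisory or from NetGear's firmware, the following Python function shows the check a UPNP control endpoint can apply to reject browser-initiated submissions: a genuine SOAP control request carries a SOAPAction header and a text/xml body, neither of which a cross-site HTML form can produce (forms are limited to urlencoded, multipart and text/plain bodies and cannot set custom headers). The header and body samples, the Host value and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def is_soap_control_request(headers, body):
    """Return True only if the request looks like a genuine UPnP SOAP control
    request, False for anything a browser could send cross-site.

    headers: dict of HTTP header name -> value (any letter case).
    body:    request body as a str.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. HTML forms cannot send text/xml; UPnP control points always do.
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "text/xml":
        return False

    # 2. SOAPAction is a custom header; a browser will not attach it to a
    #    form post and would need a CORS preflight (which the device never
    #    answers) to attach it to a scripted request.
    if "soapaction" not in h:
        return False

    # 3. Browsers add an Origin header to cross-site POSTs; control points
    #    do not. Treat its presence as a sign the request came from a page.
    if "origin" in h:
        return False

    # 4. The body must be well-formed XML whose root is a SOAP Envelope.
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == "{%s}Envelope" % SOAP_ENV


# Constructed sample: a legitimate control request for a harmless action.
SOAP_BODY = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
    "<s:Body>"
    '<u:GetExternalIPAddress xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"/>'
    "</s:Body></s:Envelope>"
)
LEGIT_HEADERS = {
    "Host": "192.168.0.1:5000",  # constructed LAN address, port 5000 as in the advisory
    "Content-Type": 'text/xml; charset="utf-8"',
    "SOAPAction": '"urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress"',
}

# Constructed sample: the same body as a browser form submission would
# deliver it (text/plain enctype, Origin header, no SOAPAction).
FORM_HEADERS = {
    "Host": "192.168.0.1:5000",
    "Content-Type": "text/plain",
    "Origin": "http://attacker-page.example",
}


def classify_samples():
    """Run the check over both constructed samples; returns (legit, form)."""
    return (
        is_soap_control_request(LEGIT_HEADERS, SOAP_BODY),
        is_soap_control_request(FORM_HEADERS, SOAP_BODY),
    )


if __name__ == "__main__":
    legit, form = classify_samples()
    print("control point request accepted:", legit)
    print("browser form submission accepted:", form)
```

The content-type and SOAPAction checks are the ones that matter: they reject a forged request on a property the browser cannot forge, so the fix holds even though the endpoint remains unauthenticated and reachable from every LAN host. The Origin check is defence in depth only, since not every browser or request path sets it.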