NETGEAR Wireless Cable Modem Gateway Auth Bypass and CSRF

HTML Code:

Release Date.                  20-Sep-2011 Last Update.                    - Vendor Notification Date.      22-Mar-2011 Product.                        NETGEAR Wireless Cable Modem Gateway                                 CG814WG Affected versions.             Hardware 1.03,                                 Software V3.9.26 R14 verified,                                 possibly others Severity Rating.               High Impact.                         Authentication bypass,                                 Cross Site Request Forgery Attack Vector.                 Remote without  authentication Solution Status.               Upgrade to R15 (by  contacting NETGEAR) CVE reference.                 Not yet assigned    Details. The NETGEAR Wireless Cable Modem Gateway CG814WG is supplied by  ISP's as customer premises equipment within Australia and abroad. It is  a centrally managed ISP solution whereby each ISP's devices run a  customised firmware and configuration changes and updates can be pushed  out as required.   Basic authentication is used as the primary and only  authentication mechanism for the administrator interface on the device.  The basic authentication can be bypassed by sending a valid POST request  to the device without sending any authentication header. The response  from the device sends the user to another page that requests basic  authentication, however at this point the request has already been  processed.   An example of attacks using the basic authentication bypass  may include changing the admin password or enabling the remote admin  interface (Internet facing).   Additionally, due to the lack of CSRF  protection in the web application, the bypass attack can be coupled with  CSRF to have a victim enable the remote admin interface to the  Internet, where an attacker can then use the bypass attack again across  the remote admin interface to reset the admin password and access the  device. This attack is possible when targeting a victim that is behind  the NETGEAR device on the same segment as the web administrator  interface whom has browsed to a malicious site containing the CSRF  attack.   NETGEAR was notified of this vulnerability on 22 March 2011,  but we never received a response or acknowledgement of the issue or fix.  Sense of Security notified local ISP's and it was escalated by a local  ISP who worked with NETGEAR to develop and test an update. Sense of  Security was never provided an opportunity to validate the fixes in the  latest firmware version. Given the severity of the issue it would be  prudent for NETGEAR to notify and supply an update to all of its  customers.   Proof of Concept. By embedding the below HTML in a website  and having a victim browse to the website the remote management  interface to the Internet would be enabled. An attacker could then use  one of the hardcoded passwords for the device to access it, or use a  basic authentication bypass to change the admin password. Alternatively,  the attacker could conduct a CSRF attack that implements two POST  requests to have the remote admin interface enabled, and the admin  password changed.   The example here is a basic proof of concept, more  complex examples which include JavaScript redirects to mask the basic  authentication pop-up would be more stealthy.      

"http://192.168.0.1/goform/RgRemoteManagement"
method="POST" name="form"> "hidden"  name="NetgearRmEnable" value="0x01"> "hidden"  name="NetgearRmPortNumber" value="1337"> "hidden"  name="NetgearUserLevel" value="1">      Solution. Ask your ISP to obtain the latest firmware  from NETGEAR and deploy it to your device.   Discovered by. Sense of  Security Labs.  :80: