Disclosed Netgear Flaws Under Attack

msm1267 writes: A vulnerability in Netgear routers, already disclosed by two sets of researchers at different security companies, has been publicly exploited. Netgear, meanwhile, has yet to release patched firmware, despite apparently having built one and confirmed with one of the research teams that it addressed the problem adequately. The vulnerability is a remotely exploitable authentication bypass that affects Netgear router firmware N300_1.1.0.31_1.0.1.img, and N300-1.1.0.28_1.0.1.img. The flaw allows an attacker, without knowing the router password, to access the administration interface.

Sounds bad, but...

[JBMcB]

Looks bad, but why would anyone have their web-admin interface opened up to the internet?

Re:Sounds bad, but...

[JustAnotherOldGuy]

Looks bad, but why would anyone have their web-admin interface opened up to the internet?

Often because they don't know any better, and sometimes because they can't or don't know how. And sometimes it's because the router (for example) won't let them.

For example, my Frontier router won't let me use a 10-character password (it shipped with a 6-character password). It won't let me use most punctuation characters in the password either, reducing the possible complexity to almost nothing. The fucking thing won't even let me use spaces in the Wifi device name.

The security interface can be used, but 99% of the people that get these things will never know enough to go into the interface and set a real password. And even if they do, the router won't let them use a password long enough to provide any real protection. The Frontier tech who installed the FIOS fiber was not terribly interested in setting up a serious password, and even if they could the password length and allowed characters made any password we used to be pretty weak. This is all by design, not by accident.

no profit in patches

[Lead+Butthead]

they much rather be selling you a new router.

Re:no profit in patches

[KGIII]

Don't worry. The FCC is hard at work making sure that you'll never have the chance to fix this on your own.

Re:no profit in patches

[KGIII]

This is true. I usually buy high end stuff and chuck the stuff my ISP sends me into a box for playing with at another time. I have, seriously, dozens of routers from the ISP that haven't even been unboxed. I have 3 separate lines; one in my garage, one in my house, and one in the house that was here when I had my house built - used for guests and whatnot. Anyhow, they send me three new routers at a time - every time.

Strangely, at least once a year but usually twice a year, I get three new routers without asking for them and I never use them. I got a phone call asking me why I'd not plugged in the router they sent. I guess they want to be able to manage my router for me from their office. I neighbor has a similar setup, well the same ISP, and now he can't connect to 192.168.1.100 any more - it takes him to a connection outside of the network and through the ISP. (I wonder how he's supposed to fix it if he messes up and it no longer connects to the 'net?)

Anyhow, they asked me why I hadn't connected (after sending that batch). I told them that my current equipment worked fine. They said they had new equipment and that I had to install it. I told them no, that I didn't think I'd be doing that. They offered to send someone out to help me or to talk me through the directions on the phone. I told them that I was okay with it the way it was. The lady kept asking a few more questions and finally gave up. They've not canceled my service. In my state I can get my service from anyone that offers it. They're also not the company that put in my lines. I paid for my lines and a CO just so I could have broadband out here. I think that might also be why I have static IP addresses, can run a server, and have "business" on some of the portal sites but my bill is clearly "residential" and the price reflects that it is residential. (It's about $35/line.)

They mostly leave me alone but the send out the equipment at least once a year. I got two this year so that means I really got six. I have no idea why I'd want them to remotely manage my router. In fact, that's about the last thing I want them to do. I don't even want them coming past the edge of my house - anything on the inside is mine and I'll manage it on my own or hire a qualified professional to do so. They can run lines and provision service, that's fine. I don't even need them to provision me with any equipment, I'll take care of that too. It's not like I don't generally buy at least one extra to have on hand.

Well, I guess, I've played with my own router/access point with a Linux box at one point. I even dicked around on an old router (like a buck at a yard sale too and I'd recognized the name/model at the time) and put the Tomato (I think it was) firmware on it. It didn't break or anything and had a lot of options but there wasn't anything that I really felt I needed with it. The same goes for my roll-your-own Linux router. It was interesting and I probably learned something but I wasn't going to keep putting any effort into it and it was mostly a distraction.

I mostly grab business class routers from Cisco or the likes. I generally look at NewEgg or Amazon and find something that's not entirely consumer oriented just to make sure that I'm getting something that's going to last. They've usually got loads more options, including firewalls and sometimes even terms of service portals that people have to agree to if they use the wireless here, but I don't actually use/enable half the stuff for more than a day or two before I reset it and put it back to a pretty much stock environment. I just don't need the extra work and I only like to tinker with the stuff until I get bored. I get bored pretty quickly.

Today, more or less, I check for new firmware updates once a month or so. I don't check logs. I don't tweak, poke, push, pull, or otherwise molest it. Maybe I've just lost the 'spark' or something? I have no idea, really. There are a lot of things that I don't tweak any more. I find myself spending more and more time as a passive consumer of tech - not watching but reading a lot and, I guess, contributing in walls of mindless text such as this post or helping on various Linux forums or the likes. I'm kind of poking at tablets lately... Meh... I digress, of course.

Re:no profit in patches

[DeBaas]

Hmm, I actually got a Cisco from my ISP and ended up buying a Netgear as the Cisco was too unstable.
The Cisco is a Docsis cable modem with built in wifi router. If you use your own router you can have the modem set up in bridge mode, which I did. Ever since the connection is stable. You have to call the ISP to have the modem switch to bridge mode. Funny thing is when I did, the person on the phone agreed with me that using my own router would probably be a lot better.
I'm sure I could buy my own Docsis modem as well, but for me that thing is now part of the internet, not my home network. So it is in untrusted territory anyway. As long as it works it is fine.

Re:no profit in patches

[Zmobie]

Or when you get it install DD-WRT, Tomato, etc. and use the very nice hardware they packaged for you but not the terrible and feature deprived firmware... Seriously, no reason a router should no be able to support things like standard VPN access and yet none of the companies build this into half their high end routers... I like netgear, but their firmware blows ass...

XXXSS exploits

It is called an XXXSS exploit and it is widely documented here from Defcon 18:

https://www.youtube.com/watch?v=YDW7kobM6Ik

http://samy.pl/mapxss/

Basically, any webpage can inject an IFRAME src=https://192.168.1.1/BRS_netgear_success.html onload=malicious()

And manipulate your own INTRANET router against you.

They can also, inject DCC CHAT command within the webpage and have you post those commands through IFRAME or AJAX
and if your router is not patched and use a fixed circular buffer, the router will do something like: ...HTML CRAP...IRC COMMAND...HTML CRAP...

and say HEY, this poor user wants to do some IRC commands and I am blocking him, let's create a new rule to allow this automagically :D

and then it will execute that IRC command and open a hole in your Firewall for you, everyone loves mIRC don't you?

Re:XXXSS exploits

[sexconker]

In mIRC, open the About window and type arnie

Old news?

[YodaDaCoda]

I've known about this for months. This is news?

Re:Immediately flash all routers!

[Runaway1956]

You do realize that Tomato does much the same thing as *WRT? In some cases, for some people, Tomato might be a better choice, depending on what they are trying to do. But, yes, I agree with you. Why buy any box, mini or otherwise, if you can't control it?

It's not a flaw, bug, or vulnerability.

[Bob_Who]

It's a feature. But it looks just like a flaw. Its easy penetration functions to lower the demand on customer service by making it easier for newbies to configure throughput. These folks usually don't notice the flaw in the security, however. Those who do notice vulnerabilities in most all networks are simply paying attention. The details of reality imbue a false sense of security as we imbibe the rivers of denial. De Nile is not just Da River in Egypt.