Western Digital My Net ‘main_internet.php’文件信任管理漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121793 漏洞类型 信任管理
发布时间 2013-08-02 更新时间 2013-08-02
CVE编号 CVE-2013-5006 CNNVD-ID CNNVD-201307-666
漏洞平台 Hardware CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/27288
https://www.securityfocus.com/bid/61361
https://cxsecurity.com/issue/WLB-2013080014
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201307-666
|漏洞详情
WesternDigitalMyNetN600、N750、N900和N900C都是美国西部数据(WesternDigitalCorporation)公司的无线路由器产品。main_internet.php文件中存在安全漏洞。远程攻击者可通过读取HTML源代码中的‘varpass=’行利用该漏洞发现管理员明文密码。以下产品版本受到影响:带有固件的WesternDigitalMyNetN600和N7501.03.12和1.04.16版本,带有固件的WesternDigitalMyNetN900和N900C1.05.12,1.06.18及1.06.28版本。
|漏洞EXP
Vulnerable Systems:
Western Digital My Net Series Wireless Routers:
N600  Firmware 1.03.12
N600  Firmware 1.04.16

N750  Firmware 1.03.12
N750  Firmware 1.04.16

N900  Firmware 1.05.12
N900  Firmware 1.06.18
N900  Firmware 1.06.28

N900C Firmware 1.05.12
N900C Firmware 1.06.18
N900C Firmware 1.06.28

CVE 2013-5006
CWE-256 Plaintext Storage of a Password
CVSS Base Score    4.3
CVSS Impact Subscore     2.9
Cvss Expoit Score   8.6
(AV:N/AC:M/Au:N/C:P/I:N/A:N/E:POC/RL:U/RC:UR/CDP:H/TD:H/CR:H/IR:H/AR:H)

Proof of concept:
curl -s http://<IP>:8080/main_internet.php? | egrep -i 'var pass'

which will give an output similar to this ex:
var pass="";

Details:
By sending a specially crafted command to the affected routers, the clear text password for the admin account can be extracted, with no authentication required to access the page where it is stored.

During the initial setup of these four routers with the affected firmware, the admin password is stored in clear text on the main_internet.php? source code page as the value for 'var pass'. For this bug to exploitable from a remote network attack, UPnP and remote administrative access (port 8080 is set by default) must be enabled.

The vendor has not responded to any inquiries concerning the bug.

External Sources:
OSVDB - http://www.osvdb.org/show/osvdb/95519
CVE-Mitre - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5006
IBM xforce - http://xforce.iss.net/xforce/xfdb/85903
Bugtraq/SecList - http://www.securityfocus.com/archive/1/527433
Security Database - http://www.security-database.com/detail.php?alert=CVE-2013-5006

Vendor's Network Router Product Pages:
http://www.wdc.com/en/products/network/routers/
http://support.wdc.com/download/notes/My_Net_N900C_FW_Release_Notes_1.07.16.pdf?v=9564
http://support.wdc.com/download/notes/My_Net_N900_FW_Release_Notes_1.07.16.pdf?v=7436
http://support.wdc.com/download/notes/My_Net_N750_FW_Release_Notes_1_04_16.pdf?v=6879
http://support.wdc.com/download/notes/My_Net_N600_FW_Release_Notes_1_04_16.pdf?v=4950

Additional Notes/Fixes/Workarounds:

Firmware notes: N900 and N900C with firmware 1.07.16 released on 05/2013 fixes the bug. It is advised that users with the N900 or N900C upgrade to 1.07.16.  Earlier firmware releases of 1.02.02, 1.03.11 and 1.04.08 are unaffected.

N600 and N750 with the earlier firmware 1.01.04 and 1.01.20 are unaffected by this bug. Firmware 1.02.08 was not tested. The 'workaround' for these two model routers, which will only stop network side attacks, is for the end user to disable remote administrative access capabilities.

Discovered - 07-02-2013
Updated - 07-31-2013
Research Contact - K Lovett
Affiliation - SUSnet
|参考资料

来源:XF
名称:my-net-info-disc(85903)
链接:http://xforce.iss.net/xforce/xfdb/85903
来源:OSVDB
名称:95519
链接:http://www.osvdb.org/95519
来源:BUGTRAQ
名称:20130722FullDisclosure-WDMyNetN600,N750,N900,N900C-PlainTextDisclosureofAdminCredentials
链接:http://archives.neohapsis.com/archives/bugtraq/2013-07/0146.html
来源:BUGTRAQ
名称:20130718WesternDigitalMyNetN600,N750,N900andN900C-Plaintextdisclosureofadministrativecredentials
链接:http://archives.neohapsis.com/archives/bugtraq/2013-07/0133.html