Home Tags CGI

Tag: CGI

VU#350135: Various WiMAX routers contain a authentication bypass vulnerability in custom...

WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote,unauthenticated attacker to change the administrator password on the device.

Carrie Fisher will be in Star Wars: Episode 9 without CGI

Brother confirms existing footage, not CGI, will be used to complete Episode IX.

Pushing apps to the edge, Fly.io puts middleware in the cloud

New service puts logic closer to users, aims to be "global load balancer" for apps.

Ghost In The Shell film might be the most disappointing live-action...

This average action film looks so much worse through the lens of its original form.

With Logan, Wolverine finally gets the movie he deserves

It’s also one of the best X-Men movies, period.

VU#614751: Hughes satellite modems contain multiple vulnerabilities

Several models of Hughes high-performance broadband satellite modems are potentially vulnerable to several issues if not appropriately configured.

Netgear starts patching routers affected by a critical flaw

Networking device manufacturer Netgear released firmware updates for several router models in order to patch a critical vulnerability that’s publicly known and could be exploited by hackers. The vulnerability was disclosed by a researcher Friday and affects multiple Netgear router models, many from the company’s Nighthawk series.

The company initially confirmed the flaw in three models—R6400, R7000, R8000—but it has since expanded the list to include five more. The models confirmed to be affected so far are: R6250, R6400, R6700, R7000, R7100LG, R7300, R7900, and R8000.

This list might not be complete as Netgear continues to analyze the flaw’s impact to its entire router portfolio. The company is working on firmware updates for all affected router models, but for now it only released beta versions for R6400, R7000, and R8000.

Beta firmware versions for some of the remaining models will be released as early as Tuesday, the company said in an advisory. “This beta firmware has not been fully tested and might not work for all users,” the company said in its advisory. “Netgear is offering this beta firmware release as a temporary solution, but Netgear strongly recommends that all users download the production version of the firmware release as soon as it is available.” The vulnerability allows attackers to execute arbitrary shell commands on affected devices by sending maliciously crafted HTTP requests to their web-based management interfaces.

The U.S.

CERT Coordination Center (CERT/CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS). Until a firmware update becomes available for their routers, users can use a workaround that actually exploits the vulnerability in order to stop the router’s web server and prevent further exploitation.

This can be done by accessing http://[router_IP_address]/cgi-bin/;killall$IFS’httpd’ in a browser from a computer on the same network as the router, but the mitigation only lasts until the device is rebooted.

US-CERT’s top tip: Hack your crap Netgear router before miscreants arrive

Command-injection hole can only be closed by killing web server – or the whole thing Owners of three models of Netgear routers are being advised to exploit a security hole in their broadband boxes to, er, temporarily close said hole.

The alternative is to switch off the boxes until a firmware update lands. Netgear says that the R6400, R7000, and R8000 series routers are all vulnerable to CVE-2016-582384, a command-injection bug that is trivial to exploit: you simply have to trick someone on the router's local network into opening a booby-trapped webpage. We're told R7500, R7800, R8500 and R9000 models are also at-risk. An attacker could direct a victim to a malicious website that abuses the design flaw, or malware on the network could connect to the vulnerable box and exploit the vulnerability directly.

The end result is countless routers potentially being silently meddled with or infected and hijacked. Due to a major bug in the way the routers' builtin HTTP server parses requests, you can inject commands into a box by fetching the following URL: http://<router_IP>/cgi-bin/;COMMAND The web server code executes the given command string effectively as the root user; the underlying operating system is BusyBox Linux.
So, if one of the affected models is usually on the local IP address 192.168.0.1, for example, then the following HTML embedded in a webpage will force a reboot when someone on the LAN visits that page – effectively creating a denial-of-service: <img src="http://192.168.0.1/cgi-bin/;reboot" alt=""> US-CERT says an exploit targeting the flaw has already been publicly disclosed. "Exploiting this vulnerability is trivial," the security bods caution. "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available." Administrators, meanwhile, are less than thrilled with Netgear for its security miscue. Are you shitting me @netgear. (Exploit by @Acew0rm1) pic.twitter.com/Y6hLuF0AEv — SwiftOnSecurity (@SwiftOnSecurity) December 11, 2016 Security researcher Acew0rm was credited with discovering and disclosing the flaw over the weekend, as well as developing the proof-of-concept exploit. We're told Ace warned Netgear about this issue months ago but seemingly nothing was done about it. While Netgear says it is still working on a firmware fix for the flaw, US-CERT says the hole can be closed by disabling the router's web server feature with the following URL: http://<router_IP>/cgi-bin/;killall$IFS'httpd' That request, which exploits the vulnerability itself, disables the builtin HTTP server that is used to administer the device.
In other words, customers are being urged to lightly hack their own boxes before an attacker can exploit it for nefarious ends. US-CERT notes that after executing the command, users will be unable to manage or control the router via the HTTP server until the box is rebooted or power cycled.

A software fix is needed from Netgear to permanently squash the bug. "We appreciate and value having security concerns brought to our attention. Netgear constantly monitors for both known and unknown threats," Netgear said in its alert. "Being pro-active rather than re-active to emerging security issues is fundamental for product support at Netgear." ® Sponsored: Customer Identity and Access Management

Stop using Netgear routers with unpatched security bug, experts warn

EnlargeSinchen.Lin reader comments 41 Share this story A variety of Netgear router models are vulnerable to a simple hack that allows attackers to take almost complete control of the devices, security experts warned over the weekend. The critical b...

An unpatched vulnerability exposes Netgear routers to hacking

Several models of Netgear routers are affected by a publicly disclosed vulnerability that could allow hackers to take them over. An exploit for the vulnerability was published Friday by a researcher who uses the online handle Acew0rm. He claims that he reported the flaw to Netgear in August, but didn’t hear back. The issue stems from improper input sanitization in a form in the router’s web-based management interface and allows the injection and execution of arbitrary shell commands on an affected device. The U.S.

CERT Coordination Center (CERT/CC) at Carnegie Mellon University rated the flaw as critical, assigning it a score of 9.3 out of 10 in the Common Vulnerability Scoring System (CVSS). Netgear confirmed the vulnerability over the weekend and said that its R7000, R6400, and R8000 routers might be vulnerable. However, another researcher performed a test and reported that other routers from Netgear’s Nighthawk line are also affected.

These include: R7000, R7000P, R7500, R7800, R8500, and R9000. Users can check if their models are affected by accessing the following URL in a browser when connected to their local area network (LAN): http://[router_ip_address]/cgi-bin/;uname$IFS-a .
If this shows any information other than a error or a blank page, the router is likely affected. In some cases, replacing the IP address with www.routerlogin.net or www.routerlogin.com might also work, because Netgear routers resolve these domains names to their own local IP address. Since the vulnerability can be exploited with an HTTP request that doesn’t require authentication, hackers can attack the affected routers using cross-site request forgery attacks (CSRF).

This works even when the routers don’t have their management interfaces exposed to the Internet. CSRF attacks hijack users’ browsers when visiting specifically crafted webpages and send unauthorized requests through them.

This makes it possible for a malicious website to force a user’s browser to exploit the router over the LAN. CERT/CC recommends that users stop using the affected routers until an official patch becomes available, if they can do so. However, there is a workaround that involves exploiting the flaw to stop the router’s web server and prevent future attacks.

This can be done with the following command: http://[router_IP_address]/cgi-bin/;killall$IFS’httpd’ . Because the web server will be shut down, the management interface will no longer be available and further attempts to exploit the vulnerability will fail, but this is only a temporary solution and needs to be reapplied every time the router is rebooted. In order to protect themselves from CSRF attacks against routers in general, users should change their router’s default IP address. Most of the time, routers will be assigned the first address in a predefined netblock, for example 192.168.0.1, and these are the addresses that hackers will try to attack via CSRF. Routers have become an attractive target for hackers in recent years as they can be used to spy on user traffic and launch other attacks. Most commonly they are infected with malware and used in distributed denial-of-service (DDoS) campaigns. There are many steps that users can take to improve the security of their routers and make it less likely that they will get hacked.

VU#582384: Multiple Netgear routers are vulnerable to arbitrary command injection

Netgear R6250,R6400,R6700,R6900,R7000,R7100LG,R7300DST,R7900,R8000,D6220,and D6400 routers and possibly other models are vulnerable to arbitrary command injection.

Sony kills off secret backdoor in 80 internet-connected CCTV models

Magic 'secret key' HTTP request opens up admin control Sony has killed off what, charitably, looks like a debug backdoor in 80 of its web-connected surveillance cameras that can be exploited to hijack the devices. The hardcoded logins can be potentially used by malware, such as variants of the Mirai bot and its ilk, to automatically and silently commandeer swathes of Sony-built CCTV cams on the internet – and use the gadgets to launch attacks on other systems or spy on their owners.

The vulnerable gizmos are branded Sony Professional Ipela Engine IP cameras. The backdoor was discovered by Stefan Viehböck of Austrian infosec outfit SEC Consult in October; we're told an advisory will be published here today.

Firmware updates to kill off the vulnerability are already available from sony.co.uk. "We are grateful to SEC Consult for their assistance in enhancing network security for our network cameras," Sony said. The firmware contains two hardcoded, permanently enabled accounts in the builtin web-based admin console: debug with the password popeyeConnection, and primana with the password primana.

The latter, coupled with magic strings in the URL, unlocks telnet access, potentially granting administrative access to the camera via a command line. Later models can open an SSH server, too. For example, the following URLs, once sent to a vulnerable web-facing device, will enable telnet access: http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=zKw2hEr9 http://primana:primana@HOST/command/prima-factory.cgi?foo=bar&Telnet=cPoq2fi4cFk This triggers the prima-factory.cgi program in Sony's fifth-generation Ipela Engine cameras to open the backdoor by starting inetd, which is configured to run a telnet daemon on port 23.
Sixth-generation cams use the magic string "himitunokagi", which is Japanese for "secret key". Once the telnet or SSH service is active, you can login as root and get command-line-level access to the operating system if you can crack these password hashes: $1$$mhF8LHkOmSgbD88/WrM790 (gen-5 models) iMaxAEXStYyd6 (gen-6 models) SEC Consult reckons it'll only be a matter of time before the hashes are cracked, revealing the hardcoded root login password, so it's recommended firmware updates are applied to at-risk cameras before they are infected by miscreants. "We have not invested much time into cracking the root password, but this is only a matter of time and computing power, so eventually it will be cracked by someone," Johannes Greil, head of SEC Consult's Vulnerability Lab, told The Register. "We want vendors to get their act together and make more secure products out of the box and not actually harm their users with insecure IoT products. Publishing the root account password and making the devices an instant Mirai-botnet target is of no good to anyone." The devices also have a default username and password combo of admin:admin for the web-based admin console.

The primana account in the builtin web server gets you access to device testing and calibration features, and the debug account opens up other features SEC Consult has yet to explore. The affected models use firmware version 1.82.01 or earlier if they are fifth generation, or 2.7.0 or earlier if they are sixth generation.

Firmware versions 1.86.00 and 2.7.2 contain the fixes, we're told.
Specifically, if you have any of the following models, you should check if you have the latest firmware installed: SNC-CX600, SNC-CX600W, SNC-EB600, SNC-EB600B, SNC EB602R, SNC-EB630, SNC-EB630B, SNC-EB632R, SNC-EM600, SNC-EM601, SNC-EM602R, SNC-EM602RC, SNC-EM630, SNC-EM631, SNC-EM632R, SNC-EM632RC, SNC-VB600, SNC-VB600B, SNC-VB600B5, SNC-VB630, SNC-VB6305, SNC-VB6307, SNC-VB632D, SNC-VB635, SNC-VM600, SNC-VM600B, SNC-VM600B5, SNC-VM601, SNC-VM601B, SNC-VM602R, SNC-VM630, SNC-VM6305, SNC-VM6307, SNC-VM631, SNC-VM632R, SNC-WR600, SNC-WR602, SNC-WR602C, SNC-WR630, SNC-WR632, SNC-WR632C, SNC-XM631, SNC-XM632, SNC-XM636, SNC-XM637, SNC-VB600L, SNC-VM600L, SNC-XM631L, SNC-WR602CL, SNC-CH115, SNC-CH120, SNC-CH160, SNC-CH220, SNC-CH260, SNC-DH120, SNC-DH120T, SNC-DH160, SNC-DH220, SNC-DH220T, SNC-DH260, SNC-EB520, SNC-EM520, SNC-EM521, SNC-ZB550, SNC-ZM550, SNC-ZM551, SNC-EP550, SNC-EP580, SNC-ER550, SNC-ER550C, SNC-ER580, SNC-ER585, SNC-ER585H, SNC-ZP550, SNC-ZR550, SNC-EP520, SNC-EP521, SNC-ER520, SNC-ER521, and SNC-ER521C. "SEC Consult recommends you not to use these products until a thorough security review has been performed by security professionals," the infosec biz warns. ® Sponsored: Customer Identity and Access Management