News

NETGEAR routers vulnerable to “root” code execution, no patch yet

In a recently published vulnerability disclosure by d4rkn3ss of VNPT ISC and Adam Nichols of GRIMM, we learn of an unpatched vulnerability affecting at least 79 NETGEAR router models that can let an attacker execute code with "root" privileges on the device.

Nichols downloaded NETGEAR firmware from the vendor's website and began analysing it with disassemblers and decompilers such as Hex-Rays.

Browsing the web server's code in the firmware, the researcher quickly found that attacker-controlled data held in a variable named user_input could overflow a fixed-size buffer.

Image credit: Grimm

“After the call to read_content (the recv helper function), the parser does some error checking, combines the received content with any previously received content, and then looks for the strings name="mtenFWUpload" and "\r\n\r\n" in the user input,” states the disclosure.

“If the user input contains these strings, the rest of the user input after these strings is passed to the abCheckBoardID function. Grepping the firmware’s root file system, we can see that the string mtenFWUpload is referenced from the files www/UPG_upgrade.htm and www/Modem_upgrade.htm, and thus we can conclude that this is part of the router’s upgrade functionality.”

Most modern software is built with mitigations such as stack canaries (stack cookies), ASLR and DEP that stop a buffer overflow from turning into reliable code execution, or at least make it much harder. The affected NETGEAR firmware is not.

“In most modern software, this vulnerability would be unexploitable. Modern software typically contains stack cookies which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 use stack cookies. However, later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable. This is just one more example of how SOHO device security has fallen behind as compared to other modern software.”
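To make the parsing step and the missing bound concrete, here is an added example in C, written for this page and not taken from GRIMM's disclosure or NETGEAR's firmware. It models what the quotes above describe: find name="mtenFWUpload", then "\r\n\r\n", and hand the remainder to a board-ID check. The check is shown twice, once copying with no upper bound, as the disclosure describes, and once with the copy bounded by the destination buffer. The 32-byte buffer size, the board ID string, the request path and all function names are assumptions; the real httpd code differs in detail.

```c
/* Added example, not code from GRIMM, ZDI or NETGEAR: a simplified model of
 * the upgrade-request handling the disclosure describes. The two marker
 * strings come from the disclosure; the buffer size, board ID, request path
 * and all function names are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define UPLOAD_MARKER  "name=\"mtenFWUpload\""
#define HEADER_END     "\r\n\r\n"
#define BOARD_ID_MAX   32                  /* assumed fixed stack buffer size */
#define EXPECTED_BOARD "EXAMPLE-BOARD-ID"  /* hypothetical 16-byte board ID */

/* Portable memmem(): locate a binary needle inside a binary haystack. */
static const char *find_bytes(const char *hay, size_t hay_len,
                              const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len) return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    return NULL;
}

/* The parser step quoted above: find name="mtenFWUpload", then "\r\n\r\n",
 * and hand back everything after it. The remainder's length is chosen by
 * the client. Returns NULL if either marker is missing. */
static const char *find_upload_payload(const char *req, size_t req_len,
                                       size_t *rest_len)
{
    const char *m = find_bytes(req, req_len, UPLOAD_MARKER, strlen(UPLOAD_MARKER));
    if (m == NULL) return NULL;
    const char *h = find_bytes(m, req_len - (size_t)(m - req),
                               HEADER_END, strlen(HEADER_END));
    if (h == NULL) return NULL;
    const char *rest = h + strlen(HEADER_END);
    *rest_len = req_len - (size_t)(rest - req);
    return rest;
}

/* VULNERABLE pattern: rest_len is checked from below only, so an over-long
 * remainder runs memcpy() past board_id and over the saved return address;
 * without a stack cookie nothing detects that. Only call it with
 * rest_len <= BOARD_ID_MAX. Returns 0 on match, -1 too short, -2 mismatch. */
static int check_board_id_vulnerable(const char *rest, size_t rest_len)
{
    char board_id[BOARD_ID_MAX];
    if (rest_len < strlen(EXPECTED_BOARD)) return -1;
    memcpy(board_id, rest, rest_len);            /* no upper bound */
    return memcmp(board_id, EXPECTED_BOARD, strlen(EXPECTED_BOARD)) == 0 ? 0 : -2;
}

/* Hardened: the copy is bounded by the destination, never by the request,
 * so a multi-megabyte firmware image is still handled safely. */
static int check_board_id_hardened(const char *rest, size_t rest_len)
{
    char board_id[BOARD_ID_MAX];
    const size_t want = strlen(EXPECTED_BOARD);  /* want < BOARD_ID_MAX */
    if (rest_len < want) return -1;
    size_t n = rest_len < sizeof board_id ? rest_len : sizeof board_id;
    memcpy(board_id, rest, n);
    return memcmp(board_id, EXPECTED_BOARD, want) == 0 ? 0 : -2;
}

/* Drive either checker with a constructed (not captured) multipart request
 * carrying payload_len bytes: the board ID first when it fits, 'A' filler
 * after. Returns the checker's result, -3 if the request could not be built
 * or parsed, -4 if the vulnerable copy was refused because it would overflow. */
static int demo_request(size_t payload_len, int use_hardened)
{
    static const char head[] =
        "POST /upgrade HTTP/1.1\r\n"                 /* hypothetical path */
        "Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
        "--XX\r\n"
        "Content-Disposition: form-data; " UPLOAD_MARKER "; filename=\"fw.chk\"\r\n"
        "Content-Type: application/octet-stream" HEADER_END;
    char req[8192];
    size_t hl = sizeof head - 1, want = strlen(EXPECTED_BOARD), rest_len;
    if (hl + payload_len > sizeof req) return -3;
    memcpy(req, head, hl);
    memset(req + hl, 'A', payload_len);
    if (payload_len >= want) memcpy(req + hl, EXPECTED_BOARD, want);
    const char *rest = find_upload_payload(req, hl + payload_len, &rest_len);
    if (rest == NULL) return -3;
    if (use_hardened) return check_board_id_hardened(rest, rest_len);
    if (rest_len > BOARD_ID_MAX)
        return -4;   /* would write rest_len - BOARD_ID_MAX bytes past the buffer */
    return check_board_id_vulnerable(rest, rest_len);
}

int main(void)
{
    printf("16-byte upload: vulnerable=%d hardened=%d\n",
           demo_request(16, 0), demo_request(16, 1));
    printf("4 KiB image:    vulnerable=%d hardened=%d\n",
           demo_request(4096, 0), demo_request(4096, 1));
    return 0;
}
```

The point to take from the two checkers is where the copy length comes from: the vulnerable one lets the request decide how many bytes land in a 32-byte stack buffer, the hardened one caps it at the buffer size and compares only the bytes it needs. With a stack cookie the first version would at least abort on overflow; on the firmware builds the disclosure lists as lacking cookies, it returns into whatever the attacker wrote.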

Nichols has published a proof-of-concept exploit for the vulnerability.

Image: Telnet enabled by running the exploit

The same vulnerability was also disclosed through the Zero Day Initiative (ZDI) by d4rkn3ss of VNPT ISC and has been assigned the identifier ZDI-CAN-9703; a CVE assignment is pending.

With 79 NETGEAR router models still unpatched, the vulnerability has been published without a fix being available, and the ZDI advisory offers only a workaround:

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

The 79 vulnerable router models are:

AC1450
D6220, D6300, D6400, D7000v2, D8500, DC112A, DGN2200, DGN2200v4, DGN2200M, DGND3700
EX3700, EX3800, EX3920, EX6000, EX6100, EX6120, EX6130, EX6150, EX6200, EX6920, EX7000
LG2200D
MBM621, MBR624GU, MBR1200, MBR1515, MBR1516, MBRN3000, MVBR1210C
R4500, R6200, R6200v2, R6250, R6300, R6300v2, R6400, R6400v2, R6700, R6700v3, R6900, R6900P, R7000, R7000P, R7100LG, R7300, R7850, R7900, R8000, R8300, R8500, RS400
WGR614v8, WGR614v9, WGR614v10, WGT624v4
WN2500RP, WN2500RPv2, WN3000RP, WN3100RP, WN3500RP, WNCE3001
WNDR3300, WNDR3300v2, WNDR3400, WNDR3400v2, WNDR3400v3, WNDR3700v3, WNDR4000, WNDR4500, WNDR4500v2
WNR834Bv2, WNR1000v3, WNR2000v2, WNR3500, WNR3500v2, WNR3500L, WNR3500Lv2
XR300

At this time, it is not known when a patch will be released.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
