Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor.

Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the full list of Netgear SOHO products said to be at-risk, see the afore-linked page.

Exploit code, developed by infosec outfit Grimm, is available on GitHub for all the models said to be vulnerable: it opens telnet daemon on port 8888, if successful. There’s technical details here.

The bugs lie in the web-based control panel of the Linux-powered equipment. It can be hijacked by sending it specially crafted data, bypassing the password protection, via the local network, or the internet if it is exposed to the world, or by tricking a victim into opening a webpage that automatically connects to the device on the LAN. Once exploited, the device can be commanded to open a backdoor, change its DNS and DHCP settings to redirect users to phishing websites, and so on.

How we got to this situation is an interesting tale. In January, Trend Micro’s Zero-Day Initiative (ZDI) privately contacted Netgear on behalf of a security researcher, called d4rkn3ss, at the Vietnamese government’s national telecoms provider. The egghead had found a way into R6700 routers via a classic buffer overflow attack, and Netgear was informed of the weakness.

ZDI and Netgear eventually agreed on a deadline of June 15 to release any necessary security updates: on that day, ZDI would go public with details of the flaw. At the end of May, Netgear asked for an extension to the end of June. ZDI rejected the request, and on Monday, emitted its advisory.

“This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Netgear R6700 routers,” ZDI explained. “Authentication is not required to exploit this vulnerability.

“The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.”

Since it’s remote code execution, you can completely take over the router.

Speaking to The Register, ZDI senior manager of vulnerability analysis Abdul-Aziz Hariri said: “Since authentication is not required to reach this bug, anyone who can connect to the local network of the router would be capable of exploiting this vulnerability. Since it’s remote code execution, you can completely take over the router.

“In most scenarios, the attacker would be able to possibly upload a custom backdoor software and establish persistence or launch further attacks, like man-in-the-middle attacks.”

While ZDI waited for Netgear to release its patches, Grimm privately reported to Netgear in May it had found the same security hole in a bunch of the manufacturer’s products. When ZDI went public, so did Grimm: publishing an in-depth advisory showing how to exploit the holes, and released full, working proof-of-concept exploit code.

Three days later, Netgear released the aforementioned hot-fixes for two of the models. “We have already provided hot fixes for the R7000 and the R6700. The rest are forth coming,” the router-maker told The Register on Thursday.

The Grimm team noted that Netgear’s firmware lacked basic protections, such as ASLR for its programs, which makes the bugs in the equipment easy to exploit.

Source: Netgear was told in January its routers can be hacked and hijacked. This week, first patches released – after exploits, details made public • The Register

And this is why responsible disclosure is a good idea.

A newly discovered spyware effort attacked users through 32 million downloads of extensions to Google’s market-leading Chrome web browser, researchers at Awake Security told Reuters, highlighting the tech industry’s failure to protect browsers as they are used more for email, payroll and other sensitive functions.

Alphabet Inc’s (GOOGL.O) Google said it removed more than 70 of the malicious add-ons from its official Chrome Web Store after being alerted by the researchers last month.

[,,,]

Most of the free extensions purported to warn users about questionable websites or convert files from one format to another. Instead, they siphoned off browsing history and data that provided credentials for access to internal business tools.

Based on the number of downloads, it was the most far-reaching malicious Chrome store campaign to date, according to Awake co-founder and chief scientist Gary Golomb.

Google declined to discuss how the latest spyware compared with prior campaigns, the breadth of the damage, or why it did not detect and remove the bad extensions on its own despite past promises to supervise offerings more closely.

It is unclear who was behind the effort to distribute the malware. Awake said the developers supplied fake contact information when they submitted the extensions to Google.

“Anything that gets you into somebody’s browser or email or other sensitive areas would be a target for national espionage as well as organized crime,” said former National Security Agency engineer Ben Johnson, who founded security companies Carbon Black and Obsidian Security.

The extensions were designed to avoid detection by antivirus companies or security software that evaluates the reputations of web domains, Golomb said.

If someone used the browser to surf the web on a home computer, it would connect to a series of websites and transmit information, the researchers found. Anyone using a corporate network, which would include security services, would not transmit the sensitive information or even reach the malicious versions of the websites.

“This shows how attackers can use extremely simple methods to hide, in this case, thousands of malicious domains,” Golomb said.

After this story’s publication, Awake released its research, including the list of domains and extensions. here

All of the domains in question, more than 15,000 linked to each other in total, were purchased from a small registrar in Israel, Galcomm, known formally as CommuniGal Communication Ltd.

Awake said Galcomm should have known what was happening.

In an email exchange, Galcomm owner Moshe Fogel told Reuters that his company had done nothing wrong.

“Galcomm is not involved, and not in complicity with any malicious activity whatsoever,” Fogel wrote. “You can say exactly the opposite, we cooperate with law enforcement and security bodies to prevent as much as we can.”

[…]

Malicious developers have been using Google’s Chrome Store as a conduit for a long time. After one in 10 submissions was deemed malicious, Google said in 2018 here it would improve security, in part by increasing human review.

But in February, independent researcher Jamila Kaya and Cisco Systems’ Duo Security uncovered here a similar Chrome campaign that stole data from about 1.7 million users. Google joined the investigation and found 500 fraudulent extensions.

Source: Exclusive: Massive spying on users of Google’s Chrome shows new security weakness – Reuters