Netgear has issued patches to squash security vulnerabilities in two router models that can be exploited to, for instance, open a superuser-level telnet backdoor.
Those two devices are the R6400v2 and R6700v3, and you can get hot-fixes for the holes here. However, some 77 models remain reportedly vulnerable, and no fixes are available. For the full list of Netgear SOHO products said to be at-risk, see the afore-linked page.
Exploit code, developed by infosec outfit Grimm, is available on GitHub for all the models said to be vulnerable: it opens telnet daemon on port 8888, if successful. There’s technical details here.
The bugs lie in the web-based control panel of the Linux-powered equipment. It can be hijacked by sending it specially crafted data, bypassing the password protection, via the local network, or the internet if it is exposed to the world, or by tricking a victim into opening a webpage that automatically connects to the device on the LAN. Once exploited, the device can be commanded to open a backdoor, change its DNS and DHCP settings to redirect users to phishing websites, and so on.
How we got to this situation is an interesting tale. In January, Trend Micro’s Zero-Day Initiative (ZDI) privately contacted Netgear on behalf of a security researcher, called d4rkn3ss, at the Vietnamese government’s national telecoms provider. The egghead had found a way into R6700 routers via a classic buffer overflow attack, and Netgear was informed of the weakness.
ZDI and Netgear eventually agreed on a deadline of June 15 to release any necessary security updates: on that day, ZDI would go public with details of the flaw. At the end of May, Netgear asked for an extension to the end of June. ZDI rejected the request, and on Monday, emitted its advisory.
“This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Netgear R6700 routers,” ZDI explained. “Authentication is not required to exploit this vulnerability.
“The specific flaw exists within the httpd service, which listens on TCP port 80 by default. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root.”
Since it’s remote code execution, you can completely take over the router.
Speaking to The Register, ZDI senior manager of vulnerability analysis Abdul-Aziz Hariri said: “Since authentication is not required to reach this bug, anyone who can connect to the local network of the router would be capable of exploiting this vulnerability. Since it’s remote code execution, you can completely take over the router.
“In most scenarios, the attacker would be able to possibly upload a custom backdoor software and establish persistence or launch further attacks, like man-in-the-middle attacks.”
While ZDI waited for Netgear to release its patches, Grimm privately reported to Netgear in May it had found the same security hole in a bunch of the manufacturer’s products. When ZDI went public, so did Grimm: publishing an in-depth advisory showing how to exploit the holes, and released full, working proof-of-concept exploit code.
Three days later, Netgear released the aforementioned hot-fixes for two of the models. “We have already provided hot fixes for the R7000 and the R6700. The rest are forth coming,” the router-maker told The Register on Thursday.
The Grimm team noted that Netgear’s firmware lacked basic protections, such as ASLR for its programs, which makes the bugs in the equipment easy to exploit.
And this is why responsible disclosure is a good idea.
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft