Netgear Zero-Day Allows Full Takeover of Dozens of Router Models

zero day

An unpatched vulnerability in the web server of device firmware gives attackers root privileges, researchers said.

UPDATED

Researchers this week said they discovered an unpatched, zero-day vulnerability in firmware for Netgear routers that put 79 device models at risk for full takeover, they said.

Netgear has since issued several hot fixes, available here.

The flaw, a memory-safety issue present in the firmware’s httpd web server, allows attackers to bypass authentication on affected installations of Netgear routers, according to two separate reports: One on the Zero Day Initiative (ZDI) by a researcher called “d4rkn3ss” from the Vietnam Posts and Telecommunications Group; and a separate blog post by Adam Nichols of cybersecurity firm Grimm.

“The specific flaw exists within the httpd service, which listens on TCP Port 80 by default,” according to the ZDI report, which covers the bug’s presence in the R6700 series Netgear routers. “The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, stack-based buffer.”

Authentication is not required to exploit the vulnerability, which attackers can use to gain root privileges, according to the report.

ZDI said it informed Netgear of the vulnerability in January. The vendor had asked for an extension until the end of June for public disclosure, which ZDI declined.

For his part, Nichols discovered the flaw initially in the Netgear R7000 router series, but eventually identified 79 different Netgear devices and 758 firmware images that included a vulnerable copy of the web server.

“This vulnerability affects firmwares as early as 2007 (WGT624v4, version 2.0.6),” he said in his post. “Given the large number of firmware images, manually finding the appropriate gadgets is infeasible. Rather, this is a good opportunity to automate gadget detection.”

Nichols said that the problem lies in lack of support for a feature called stack cookies, or stack canaries—a reference to the use of a “canary in a coal mine”–which are used to detect a stack buffer overflow before execution of malicious code can occur, he explained. While some Netgear routers support this feature – namely, the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 – most others do not, he said.

“Later versions of the D8500 and R6300v2 stopped using stack cookies, making this vulnerability once again exploitable,” Nichols explained in the post. “This is just one more example of how SOHO device security has fallen behind as compared to other modern software.”

Web servers in the firmware of SOHO devices in general are often the most vulnerable aspect of the system as they “must parse user input from the network and run complex CGI functions that use that input,” he said.

“Furthermore, the web server is written in C and has had very little testing, and thus it is often vulnerable to trivial memory-corruption bugs,” Nichols said.

Exploitation

The zero-day vulnerability can be exploited in two ways, Nichols explained in his post. One way to is to exploit the recv function used in the http parser in the web server through a series of steps that eventually lead to a stack-buffer overflow.

Attackers also can use a cross-site request forgery (CSRF) attack to exploit the vulnerability, though he or she needs to know the model and version of the router they’re targeting to pull this off successfully, he explained.

“If a user with a vulnerable router browses to a malicious website, that website could exploit the user’s router … by serving an HTML page which sends an AJAX request containing the exploit to the target device:” Nichols said. “However, as the CSRF web page cannot read any responses from the target server, it is not possible to remotely fingerprint the device.”

One mitigation for the vulnerability is to restrict interaction with the service to trusted machines, according to the ZDI report.

“Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it,” according to the report. “This could be accomplished in a number of ways, most notably with firewall rules/whitelisting.”

In March, Netgear patched a critical remote code execution bug that could allow an unauthenticated attacker to take control of its Wireless AC Router Nighthawk (R7800) hardware running firmware versions prior to 1.0.2.68. It also addressed two high-severity bugs impacting Nighthawk routers, 21 medium-severity flaws and one rated low.

This story was updated June 25, 2000 at 11:30 a.m. ET to include information on Netgear’s hot fixes.

Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about itPlease register here for this Threatpost webinar.

Suggested articles