There is a vulnerability in some Netgear wireless routers that allows a remote attacker to completely compromise a device and gain root privileges. The bug is trivially exploitable and the researcher who discovered it has posted a proof-of-concept exploit.
The vulnerability is a command-injection flaw that, when combined with a separate authentication-bypass bug that the same researcher discovered, can give an attacker simple root access to vulnerable routers. The bug is in the Netgear WNDR3700v4 router, a home dual-band gigabit router, and Zach Cutlip, the researcher who discovered the flaw said his exploit can exploit the bug, disable authentication, open a Telnet server and then restore the router to its original state so the user doesn’t realize anything has happened.
The vulnerability involves a function called cmd_ping6 (), which is meant to ping any given hostname of IPv6 address. However, the vulnerability in the firmware enables an attacker to use this function as a vector to compromise the target router and then do whatever he chooses. The bug affects versions 220.127.116.11 and 18.104.22.168 of the router’s firmware.
“What is happening here, as it so often does, is the host string gets copied into a shell command on the stack using sprintf(). This is probably the most straightforward buffer overflow vulnerability you will ever see. Sadly, you shouldn’t exploit it. It is a tempting one to exploit because it is so clean and simple and because popping root with a MIPS ROP payload is sexy. But that would be silly, because right after it there is a call to system(). The system() function passes whatever string it is given to an invocation of /bin/sh. This is a command injection vulnerability in its purest form and is trivially exploitable. If the address string that gets passed in is something like “; evil_command; #”, the ping6 command will be terminated prematurely, and evil_command will be executed right after it,” Cutlip, a senior vulnerability researcher at Tactical Network Solutions, wrote in his explanation of the Netgear flaw.
Previously, Cutlip had discovered and published an explanation of another vulnerability in the same router, which allows an attacker to bypass the authentication feature on the router. Using that bug in conjunction with the command-injection vulnerability gives an attacker a potent method for owning and staying resident on the Netgear routers.
“If you browse to http://<router address>/BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface. But not only that, authentication remains disabled across reboots. And, of course if remote administration is turned on, this works from the frickin’ Internet,” Cutlip said in the explanation of the authentication bypass flaw.
The exploit that Cutlip wrote for the command-injection vulnerability takes advantage of the authentication issue as well and makes it quite simple for an attacker to go after vulnerable devices. He said that while there isn’t any patch available right now, the best mitigation for affected users is to disable remote administration on their routers.
“Remote administration is the primary attack surface we look at and find bugs in for SOHO routers. Also ensure that WPA2 encryption is enabled, and that untrusted devices aren’t allowed to connect to the LAN, either via wired or wireless,” Cutlip said via email.
Cutlip mentioned on Twitter that the vulnerabilities he found were also discovered independently by another researcher, Craig Young of Tripwire, who also found a serious flaw in Netgear’s ReadyNAS product.