>> Stack buffer overflow vulnerability in NETGEAR WNR2000 router
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
==========================================================================
Disclosure: 20/12/2016 / Last updated: 30/12/2018

>> Background on the affected products:
"Wirelessly connect all of your computers and mobile devices. N300 WiFi speed lets you simultaneously download, stream music and video, and game online. NETGEAR genie® makes it easy to setup and monitor your network. Parental controls keep your Internet experience safe and secure."

>> Summary:
The NETGEAR WNR2000 allows an administrator to perform a number of sensitive functions in the web interface through an apparent CGI script named apply.cgi. This script is invoked when changing Internet settings, WLAN settings, restoring factory defaults, rebooting the router, etc. However, apply.cgi is not really a script, but a function that is invoked in the HTTP server (uhttpd) when it receives that string in the URL.

When reverse engineering uhttpd, it was found that it also allows an unauthenticated user to perform the same sensitive admin functions if apply_noauth.cgi is invoked instead.

Sensitive functions, such as rebooting the router, changing Internet or WLAN settings, or retrieving the administrative password, require the attacker to send a "timestamp" variable attached to the URL. This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token. The timestamp generating function was reverse engineered, and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge.

By combining this knowledge with an information leakage, it is possible to recover the administrator password. This password is then used to enable telnet functionality in the router and obtain a root shell if the attacker is in the LAN.
Finally, a stack buffer overflow was also discovered, which combined with the apply_noauth.cgi vulnerability and the timestamp identification attack allows an unauthenticated attacker to take full control of the device and execute code remotely in the LAN and in the WAN.

It should be noted that the WNR2000v5 does not have remote administration enabled by default on the latest firmware, and unless the administrator enables it, these attacks are only possible in the LAN.

Only the WNR2000v5 device was tested, but versions 3 and 4 of this router should also be vulnerable, as confirmed by static analysis. At the time of the initial disclosure, there are over 10.000 vulnerable routers with remote management enabled appearing in a Shodan search.

Exploit code was initially released with this advisory, but it was of "alpha" quality and it has since been deleted. Two exploit modules have now been released and integrated in the Metasploit framework: one obtains the admin password by abusing the password recovery function (auxiliary/admin/http/netgear_wnr2000_pass_recovery), while the other exploits the buffer overflow vulnerability to achieve unauthenticated remote code execution as root (exploit/linux/http/netgear_wnr2000_rce). See [1] for cached copies of these modules in Agile InfoSec's repo, or use them directly from a recent Metasploit version.

>> Update / Correction (02/01/2017):
Upon further investigation, it turns out that the initial assumption that it was possible to perform some actions without knowing the timestamp (such as rebooting the router) was incorrect. Actually, any action can be performed without knowledge of the timestamp as long as the target page has never been accessed. If at some point the target page was accessed, the timestamp variable will be set. This advisory has been corrected to reflect these findings.

NETGEAR has recognised the flaw and released beta firmware for the affected routers, which can be obtained in [7].
NETGEAR has also indicated that the password recovery attack can only be done if the password recovery questions were never set by the user before, but according to Agile Information Security tests this is not the case, and the password is still recoverable even if the password recovery questions were previously set.

>> Technical details:

#1
Vulnerability: Information leakage
CVE-2016-10175
Attack Vector: Remote
Constraints: Can be exploited by an unauthenticated attacker. See below for other constraints.
Affected versions:
- WNR2000v5, all firmware versions (confirmed in hardware)
- WNR2000v4, all firmware versions possibly affected (confirmed only by static analysis)
- WNR2000v3, all firmware versions possibly affected (confirmed only by static analysis)

The device leaks its serial number when performing a request to http:///BRS_netgear_success.html:

HTTP/1.0 200 OK
Server: uhttpd/1.0.0
Date: Thu, 01 Jan 1970 00:11:42 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html; charset="UTF-8"
Connection: close
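A defender-side companion to the summary above and to the serial-number leak in #1, added here and not part of the original advisory: a small Python monitor that scans constructed HTTP request records (as a sensor in front of the router might log them) for hits on apply_noauth.cgi from outside the LAN, bursts of distinct timestamp values from one source (the token-guessing pattern the summary describes), and fetches of BRS_netgear_success.html from the WAN. The record format, the 192.168.1.0/24 LAN range and the 20-value threshold are assumptions, not something the advisory states.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoints named in the advisory: the unauthenticated twin of apply.cgi and
# the page that returns the serial number.
NOAUTH_HANDLER = "/apply_noauth.cgi"
SERIAL_LEAK_PAGE = "/BRS_netgear_success.html"
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN range
GUESS_THRESHOLD = 20  # assumed: distinct timestamp values from one source

# Constructed sample records in an assumed "<src_ip> <method> <target>" format:
# a WAN host fetches the leak page, then cycles timestamp values at the
# unauthenticated handler; a LAN admin makes one normal apply.cgi request.
SAMPLE_REQUESTS = (
    ["203.0.113.5 GET /BRS_netgear_success.html"]
    + [f"203.0.113.5 POST /apply_noauth.cgi?timestamp={t}" for t in range(100000, 100025)]
    + ["192.168.1.10 POST /apply.cgi?timestamp=100042"]
)

def parse_request(line):
    """Split one record into (src_ip, method, path, query-parameter dict)."""
    src, method, target = line.split(maxsplit=2)
    parts = urlsplit(target)
    return src, method, parts.path, parse_qs(parts.query)

def detect(lines):
    """Return ordered, de-duplicated (src_ip, reason) findings."""
    findings = []
    guesses = defaultdict(set)  # src_ip -> distinct timestamp values sent
    for line in lines:
        src, _method, path, query = parse_request(line)
        from_wan = ipaddress.ip_address(src) not in LAN
        if path == SERIAL_LEAK_PAGE and from_wan:
            findings.append((src, "serial-number leak page fetched from WAN"))
        if path == NOAUTH_HANDLER:
            if from_wan:
                findings.append((src, "unauthenticated admin handler hit from WAN"))
            for ts in query.get("timestamp", []):
                guesses[src].add(ts)
    # Many distinct timestamp values from one source is the guessing pattern
    # the advisory describes (token identifiable in under 1000 attempts).
    for src, values in guesses.items():
        if len(values) >= GUESS_THRESHOLD:
            findings.append((src, f"timestamp guessing: {len(values)} distinct values"))
    return list(dict.fromkeys(findings))  # keep first occurrence of each finding
```

Running detect(SAMPLE_REQUESTS) yields three findings for 203.0.113.5 and none for the LAN admin; in practice the threshold should be tuned well below the 1000 attempts the advisory says suffice.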