NETGEAR router command injection to obtain ROOT privileges [EXP] - vulnerability warning - 黑吧安全网 (myhack58)

2013-11-06T00:00:00
ID MYHACK58:62201341135
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-11-06T00:00:00

Description


A well-known foreign researcher found an authentication bypass vulnerability in the firmware of the NETGEAR WNDR3700v4 router. Once authentication on the Web interface is bypassed, a great deal can be done afterwards.

The WNDR3700v4 firmware contains an executable, net-cgi, which works much like BusyBox: many functions bundled into one binary. There are plenty of places worth studying; the one of interest here is the cmd_ping6() module.

[Figure: screenshot of the cmd_ping6() disassembly, not recovered]

This function takes a char *host argument; its job is to ping a host by machine name or IPv6 address. That is a very common function, but in this firmware it uses sprintf() to copy the host string straight into a shell command string, and this is about the simplest form of the bug there is: whatever the user supplies ends up in the string that is handed to system() for execution.

What if the user does not use IPv6? That does not matter: as long as the command reaches system(), who cares whether the ping itself succeeds?
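As an added example (not code from the article or from the NETGEAR firmware), the pattern described above, a host string formatted into a shell command for system(), is shown next to a hardened version that validates the host and runs ping6 through execvp() with an argv array, so no shell ever parses the input. The function names, the character whitelist, the 253-byte limit and the assumption that ping6 accepts "--" to end option parsing are this example's own.

```c
/* Added example: vulnerable ping6 command construction next to a hardened
 * version. Not the firmware's code; names and limits are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMD_MAX 256

/* Vulnerable pattern: the host string is pasted verbatim into a shell
 * command line. Only the string is built here; the firmware would pass it
 * to system(). Returns the command length, or -1 if it would not fit.
 * snprintf() instead of the article's sprintf() avoids the overflow but
 * does nothing about shell metacharacters inside host. */
int build_ping6_cmd(const char *host, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "ping6 -c 3 %s > /tmp/ping6.log", host);
    if (n < 0 || (size_t)n >= cmd_len)
        return -1;
    return n;
}

/* Hardened check: accept only characters that can legitimately appear in a
 * hostname or IPv6 literal (letters, digits, '.', ':', '-', and '%' for a
 * zone index). Every shell metacharacter is therefore rejected, as is a
 * leading '-' that ping6 would read as an option. Returns 1 if acceptable. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)          /* empty, or longer than a DNS name */
        return 0;
    if (host[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == ':' || c == '-' || c == '%'))
            return 0;
    }
    return 1;
}

/* Hardened execution: validate, then run ping6 via fork()/execvp() with an
 * argv array, so the host is a single argument and no shell is involved.
 * Returns the ping6 exit status, or -1 if the host was rejected or the
 * child could not be run. */
int ping6_safe(const char *host)
{
    if (!host_is_safe(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping6", "-c", "3", "--", (char *)host, NULL };
        execvp("ping6", argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[CMD_MAX];
    const char *injected = "::1; echo injected";   /* constructed sample input */

    build_ping6_cmd(injected, cmd, sizeof cmd);
    printf("vulnerable command line: %s\n", cmd);   /* ';' passes straight through */
    printf("host_is_safe(\"%s\") = %d\n", injected, host_is_safe(injected));
    printf("host_is_safe(\"fe80::1%%eth0\") = %d\n", host_is_safe("fe80::1%eth0"));
    printf("ping6_safe(\"%s\") = %d\n", injected, ping6_safe(injected));
    return 0;
}
```

The whitelist is deliberately narrow: the goal is to describe what a valid host looks like rather than to enumerate dangerous characters, and the argv-based execution means that even an input the check lets through can never be interpreted by a shell.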

Let us look back at how this hole comes about.

[Figure: screenshot of the call chain, not recovered]

cmd_ping6() is called by cgi_commit(), which in turn is called by sub_4052d0().

On the Web side, the page that triggers this path is ping6_traceroute6_hidden_info.htm.

[Figure: screenshot of the ping6_traceroute6_hidden_info.htm page, not recovered]

We try executing a small command to test it:

[Figure: screenshot of the test request, not recovered]

Although this is only a small test, the effect is immediate: even remotely, you can easily tell whether the command executed successfully.

[Figure: screenshot of the result, not recovered]

Using this vulnerability, the researcher wrote an exploit (EXP) in Python. The EXP mainly performs the following steps:

  1. Fingerprints the device to verify that the vulnerability is present.
  2. Disables the device's Web authentication.
  3. Via the command injection, sets up iptables, starts telnet, and opens and listens on port 2323 on the external (WAN) side.
  4. Re-enables Web authentication, restoring the original state.

[Figure: screenshot of the exploit output, not recovered]

Download the EXP:

Github <https://github.com/zcutlip/exploit-poc/blob/master/netgear/wndr3700v4/ping6_cmd_injection/ping6_inject.py>

Running the EXP requires installing Bowcaster:

<https://github.com/zcutlip/bowcaster>

NETGEAR Inc. is a US networking company founded in 1996 that has long been committed to providing small and medium-sized enterprises and SOHO users with easy-to-use, powerful, integrated networking solutions. Headquartered in Santa Clara, California, in Silicon Valley, with operations in many countries and regions, it has been among the 50 fastest-growing US high-tech companies for the eighth consecutive year, and in 2003 it became the only computer-networking company to list successfully on the US NASDAQ stock exchange (ticker: NTGR).

via Shadow-File