NetGear lot of router remote command injection vulnerability analysis(Update Patch analysis)-vulnerability warning-the black bar safety net

2016-12-15T00:00:00
ID MYHACK58:62201682111
Type myhack58
Reporter 佚名
Modified 2016-12-15T00:00:00

Description

0x01 introduction Two days before the NTP just doing the complete thing, the NetGear router(NETGEAR router)and to engage in things of T. T. The current CERT in the last week, five have issued a notice,“if the user comes to the router, it is recommended to stop use until the official release of the patch repair.” This vulnerability is by Acew0rm found, after reported to NetGear, today, he went on Twitter and posted about this exploit in the video. At the same time also released a Trojan address, there are two, one is embedded in the html of use, and the other is the more direct use, of course, you need to get the router's IP address. https://github.com/Acew0rm/Exploits/blob/master/Netgear_R7000.html https://www.exploit-db.com/exploits/40889/ But in fact, this vulnerability affects the routing version, far more than now exposure of so little, the current exposure is R6400, the R7000 version, and later the CERT and the exposure of the R8000 version. I have seen this vulnerability publicly after following a lot using the NetGear routing of foreigners in the chat, which summarizes the bit affected by the vulnerabilities version the routing. l R6400 (AC1750): confirmed l R7000 Nighthawk (AC1900, AC2300): confirmed (by myself) l R7500 Nighthawk X4 (AC2350): confirmed (by [2]) l R7800 Nighthawk X4S(AC2600): confirmed (by [2]) l R8000 Nighthawk (AC3200): confirmed l R8500 Nighthawk X8 (AC5300): confirmed (by [2]) l R9000 Nighthawk X10 (AD7200): confirmed (by [2]) l R6250 l R6700 Almost all R-series routes are affected by this vulnerability, of course, there are some R-series routing although affected, but because the firmware is different, part of the firmware is not affected by this vulnerability. Currently this vulnerability does not provide patches, official on Twitter, the reply is to hurry to fix this vulnerability, so it should be there are many devices affected by the vulnerability. Start the analysis before, thanks Spongebobb on Twitter and my discussion, let me from the inexplicable brain-hole to jump out of 23333. 0x02 detection methods Browser to access the router address:

http://[router-address]/cgi-bin/;uname$IFS-a If the returned page is an error or a non-empty, then the router may be the existence of this vulnerability. 0x03 in order to analyze the I fell for the pit In yesterday to see this vulnerability after exposure, I downloaded the corresponding version of the firmware【_R7000-V1. 0. 7. 2_1. 1. 93. chk], the analysis of the process of course ran into a lot of pits, here a little summarize. On this vulnerability, the main problem occurs in the/usr/sbin/httpd, but in the/www/cgi-bin/is also an executable file genie. cgi, which also fulfilled a CGI program of some of the features, just to start I'm a firm believe in the genie. cgi, also found a more interesting calling position. v6 = getenv("QUERY_STRING"); ptr = (void *)sub_A304(dword_1385C); if ( ptr ) { v0 = sub_9560((int)v6); if ( v0 != -1 ) { sub_9C78(v0); v4 = 0; sub_ABAC(0xB348, &v4, &v3); } } Here call getenv to obtain the QUERY_STRING environment variable, this variable is through the GET method receives the URL parameters, acquisition parameters, and to the QUERY_STRING assignment, this setenv assignment process is in the httpd, genie. cgi is only responsible for getenv。 And then here call a function sub_ABAC, talk into this function I found in this program only once a call to the system function of the position. . text:0000ABAC STMFD SP!, {R11,LR} . text:0000ABB0 ADD R11, SP, #4 . text:0000ABB4 SUB SP, SP, #0x420 . text:0000ABB8 STR R0, [R11,#command] . text:0000ABBC STR R1, [R11,#var_414] . text:0000ABC0 STR R2, [R11,#var_418] . text:0000ABC4 LDR R0, [R11,#command] ; command . text:0000ABC8 MOV R1, #aR_0 ; modes . text:0000ABD0 BL popen popen can execute the system function, it is in line with our exp in the conditions but the lost is found, here the value passed is sub_ABAC function of the first parameter, which is 0xB348, which is a constant.

. rodata:0000B348 aInternetSetCon DCB "internet set connection genieremote 1",0 Just started my brain hole a little big, thought that is similar to the php variable coverage, will not be the URL of the incoming value, due to some reasons will override this constant, and later still, rejected this process, and helpless when I thought of the contrast there is no vulnerability in the version which later it turns out that my analysis of the so-called no holes version, but also has this vulnerability, a comparison of the time to find R7000 later route version take https, when looking at the configuration file when stumbled R7000 in/usr/sbin/httpd to.

[1] [2] [3] [4] [5] [6] [7] [8] [9] next