Netgear Working to Patch Routers

Tuesday, December 27, 2016 @ 02:12 PM gHale

Netgear is working on a patch to mitigate vulnerabilities in its WNR2000 routers that could allow an attacker to find the administrator password and take full control of the affected networking device.

The vulnerabilities are exploitable over the local area network (LAN) by default, but if the user enables remote administration, an attacker could exploit them remotely, said security researcher Pedro Ribeiro.

At least 10,000 vulnerable devices have already been identified, but these are only the ones with remote administration enabled, Ribeiro said in a post.

“There are likely tens of thousands of vulnerable routers in private LANs as this device is extremely popular,” Ribeiro said.

The security flaws were found in the WNR2000v5, which does not have remote administration enabled by default on the latest firmware, meaning remote attacks would only be possible if a user had manually enabled remote admin access.

Other versions may be vulnerable, but Ribeiro has not tested them.

The issue is that the WNR2000 allows an admin to perform various functions through an apparent CGI script named apply.cgi, which is actually a function inside the HTTP server (uhttpd) that runs when the corresponding string is received in the URL. By reverse engineering uhttpd, the researcher discovered that it allows an unauthenticated user to perform the same sensitive admin functions by invoking apply_noauth.cgi instead.

That means an unauthenticated attacker can exploit some of the available functions immediately, such as rebooting the router. For access to other functions the attacker has to send a “timestamp” variable attached to the URL.

By combining this with an information leakage vulnerability in the router, an attacker on the LAN can recover the administrator password, use it to enable telnet on the router, and obtain a root shell.
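For a defender, the practical takeaway from the paragraphs above is twofold: any request for apply_noauth.cgi is worth an alert, because that endpoint should never be needed by a legitimate administrator, and any request for either admin endpoint arriving from outside the LAN indicates that remote administration is exposed. The following is an added example written for this article (it is not code from Ribeiro's advisory or from Netgear) that scans web-access log lines for both conditions. It assumes a combined-log-style line format and a set of RFC 1918 LAN ranges; the WNR2000's own log format is not described on the page, so a practitioner would adapt the regex to whatever logs (router, reverse proxy, or packet capture export) are actually available.

```python
import re
from ipaddress import ip_address, ip_network

# Regex for a combined-log-style line: client IP, timestamp, request line, status.
# The format is an assumption for this example, not the router's documented log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Admin endpoints named in the article: apply.cgi (meant to require a login)
# and apply_noauth.cgi (reachable without credentials).
ADMIN_PATHS = {"/apply.cgi", "/apply_noauth.cgi"}
NOAUTH_PATH = "/apply_noauth.cgi"

# Private ranges treated as "the LAN"; adjust to the actual site addressing.
DEFAULT_LAN = [
    ip_network("192.168.0.0/16"),
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
]

# Constructed sample log lines (not captured from a real device). The last
# line is deliberately malformed to show that unparseable input is skipped.
SAMPLE_LOG = """\
192.168.1.23 - - [27/Dec/2016:14:01:10 +0000] "GET /index.htm HTTP/1.1" 200 512
192.168.1.50 - - [27/Dec/2016:14:02:31 +0000] "POST /apply_noauth.cgi HTTP/1.1" 200 0
203.0.113.9 - - [27/Dec/2016:14:03:05 +0000] "POST /apply.cgi HTTP/1.1" 200 128
203.0.113.9 - - [27/Dec/2016:14:03:40 +0000] "POST /apply_noauth.cgi?timestamp=1482847420 HTTP/1.1" 200 0
this line is not a log entry and must be ignored
"""


def parse_line(line):
    """Return a dict with ip, method, path, query and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def is_lan(ip, lan_nets):
    """True if the client address falls inside one of the configured LAN ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in lan_nets)


def classify(entry, lan_nets=DEFAULT_LAN):
    """Return the list of reasons this request should be flagged (empty if benign)."""
    reasons = []
    if entry["path"] == NOAUTH_PATH:
        reasons.append("unauthenticated admin endpoint invoked")
    if entry["path"] in ADMIN_PATHS and not is_lan(entry["ip"], lan_nets):
        reasons.append("admin endpoint reached from outside the LAN")
    return reasons


def scan(log_text, lan_nets=DEFAULT_LAN):
    """Scan a block of log text and return one finding per flagged request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry, lan_nets)
        if reasons:
            findings.append({"ip": entry["ip"], "path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']}: {'; '.join(f['reasons'])}")
```

Run against the constructed sample, the scan flags three of the four well-formed lines: the LAN request to apply_noauth.cgi, the apply.cgi request from a public address, and the public-address request to apply_noauth.cgi, which trips both rules. The index page request and the malformed line produce nothing.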

On top of that, Ribeiro found a stack buffer overflow which could allow an unauthenticated attacker to take full control over the device and execute code remotely.

Because Netgear did not respond to his emails, Ribeiro published an advisory and exploit code that leverages the vulnerabilities.

Netgear acknowledged the password recovery and command execution issues and said a firmware update to patch the vulnerabilities will come out soon.
