79 Netgear router models risk full takeover due to unpatched bug


An unpatched zero-day vulnerability exists in 79 Netgear router models and allows an attacker to take full control of vulnerable devices remotely.

Discovered independently by both Adam Nichols of cybersecurity firm Grimm and d4rkn3ss from Vietnam’s VNPT ISC (through Zero Day Initiative), the vulnerability lies in the HTTPD daemon used to manage the router.

While ZDI’s report includes brief information about the vulnerability, Nichols has released a detailed explanation of the vulnerability, a PoC exploit, and scripts to find vulnerable routers.

According to the reports, the vulnerable router’s HTTPD daemon does not adequately check the length of data supplied by a user, allowing an attacker to create a buffer overflow when the data is copied to a fixed-length variable.

This flaw would allow an attacker to create a specially crafted string that would execute commands on the router without needing to authenticate first.

Nichols explains that stack cookies would typically mitigate this vulnerability, but many of the Netgear router products do not utilize them.

“In most modern software, this vulnerability would be unexploitable. Modern software typically contains stack cookies which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 1.0.3.29 and the R6300v2 firmware versions 1.0.4.12-1.0.4.20 use stack cookies.”
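The length-check failure described above, as an added illustration of the bug class rather than Netgear's HTTPD code: a fixed-size buffer filled with user-supplied data without any bound, next to a version that validates the length before copying. VALUE_MAX, the function names and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-length destination, as in the flaw described above (size assumed). */
#define VALUE_MAX 64

/* VULNERABLE PATTERN: the length of the user-supplied value is never checked,
 * so anything longer than VALUE_MAX bytes overwrites adjacent stack data.
 * Building with -fstack-protector-strong adds the canary (stack cookie) that
 * the article notes is absent from most of these firmware images; the
 * overflow still happens, but it is detected before the function returns. */
int parse_value_unchecked(const char *user_input) {
    char value[VALUE_MAX];
    strcpy(value, user_input);           /* no bound: overflows on long input */
    return (int)strlen(value);
}

/* HARDENED: validate the length up front and copy at most VALUE_MAX-1 bytes,
 * returning an error instead of truncating silently or overflowing. */
int parse_value_checked(const char *user_input, size_t input_len) {
    char value[VALUE_MAX];
    if (user_input == NULL || input_len >= VALUE_MAX)
        return -1;                       /* reject: would not fit with the NUL */
    memcpy(value, user_input, input_len);
    value[input_len] = '\0';
    return (int)input_len;
}

/* Constructed inputs: a short value that fits, and one far larger than the buffer. */
int demo_short(void) {
    const char *ok = "R7000";
    return parse_value_checked(ok, strlen(ok));      /* 5 */
}

int demo_long(void) {
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return parse_value_checked(big, strlen(big));    /* -1: rejected */
}

int main(void) {
    printf("short: %d\nlong: %d\n", demo_short(), demo_long());
    /* parse_value_unchecked() is deliberately never called with the long
     * input here: doing so would corrupt the stack, which is the point. */
    return 0;
}
```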

As an example of how this exploit could be used, Nichols used the vulnerability to configure the telnet daemon on a vulnerable router to listen on port 8888 and not require a password.

Enable Telnet without a password

While the HTTPD daemon is only accessible from the LAN by default, router admins can enable remote management, which makes it reachable from the Internet.

Even if not accessible via the Internet, attackers can create malicious websites containing JavaScript that perform DNS rebinding attacks to execute commands on the internal network remotely.

Once an attacker gains control over a vulnerable router, they can use it to launch attacks on internal computers found on the LAN.

It could also be used to configure port forwarding on the router so that devices on the internal network would be exposed on the Internet.

ZDI’s disclosure states that it reported the vulnerability to Netgear on January 8th, 2020, and that a disclosure date of June 15th, 2020, was agreed upon. After Netgear’s request for more time to resolve the bug was denied, both ZDI and Grimm publicly disclosed the vulnerability.

BleepingComputer has contacted Netgear to ask when the vulnerabilities will be fixed but has not heard back at this time.

Affected router models

According to Nichols, 79 Netgear router models and 758 firmware images contain the vulnerable HTTPD daemon.

A list of these affected models and firmware can be found in Nichols’ PoC exploit.

Below are the 79 router models that are affected:

AC1450 MBR1516 WGR614v9
D6220 MBRN3000 WGR614v10
D6300 MVBR1210C WGT624v4
D6400 R4500 WN2500RP
D7000v2 R6200 WN2500RPv2
D8500 R6200v2 WN3000RP
DC112A R6250 WN3100RP
DGN2200 R6300 WN3500RP
DGN2200v4 R6300v2 WNCE3001
DGN2200M R6400 WNDR3300
DGND3700 R6400v2 WNDR3300v2
EX3700 R6700 WNDR3400
EX3800 R6700v3 WNDR3400v2
EX3920 R6900 WNDR3400v3
EX6000 R6900P WNDR3700v3
EX6100 R7000 WNDR4000
EX6120 R7000P WNDR4500
EX6130 R7100LG WNDR4500v2
EX6150 R7300 WNR834Bv2
EX6200 R7850 WNR1000v3
EX6920 R7900 WNR2000v2
EX7000 R8000 WNR3500
LG2200D R8300 WNR3500v2
MBM621 R8500 WNR3500L
MBR624GU RS400 WNR3500Lv2
MBR1200 WGR614v8 XR300
MBR1515