An unpatched zero-day vulnerability exists in 79 Netgear router models that allows an attacker to take full control over vulnerable devices remotely.
Discovered independently by both Adam Nichols of cybersecurity firm Grimm and d4rkn3ss from Vietnam’s VNPT ISC (through Zero Day Initiative), the vulnerability lies in the HTTPD daemon used to manage the router.
According to the reports, the vulnerable router’s HTTPD daemon does not adequately check the length of data supplied by a user, allowing an attacker to create a buffer overflow when the data is copied to a fixed-length variable.
This flaw would allow an attacker to create a specially crafted string that would execute commands on the router without needing to authenticate first.
Nichols explains that stack cookies would typically mitigate this vulnerability, but many of the Netgear router products do not utilize them.
“In most modern software, this vulnerability would be unexploitable. Modern software typically contains stack cookies which would prevent exploitation. However, the R7000 does not use stack cookies. In fact, of all of the Netgear products which share a common codebase, only the D8500 firmware version 18.104.22.168 and the R6300v2 firmware versions 22.214.171.124-126.96.36.199 use stack cookies.”
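The bug class described above, an unbounded copy of user-supplied data into a fixed-size stack buffer, shown beside a length-checked version. This is an added C example, not Netgear's HTTPD code or the researchers' PoC; the handler names, the 64-byte field size and the inputs are assumptions.

```c
#include <string.h>

/* Hypothetical request-field handler that models the bug class the article
 * describes: attacker-controlled data copied into a fixed-size stack buffer
 * without a length check. Names and sizes are assumptions, not Netgear's code. */
#define FIELD_MAX 64

/* Vulnerable pattern (shown for contrast, never called here): the source
 * length is not compared with the destination, so a value of FIELD_MAX
 * bytes or more overruns the stack frame and its saved return address. */
void parse_field_unchecked(const char *field)
{
    char buf[FIELD_MAX];
    strcpy(buf, field);  /* unbounded copy: the overflow the article describes */
    (void)buf;
}

/* Hardened form: scan at most out_len bytes, reject anything that leaves no
 * room for the terminator, and copy only the checked length.
 * Returns the copied length, or -1 if the field was rejected. */
int parse_field_checked(const char *field, char *out, size_t out_len)
{
    size_t n = 0;
    while (n < out_len && field[n] != '\0')
        n++;
    if (n >= out_len)
        return -1;
    memcpy(out, field, n);
    out[n] = '\0';
    return (int)n;
}

/* Caller-side helper: accept a field into a FIELD_MAX stack buffer. */
int accept_field(const char *field)
{
    char buf[FIELD_MAX];
    return parse_field_checked(field, buf, sizeof buf);
}

/* Constructed input: a field of len 'A' bytes (capped at 511). */
int accept_field_of_length(size_t len)
{
    char field[512];
    if (len > sizeof field - 1)
        len = sizeof field - 1;
    memset(field, 'A', len);
    field[len] = '\0';
    return accept_field(field);
}
```

Building the unchecked version with GCC's `-fstack-protector` inserts the stack cookie the quote refers to, which turns a silent overwrite into an abort; the length check is still the fix, since the cookie only limits what an overflow can do.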
As an example of how this exploit could be used, Nichols used the vulnerability to configure the telnet daemon on a vulnerable router to listen on port 8888 and not require a password.
While the HTTPD daemon is only accessible by default on the LAN, router admins can enable remote management, making it accessible from the Internet.
Once an attacker gains control over a vulnerable router, they can use it to launch attacks on internal computers found on the LAN.
It could also be used to configure port forwarding on the router so that devices on the internal network would be exposed on the Internet.
In ZDI’s disclosure, they state that they reported the vulnerability to Netgear on January 8th, 2020, and a disclosure date of June 15th, 2020, was agreed upon. After Netgear’s request for further time to resolve the bug was denied, both ZDI and Grimm publicly disclosed the vulnerability.
BleepingComputer has contacted Netgear to see when the vulnerabilities will be fixed but has not heard back at this time.
Affected router models
According to Nichols, 79 Netgear router models and 758 firmware images contain the vulnerable HTTPD daemon.
A list of these affected models and firmware can be found in Nichols’ PoC exploit.
Below are the 79 router models that are affected: