Skip to content

US-CERT’s top tip: Hack your crap Netgear router before miscreants arrive

14/12/2016

http://www.theregister.co.uk/2016/12/13/netgear_r7000_r6400_r8000_security/

Netgear says that the R6400, R7000, and R8000 series routers are all vulnerable to CVE-2016-582384, a command-injection bug that is trivial to exploit: you simply have to trick someone on the router’s local network into opening a booby-trapped webpage. We’re told R7500, R7800, R8500 and R9000 models are also at-risk.

An attacker could direct a victim to a malicious website that abuses the design flaw, or malware on the network could connect to the vulnerable box and exploit the vulnerability directly. The end result is countless routers potentially being silently meddled with or infected and hijacked.

Due to a major bug in the way the routers’ builtin HTTP server parses requests, you can inject commands into a box by fetching the following URL:

http:///cgi-bin/;COMMAND

The web server code executes the given command string effectively as the root user; the underlying operating system is BusyBox Linux. So, for example, if one of the affected models is usually on the local IP address 192.168.0.1, then the following HTML embedded in a webpage will force a reboot when someone on the LAN visits that page – effectively creating a denial-of-service:


US-CERT says an exploit targeting the flaw has already been publicly disclosed. The security team’s advisory explains:

Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted website, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers.

“Exploiting this vulnerability is trivial,” the security bods caution. “Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.”

Administrators, meanwhile, are less than thrilled with Netgear for its security miscue.

Security researcher Acew0rm was credited with discovering and disclosing the flaw over the weekend, as well as developing the proof-of-concept exploit. We’re told Ace warned Netgear about this issue months ago but seemingly nothing was done about it.

While Netgear says it is still working on a firmware fix for the flaw, US-CERT says the hole can be closed by disabling the router’s web server feature with the following URL:

http:///cgi-bin/;killall$IFS'httpd'

That request, which exploits the vulnerability itself, disables the builtin HTTP server that is used to administer the device. In other words, customers are being urged to lightly hack their own boxes before an attacker can exploit it for nefarious ends.

US-CERT notes that after executing the command, users will be unable to manage or control the router via the HTTP server until the box is rebooted or power cycled. A software fix is needed from Netgear to permanently squash the bug.

**Comment

On a personal note, I hugely dislike the word miscreants, to the point that I discount any article that includes it. I has such a tone, of arrogance, that it makes me annoyed the second it’s included.

Advertisements
Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: