0-day vulnerability in Netgear devices that allows remote root access

A vulnerability has been identified in the HTTP server used in Netgear SOHO routers that allows unauthenticated remote code execution with root privileges, giving full control over the device. To attack, it is enough to send a request to the network port on which the web interface is running. The problem is caused by the size of external data not being checked before it is copied into a fixed-size buffer (a stack buffer overflow). The vulnerability has been confirmed in various Netgear router models whose firmware uses the same vulnerable httpd process.

Since the firmware was built without stack protection mechanisms such as stack canaries, the researchers were able to prepare a reliably working exploit that launches a reverse shell on port 8888 with root access. The exploit has been adapted to attack 758 Netgear firmware images that were found, but so far it has been manually tested on only 28 devices. In particular, the exploit was confirmed to work on the following models:

  • D6300
  • DGN2200
  • EX6100
  • R6250
  • R6400
  • R7000
  • R8300
  • R8500
  • WGR614
  • WGT624
  • WN3000RP
  • WNDR3300
  • WNDR3400
  • WNDR4000
  • WNDR4500
  • WNR834B
  • WNR1000
  • WNR2000
  • WNR3500
  • WNR3500L
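The two points above, an unchecked copy of request data into a fixed-size stack buffer and the absence of a stack canary that would catch the overwrite, are illustrated by the following added example. It is not code from the page or from Netgear's httpd: the request handler, the "Host" header being copied, the simulated frame layout (64-byte buffer, canary slot, saved return address slot) and all constants are assumptions for the demonstration, and the request is constructed inline. The copy is done into a byte array that stands in for the stack frame, so the demo shows the corruption without actually smashing the process stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame of a request handler (constructed for this example):
 * [ 64-byte header buffer ][ 4-byte canary ][ 4-byte saved return address ]
 * All writes in the demo stay inside FRAME_SIZE, so no real memory is corrupted. */
#define BUF_SIZE   64
#define FRAME_SIZE 128
#define CANARY     0xDEAD5A5Au  /* hypothetical canary value */
#define SAVED_RET  0x00401234u  /* hypothetical saved return address */

enum { OFF_BUF = 0, OFF_CANARY = BUF_SIZE, OFF_RET = BUF_SIZE + 4 };

struct frame { uint8_t bytes[FRAME_SIZE]; };

struct outcome {
    int      rc;        /* handler return code */
    int      canary_ok; /* 1 if the canary slot is intact after the copy */
    uint32_t ret;       /* contents of the saved-return slot after the copy */
};

static void frame_init(struct frame *f) {
    uint32_t c = CANARY, r = SAVED_RET;
    memset(f->bytes, 0, sizeof f->bytes);
    memcpy(f->bytes + OFF_CANARY, &c, sizeof c);
    memcpy(f->bytes + OFF_RET, &r, sizeof r);
}

static uint32_t frame_ret(const struct frame *f) {
    uint32_t r; memcpy(&r, f->bytes + OFF_RET, sizeof r); return r;
}

static int frame_canary_ok(const struct frame *f) {
    uint32_t c; memcpy(&c, f->bytes + OFF_CANARY, sizeof c); return c == CANARY;
}

/* Locate "Name: value\r\n" in a raw request; the value length is attacker-controlled. */
static const char *find_header(const char *req, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = req;
    while ((p = strstr(p, name)) != NULL) {
        if ((p == req || p[-1] == '\n') && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            const char *e = strpbrk(v, "\r\n");
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p += nlen;
    }
    return NULL;
}

/* Vulnerable pattern: the length comes from the request and is never compared
 * against BUF_SIZE, so a long value runs over the canary and return slots.
 * The FRAME_SIZE guard exists only to keep this demo inside the array. */
int copy_header_unchecked(struct frame *f, const char *req, const char *name) {
    size_t len;
    const char *v = find_header(req, name, &len);
    if (!v) return -1;
    if (len >= FRAME_SIZE) return -2;   /* demo-only guard, not a real fix */
    memcpy(f->bytes + OFF_BUF, v, len);
    f->bytes[OFF_BUF + len] = '\0';
    return (int)len;
}

/* Hardened form: reject anything that does not fit together with its terminator. */
int copy_header_checked(struct frame *f, const char *req, const char *name) {
    size_t len;
    const char *v = find_header(req, name, &len);
    if (!v) return -1;
    if (len >= BUF_SIZE) return -3;     /* no room for value plus NUL */
    memcpy(f->bytes + OFF_BUF, v, len);
    f->bytes[OFF_BUF + len] = '\0';
    return (int)len;
}

/* Constructed request with a Host value of value_len 'A' bytes. */
static void build_request(char *out, size_t outsz, size_t value_len) {
    char value[FRAME_SIZE];
    if (value_len >= sizeof value) value_len = sizeof value - 1;
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    snprintf(out, outsz, "GET / HTTP/1.1\r\nHost: %s\r\n\r\n", value);
}

static struct outcome run(int (*handler)(struct frame *, const char *, const char *),
                          size_t value_len) {
    char req[256];
    struct frame f;
    struct outcome o;
    build_request(req, sizeof req, value_len);
    frame_init(&f);
    o.rc = handler(&f, req, "Host");
    o.canary_ok = frame_canary_ok(&f);
    o.ret = frame_ret(&f);
    return o;
}

struct outcome run_unchecked(size_t value_len) { return run(copy_header_unchecked, value_len); }
struct outcome run_checked(size_t value_len)   { return run(copy_header_checked, value_len); }

int main(void) {
    struct outcome u = run_unchecked(80), c = run_checked(80);
    printf("unchecked: rc=%d canary_ok=%d ret=0x%08x\n", u.rc, u.canary_ok, u.ret);
    printf("checked:   rc=%d canary_ok=%d ret=0x%08x\n", c.rc, c.canary_ok, c.ret);
    return 0;
}
```

With an 80-byte Host value the unchecked handler overwrites both the canary and the saved return slot with 0x41414141; in the real firmware there is no canary slot at all, so nothing would notice before the corrupted return address is used, which is what makes the exploit reliable. The checked handler refuses the same request and leaves the frame untouched.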

Updates fixing the vulnerability have not yet been released (hence 0-day), so users are advised to block access to the device's HTTP port from untrusted systems; since the web interface is normally reachable from the LAN, that means making sure remote management from the WAN side is disabled and limiting which local hosts can reach the port. Netgear was notified of the vulnerability on January 8, but by the agreed 120-day disclosure deadline it had not released a firmware update and requested an extension of the embargo. The researchers agreed to move the deadline to June 15, but at the end of May Netgear representatives again asked to move it to the end of June, which was refused.

Source: opennet.ru
