Vulnerability in Netgear routers leading to remote code execution

A vulnerability has been identified in Netgear devices that allows an unauthenticated attacker, by manipulating traffic on the external network on the WAN side of the device, to execute code with root privileges. The vulnerability has been confirmed in the R6900P, R7000P, R7960P and R8000P wireless routers, as well as in the MR60 and MS60 devices for deploying mesh networks. Netgear has already released a firmware update that fixes the vulnerability.

The vulnerability is caused by a stack overflow in the background process aws_json (/tmp/media/nand/router-analytics/aws_json) while parsing the JSON data returned by a request to an external web service (https://devicelocation.ngxcld.com/device-location/resolve) that is used to determine the device's location. To carry out an attack, a specially crafted JSON file is placed on a web server and the router is made to fetch it, for example through DNS spoofing or request redirection at a transit node (the request to the devicelocation.ngxcld.com host, which is sent when the device starts, has to be intercepted). The request is sent over HTTPS, but without validating the server certificate (the download is performed with the curl utility using the "-k" option, which disables certificate checking).
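
One check a defender can run over an extracted firmware filesystem, as an added example that is not code from the advisory or from Netgear: a small Python scanner for curl invocations that disable certificate verification, the weakness that makes the location request above spoofable. The sample script text is constructed and the function names are assumptions of this example.

```python
import os
import re
import shlex

# curl short options that take a value (glued, -ofile, or the next arg): a 'k' after one is data, not -k
_SHORT_WITH_ARG = set("AbcCdDeEFHKmoPQrtTuUwxXyYz")
_LONG_INSECURE = {"--insecure", "--proxy-insecure"}

def curl_skips_tls_verification(command: str) -> bool:
    """True if one simple shell command runs curl with peer certificate verification off."""
    try:
        argv = shlex.split(command, comments=True)
    except ValueError:  # unbalanced quotes: not a parseable command
        return False
    if not argv or os.path.basename(argv[0]) != "curl":
        return False
    skip_next = False
    for arg in argv[1:]:
        if skip_next:  # this argv entry is the value of the previous short option
            skip_next = False
            continue
        if arg in _LONG_INSECURE:
            return True
        if arg.startswith("--") or not arg.startswith("-"):
            continue
        for ch in arg[1:]:  # clustered short flags such as -sk or -kL
            if ch == "k":
                return True
            if ch in _SHORT_WITH_ARG:
                skip_next = ch == arg[-1]  # value is the next entry only if nothing is glued on
                break
    return False

def find_insecure_curl(script: str):
    """Return (line_no, command) for each curl call that disables certificate checking; pipes are split."""
    findings = []
    for no, line in enumerate(script.splitlines(), start=1):
        for cmd in re.split(r"\|\||&&|;|\|", line):
            if curl_skips_tls_verification(cmd):
                findings.append((no, cmd.strip()))
    return findings

# Constructed sample init script (not the Netgear firmware's own); the URL is the
# location service named in the advisory. Lines 2 and 3 should be flagged, line 4 not.
SAMPLE_SCRIPT = """\
#!/bin/sh
curl -sk https://devicelocation.ngxcld.com/device-location/resolve -o /tmp/loc.json
curl -s --insecure https://devicelocation.ngxcld.com/device-location/resolve | jq .
curl -s --cacert /etc/ssl/vendor-ca.pem https://devicelocation.ngxcld.com/device-location/resolve
"""
```

Run `find_insecure_curl(SAMPLE_SCRIPT)` over each shell script found under the unpacked root filesystem; a hit on a boot-time script is exactly the pattern described above.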

In practice, the vulnerability can be used to compromise the device, for example to plant a backdoor that later provides control over an enterprise's internal network. The attack requires short-term access to the Netgear router or to the network cabling or equipment on the WAN side (it could be carried out, for example, by an ISP or by an attacker who has gained access to a wiring cabinet). As a demonstration, the researchers built a prototype attack device based on a Raspberry Pi board that yields a root shell when the WAN interface of a vulnerable router is connected to the board's Ethernet port.

Source: opennet.ru
