Zero Day Flaw Found in Netgear Routers
Researchers discovered an unpatched zero-day vulnerability in firmware for Netgear routers that puts almost 80 router models at risk of full takeover. The unpatched flaw in the web server of the device firmware gives attackers root privileges.
A memory-safety issue in the firmware's httpd web server allows attackers to bypass authentication on affected Netgear routers. The flaw exists in the httpd service, which listens on TCP port 80 by default. The issue results from a lack of proper validation of the length of user-supplied data before it is copied into a fixed-length, stack-based buffer.
Authentication is not required to exploit the vulnerability, which attackers can use to gain root privileges. Netgear was informed of the vulnerability in January and asked for an extension until the end of June before public disclosure, which was declined. Adam Nichols of cybersecurity firm Grimm initially discovered the flaw in the Netgear R7000 router series but eventually identified 79 different Netgear devices and 758 firmware images that include a vulnerable copy of the web server. The vulnerability affects firmware as early as 2007.
Nichols stated that the problem lies in the lack of support for stack cookies, which are used to detect a stack buffer overflow before malicious code can execute. While some Netgear routers support this feature, such as the D8500 with firmware version 1.0.3.29 and the R6300v2 with firmware versions 1.0.4.12-1.0.4.20, most others do not.
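To make the bug class described above concrete (an unchecked copy of request data into a fixed-length stack buffer, with no stack cookie to catch the overrun), here is an added example that is not Netgear's code and not from the Grimm write-up: a constructed header-handling routine in its vulnerable and its length-checked form, plus a tiny request parser that feeds the checked version. `HDR_MAX`, the function names and the sample requests are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define HDR_MAX 64   /* fixed-length stack buffer, the pattern the article describes */

/* Vulnerable pattern (constructed illustration, not Netgear's code): len comes
 * straight from the request and is never compared with sizeof buf, so a header
 * of HDR_MAX bytes or more overruns the stack frame. Only called with short input. */
int store_header_unchecked(const char *src, size_t len) {
    char buf[HDR_MAX];
    memcpy(buf, src, len);           /* no length validation before the copy */
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Hardened form: validate the length against the destination first and reject
 * the request rather than truncating silently. Returns bytes stored, or -1. */
int store_header_checked(const char *src, size_t len) {
    char buf[HDR_MAX];
    if (len >= sizeof buf)
        return -1;                   /* oversized header: refuse it */
    memcpy(buf, src, len);
    buf[len] = '\0';
    return (int)strlen(buf);
}

/* Find a header (e.g. "Host: ") in a raw request and hand its value to the
 * checked copy. Returns the stored length, or -1 if absent or too long. */
int handle_request(const char *request, const char *name) {
    const char *p = strstr(request, name);
    if (p == NULL)
        return -1;
    p += strlen(name);
    const char *end = strstr(p, "\r\n");
    size_t len = end ? (size_t)(end - p) : strlen(p);
    return store_header_checked(p, len);
}

/* Constructed request with a 200-byte Host value; the checked path rejects it. */
int oversized_request_demo(void) {
    char req[256] = "GET / HTTP/1.1\r\nHost: ";
    memset(req + strlen(req), 'A', 200);  /* rest of the array is already zeroed */
    strcat(req, "\r\n\r\n");
    return handle_request(req, "Host: ");
}

int main(void) {
    printf("benign: %d\n", handle_request("GET / HTTP/1.1\r\nHost: router.local\r\n\r\n", "Host: "));
    printf("oversized: %d\n", oversized_request_demo());
    return 0;
}
```

Compiling with GCC or Clang's `-fstack-protector` adds the stack cookies the article says most affected firmware lacks; the cookie detects an overrun after the fact, whereas the length check prevents it.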
The zero-day vulnerability can be exploited in two ways. One way is to exploit the recv function used in the HTTP parser of the web server through a series of steps that eventually lead to a stack buffer overflow. Attackers can also use a cross-site request forgery attack to exploit the vulnerability, though they need to know the model and version of the router they are targeting. If a user with a vulnerable router browses to a malicious website, that website could exploit the user's router by serving an HTML page that sends an AJAX request containing the exploit to the target device.
One mitigation for the vulnerability is to restrict interaction with the service to trusted machines. Only the clients and servers that have a legitimate procedural relationship with the service should be permitted to communicate with it. Netgear has also issued several fixes.