Netgear httpd upgrade_check.cgi stack buffer overflow

DESCRIPTION

Almost all of the Netgear devices now contains web interface for easy management. It becomes easy for the home administrator to configure and manage the device efficiently. Moreover, WiFi routers from this company is widely used Bangladesh.

To do this httpd service has been used and it fails to validate the he header size provided to the upgrade_check.cgi handler. Despite copying the header to a fixed-size buffer on the stack, the vulnerable code copies an attacker-provided count of bytes from attacker-provided data. This allows for remote code execution by way of stack buffer overflow. This vulnerability is exacerbated by a number of issues:

1. The httpd process runs with root privileges.

2. Stack cookies, which can help prevent exploitation of stack buffer overflows, are not universally used in Netgear devices

3. Authentication is not required to reach the vulnerable code.

4. The vulnerability occurs before Cross-Site Request Forgery (CSRF) token checking occurs.

5. Target device fingerprinting can occur by visiting the /currentsetting.htm page on an affected device.

IMPACT

By convincing a user to visit a malicious or compromised website, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable device with root privileges.

SYSTEM AFFECTED AC1450, D6220, D6300, D6400, D7000v2, D8500, DC112A, DGN2200v1, DGN2200M, DGN2200v etc. (Please go to Netgear’s website for full list)

RECOMMENDATIONS

The following actions are recommended:

Netgear has provided updates for several vulnerable devices. Note that Netgear does not indicate when devices have reached an end of life (EOL) state. This may be difficult to determine if a vulnerable device may receive an update in the future.

Factors like the vendor’s support life span should be taken into considering when purchasing. Vendors that indicate how long products will be supported should be preferred over those that do not clearly indicate how long a device will be supported. Similarly, vendors that clearly indicate when a product has reached EOL state should be preferred over vendors that do not.

REFERENCES

• https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders
• https://www.zerodayinitiative.com/advisories/ZDI-20-712/
• https://blog.grimm-co.com/2020/06/soho-device-exploitation.html
• https://github.com/grimm-co/NotQuite0DayFriday/tree/master/2020.06.15-netgear
• https://docs.google.com/spreadsheets/d/1Tzq97rRisoZwKNQ1pUYE6phwl4LL7KnZxc828n-hXW0/