Full Report
Pwn2Own is a competition focused on finding vulnerabilities in high-value targets. For this rendition of Pwn2Own for IoT devices, they chose the Netgear RAX30 router. Pwn2Own has many tough constraints:

- Bugs must be in the most recent version of the firmware. Although this seems obvious, it means a patch released the day before may change the exploit pattern.
- You can only enter once per device, and duplicates don't get payouts. This means an awesome bug may already have been found by somebody else.

While looking at the binaries, puhttpsniff caught their eye. Running the strings command shows some HTTP parsing, which is always interesting. The binary inserts NFLOG iptables rules to run callbacks. While reviewing the command, there is a super trivial command injection vulnerability when constructing the iptables rule with the User-Agent header. The exploit payload is `curl --user-agent "a\";/sbin/reboot;\"" http://192.168.1.1`. This was on the LAN side.

With access to the device via the previous bug, they started hunting for more. By listing socket information, they learned that SSH and telnet are open for IPv4 and IPv6 on the LAN. When running nmap against the device from the WAN over IPv4 (the default), nothing comes up though. However, from the earlier finding, the device is listening on IPv6 as well. This is because the iptables rules for IPv6 are only applied to the LAN interface, and to the WAN interface only if a public IPv6 address is provided. If a link-local address is used on the WAN interface (same network segment), all of the services are accessible. Pretty neat bug!

With a bypass for accessing restricted services, what else can we do? /etc/shadow has a hardcoded password that was easily cracked via John the Ripper. Now the telnet port can be used to connect. Additionally, the telnet prompt had hardcoded commands but had a special backdoor sh command to escape this. The full steps for the second chain are as follows:

1. Ping the address of the WAN interface. This can be used to find the link-local address of the device. I don't fully understand IPv6 networking so I'm pretty much copying and pasting here.
2. Launch telnet with the cracked credentials.
3. Use the sh command to escape the shell. Since the user with the cracked password has uid 0, we are now root.

This was a very novel vulnerability in the routing tables; I will definitely keep this in mind for future assessments. Sadly, both the networking bug and the command injection were fixed a few days before the event. So so so sad. Regardless, amazing findings!
Analysis Summary
# Vulnerability: Command Injection in Netgear RAX30 via User-Agent Header (LAN Side) and IPv6 Firewall Bypass Leading to Root Access
## CVE Details
- CVE ID: Not explicitly provided in the text.
- CVSS Score: Not explicitly provided in the text.
- CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'))
## Affected Systems
- Products: Netgear Router RAX30
- Versions: Firmware version `1.0.7.78` (and potentially earlier versions prior to the patch).
- Configurations: Accessible from the Local Area Network (LAN) side.
## Vulnerability Description
Two primary vulnerabilities were chained together for a full remote root compromise:
1. **Command Injection (LAN):** The binary `puhttpsniff` processes the HTTP `User-Agent` header when serving content on port 80 via the `br0` interface. An insecure use of `sprintf` constructs a system command using user-supplied input (`user_agent_string`) which allows for shell command injection.
*Example Payload:* `curl --user-agent "a\";/sbin/reboot;\"" http://192.168.1.1`
2. **IPv6 Firewall Bypass:** After obtaining a shell via the command injection bug, the researchers discovered that SSH and Telnet services were open on both IPv4 and IPv6 interfaces on the LAN. While an `nmap` scan from the WAN over IPv4 showed nothing open, the services were reachable from the WAN side over IPv6 using link-local addresses. This is because the `ip6tables` rules restricting external access were only applied to the LAN interface (`br0`), and to the WAN interface only when it had a public IPv6 address, not when a link-local address was used.
3. **Privilege Escalation (Local):** A hardcoded password was found in `/etc/shadow`, which was easily cracked. The resulting user (UID 0, root) could log in via Telnet (escaped from hardcoded commands via `sh`) to gain root access.
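The command-injection item above, and the User-Agent detection method listed under Detection, illustrated with an added example that is not Synacktiv's or Netgear's code. The real `puhttpsniff` bug is a C `sprintf()` into a shell command; this Python mirrors that pattern, shows how the write-up's User-Agent value turns one command line into three, and puts the hardened argv-based construction and a log-scan detector next to it. The iptables rule template, the `MAX_UA_LEN` limit and the sample request records are all assumptions made for the demo (the real format string is not on the page).

```python
"""Added example (not Synacktiv's or Netgear's code). Mirrors the sprintf-into-
shell pattern behind the RAX30 User-Agent injection, shows how the write-up's
payload splits into extra shell commands, and contrasts it with a hardened
argv-based construction plus a detector for request logs."""
import shlex

# Hypothetical shape of the rule puhttpsniff inserts; the real format string is
# not on the page, only the fact that the User-Agent lands inside it.
RULE_TEMPLATE = ('iptables -I FORWARD -m string --string "%s" --algo bm '
                 '-j NFLOG --nflog-group 1')
MAX_UA_LEN = 256  # assumed sane upper bound for a header we are willing to pass on

# The User-Agent value from the write-up's curl command.
PAGE_PAYLOAD = 'a";/sbin/reboot;"'


def build_rule_unsafe(user_agent: str) -> str:
    """Vulnerable pattern: attacker-controlled header pasted into a shell string."""
    return RULE_TEMPLATE % user_agent


def shell_commands(cmdline: str) -> list[list[str]]:
    """Split a command line into the separate commands /bin/sh would run,
    honouring quotes and treating ';' as a separator. Raises ValueError on an
    unterminated quote, just as a shell would reject the line."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
                current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_rule_safe(user_agent: str) -> list[str]:
    """Hardened construction: the header travels as one argv element and never
    meets a shell. Run it with subprocess.run(argv) (no shell=True), or execv()
    in C; only the vector is built here because inserting rules needs root."""
    if len(user_agent) > MAX_UA_LEN:
        raise ValueError("User-Agent too long")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_agent):
        raise ValueError("control characters in User-Agent")
    return ["iptables", "-I", "FORWARD", "-m", "string", "--string", user_agent,
            "--algo", "bm", "-j", "NFLOG", "--nflog-group", "1"]


def is_injection_attempt(user_agent: str) -> bool:
    """Detection helper: a header is suspicious if pasting it into the template
    changes the number of shell commands or breaks the shell's quoting."""
    try:
        return len(shell_commands(build_rule_unsafe(user_agent))) != 1
    except ValueError:
        return True


# Constructed (client address, User-Agent) records as the HTTP server would
# hand them to the hook; a browser, the write-up's payload, and plain curl.
SAMPLE_REQUESTS = [
    ("192.168.1.10", "Mozilla/5.0 (X11; Linux x86_64)"),
    ("192.168.1.23", PAGE_PAYLOAD),
    ("192.168.1.23", "curl/7.85.0"),
]


def scan_requests(records) -> list[str]:
    """Client addresses whose User-Agent would have broken out of the template."""
    return [client for client, ua in records if is_injection_attempt(ua)]


if __name__ == "__main__":
    for cmd in shell_commands(build_rule_unsafe(PAGE_PAYLOAD)):
        print(cmd)
    print(build_rule_safe(PAGE_PAYLOAD))
    print(scan_requests(SAMPLE_REQUESTS))
```

The detector deliberately reuses the shell tokenizer rather than a blocklist of characters: a browser User-Agent such as `Mozilla/5.0 (X11; Linux x86_64)` contains a semicolon and parentheses yet stays a single command because it sits inside the quotes, while the write-up's value does not. The hardened builder accepts quotes and semicolons for the same reason; once the header is its own argv element those characters are inert, and only control characters and oversized values are refused.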
## Exploitation
- Status: Proof-of-Concept (PoC) available (implied by the clear exploit steps and payload provided).
- Complexity: Low (Trivial command injection, easily cracked password, simple network bypass).
- Attack Vector: Adjacent (LAN side for initial injection; effectively WAN/Internet due to IPv6 link-local exposure if on the same subnet segment).
## Impact
- Confidentiality: High (Full root access allows reading sensitive files like `/etc/shadow` and potentially all network traffic).
- Integrity: High (Complete control over the device allows firmware modification and reconfiguration).
- Availability: High (The initial injection can cause a Denial of Service via reboot; root access allows for permanent device disruption).
## Remediation
### Patches
- The vendor released updates fixing these flaws prior to the Pwn2Own event. The article advises updating the router to **version `1.0.9.90`** or later.
### Workarounds
- None explicitly listed, as the vulnerabilities were patched just before the contest. Generally, for the second bug, restricting or strictly configuring IPv6 firewall rules on the WAN interface to apply universally (even for link-local addresses) would be the conceptual fix.
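The conceptual fix above, and the IPv6 WAN audit recommended under Detection, as an added example that is not code from the write-up or from Netgear. It is a small first-match simulation over `ip6tables-save` text that answers the question "what happens to an SSH or Telnet packet arriving on the WAN interface from a link-local neighbour?". The interface names (`eth0` for WAN, `br0` for LAN), the `2001:db8:1::/64` prefix, the `fe80::` probe addresses and both rule sets are constructed for the demo, and only the `-i`, `-p`, `-s`, `-d`, `--dport` and `-j` selectors are understood.

```python
"""Added example, not code from the write-up or from Netgear: a first-match
simulation over ip6tables-save text, used to show the link-local WAN exposure
and a corrected rule set side by side. Interfaces, prefixes and rules are
constructed for the demo."""
import ipaddress
import shlex

# Constructed rule set with the write-up's flaw: the WAN-side DROP rules only
# cover traffic addressed to the public prefix, and the chain policy is ACCEPT,
# so a packet sent to the WAN link-local address falls through untouched.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT -i eth0 -d 2001:db8:1::/64 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -d 2001:db8:1::/64 -p tcp -m tcp --dport 23 -j DROP
COMMIT
"""

# Corrected rule set: default-deny on INPUT, management ports accepted only
# from the LAN bridge, whatever address the WAN interface carries.
# (A production set also needs ICMPv6 accepts for neighbour discovery.)
FIXED_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 23 -j ACCEPT
COMMIT
"""

OPTIONS = {"-i": "in", "-p": "proto", "-s": "src", "-d": "dst",
           "--dport": "dport", "-j": "target"}


def parse_input_chain(text: str):
    """Return (policy, rules) for the INPUT chain of ip6tables-save output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(":INPUT"):
            policy = line.split()[1]
        elif line.startswith("-A INPUT"):
            toks = shlex.split(line)[2:]
            rule, i = {}, 0
            while i < len(toks):
                if toks[i] == "-m":  # match-extension name, no effect on matching here
                    i += 2
                    continue
                if toks[i] not in OPTIONS:
                    raise ValueError(f"unsupported option {toks[i]!r}")
                rule[OPTIONS[toks[i]]] = toks[i + 1]
                i += 2
            rules.append(rule)
    return policy, rules


def rule_matches(rule: dict, pkt: dict) -> bool:
    """True if every selector present in the rule matches the packet."""
    if "in" in rule and rule["in"] != pkt["in"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
        return False
    for key in ("src", "dst"):
        if key in rule:
            net = ipaddress.ip_network(rule[key], strict=False)
            if ipaddress.ip_address(pkt[key]) not in net:
                return False
    return True


def verdict(text: str, pkt: dict) -> str:
    """Target of the first matching rule, else the chain policy."""
    policy, rules = parse_input_chain(text)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy


# A probe from a link-local neighbour on the WAN segment to the router's own
# link-local address (both addresses constructed).
LINK_LOCAL_PROBE = {"in": "eth0", "proto": "tcp", "dport": 23,
                    "src": "fe80::1", "dst": "fe80::2"}


def exposed_services(text: str, iface: str = "eth0", ports=(22, 23)) -> list[int]:
    """Ports on `iface` that the link-local probe would reach (verdict ACCEPT)."""
    return [p for p in ports
            if verdict(text, {**LINK_LOCAL_PROBE, "in": iface, "dport": p}) == "ACCEPT"]


if __name__ == "__main__":
    print("weak  :", exposed_services(WEAK_RULES))
    print("fixed :", exposed_services(FIXED_RULES))
```

Feeding the real `ip6tables-save` output of a device into `exposed_services` gives a quick answer to the audit question without needing a second host on the WAN segment. The corrected set relies on a default-deny policy rather than on address-specific DROP rules, which is what makes it indifferent to whether the WAN interface holds a public prefix or only its link-local address.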
## Detection
- **Indicators of Compromise (IOCs):**
* Outbound network connections initiated by processes associated with HTTP parsing (`puhttpsniff` or related services).
* Execution of system commands (like `/sbin/reboot`) originating from network request handlers processing HTTP headers.
* Unusual activity on Telnet (port 23) or SSH (port 22) originating from the WAN side, particularly using link-local addressing formats (`fe80::...`).
* Evidence of the hardcoded password being cracked or used successfully in authentication logs.
- **Detection Methods and Tools:**
* Monitoring `iptables` modifications (look for new `NFLOG` rules being inserted).
* Deep packet inspection (DPI) on HTTP traffic targeting port 80 for unexpected characters or command delimiters in the `User-Agent` header.
* Regular vulnerability scanning specifically testing IPv6 services exposed on the WAN interface, even if IPv4 scans show closed ports.
## References
- Vendor advisories: Check Netgear security advisories related to RAX30 firmware updates around late 2022. (Specific advisory link not provided).
- Relevant links - defanged: `hXXps://www.synacktiv.com/en/publications/cool-vulns-dont-live-long-netgear-and-pwn2own`