Vulnerabilities in NETGEAR WNR2000 routers allow an attacker to retrieve the administrator password and take full control of the affected networking device, a security researcher has discovered.
The vulnerabilities are exploitable over a local area network (LAN) by default, but security researcher Pedro Ribeiro explains that, if remote administration is enabled, they could be exploited remotely over the Internet as well. According to Ribeiro, around 10,000 vulnerable devices have already been identified, but these are only the ones with remote admin enabled, meaning that tens of thousands of other routers could also be affected.
The security flaws were found in WNR2000v5, which doesn’t have remote administration enabled by default on the latest firmware, meaning that remote attacks would only be possible if a user had manually enabled remote admin access. Versions 3 and 4 of the router are believed to be vulnerable as well, although the researcher hasn’t tested them.
The issue is that the NETGEAR WNR2000 allows an admin to perform various functions through an apparent CGI script named apply.cgi, which is actually a function invoked inside the HTTP server (uhttpd) when that string is received in the URL. By reverse engineering uhttpd, the researcher discovered that it allows an unauthenticated user to perform the same sensitive admin functions by invoking apply_noauth.cgi instead.
Thus, an unauthenticated attacker can exploit some of the available functions immediately, such as rebooting the router. For access to other functions, such as changing Internet or WLAN settings or retrieving the administrative password, the attacker has to send a “timestamp” variable attached to the URL.
“This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token. The timestamp generating function was reverse engineered and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge,” Ribeiro explains.
By exploiting this and an information leakage vulnerability in the router, the attacker can recover the administrator password and then use it to enable telnet functionality in the router and obtain a root shell, provided that the attacker is in the LAN.
Additionally, the security researcher found a stack buffer overflow which could allow an unauthenticated attacker to take full control over the device and execute code remotely. For that, however, the attacker would have to also leverage the apply_noauth.cgi vulnerability and the timestamp identifying attack. The code could be executed both in the LAN and in the WAN.
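For a defender, the two observable traits of the attack described above are any request at all to apply_noauth.cgi and a burst of different “timestamp” values from one source, since the token is guessed in under 1000 tries. The following log triage script is an added example, not code from the advisory or from NETGEAR; it assumes a Common Log Format access log and a `timestamp=` query parameter, both of which are assumptions since the article does not show the router's log or URL layout, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format. The real uhttpd log
# format and the exact query-string layout are assumptions, not from the article.
SAMPLE_LOG = """\
192.168.1.23 - - [20/Dec/2016:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512
192.168.1.23 - - [20/Dec/2016:10:01:05 +0000] "POST /apply.cgi?timestamp=87654321 HTTP/1.1" 200 128
192.168.1.77 - - [20/Dec/2016:10:02:10 +0000] "POST /apply_noauth.cgi?timestamp=10000001 HTTP/1.1" 200 64
192.168.1.77 - - [20/Dec/2016:10:02:10 +0000] "POST /apply_noauth.cgi?timestamp=10000002 HTTP/1.1" 200 64
192.168.1.77 - - [20/Dec/2016:10:02:11 +0000] "POST /apply_noauth.cgi?timestamp=10000003 HTTP/1.1" 200 64
192.168.1.77 - - [20/Dec/2016:10:02:11 +0000] "POST /apply_noauth.cgi?timestamp=10000004 HTTP/1.1" 200 64
10.0.0.5 - - [20/Dec/2016:10:03:00 +0000] "POST /apply_noauth.cgi HTTP/1.1" 200 64
"""

# Client address, method and request URL from a Common Log Format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')
# The anti-CSRF token the article calls "timestamp" (query key is an assumption).
TS_RE = re.compile(r'[?&]timestamp=(\d+)')


def analyze(log_text, guess_threshold=3):
    """Return (noauth_hits, guessing_sources).

    noauth_hits: every (ip, url) that touched apply_noauth.cgi; each such
    request bypasses authentication and deserves review on its own.
    guessing_sources: ip -> count for sources that sent more than
    guess_threshold distinct timestamp values, the signature of token guessing.
    """
    noauth_hits = []
    ts_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url = m.group("ip"), m.group("url")
        if "apply_noauth.cgi" not in url:
            continue  # apply.cgi traffic is the authenticated, expected path
        noauth_hits.append((ip, url))
        ts = TS_RE.search(url)
        if ts:
            ts_by_ip[ip].add(ts.group(1))
    guessing = {ip: len(v) for ip, v in ts_by_ip.items() if len(v) > guess_threshold}
    return noauth_hits, guessing


if __name__ == "__main__":
    hits, guessing = analyze(SAMPLE_LOG)
    for ip, url in hits:
        print(f"unauthenticated admin call from {ip}: {url}")
    for ip, n in guessing.items():
        print(f"{ip} sent {n} distinct timestamp values: likely token guessing")
```

On a real device, the same check is better enforced upstream: block apply_noauth.cgi at the perimeter and keep remote administration disabled until firmware that removes the unauthenticated path is available.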
According to Ribeiro, because NETGEAR didn’t respond to his emails, he decided to publish not only an advisory on the discovered issues, but also the exploit code that leverages said vulnerabilities, thus turning them into 0-days. No CVE has been assigned to the issues either.
SecurityWeek emailed NETGEAR for a comment on this and for information on when the company plans to release patches for these issues, but hasn’t heard back as of now. We will update the article as soon as we receive a reply.
Earlier this month, NETGEAR R7000, R6400, and R8000 routers, and possibly other models, were revealed to be affected by a critical security vulnerability that could be remotely exploited to hijack the devices. By getting a user to visit a specially crafted web page, an attacker could execute arbitrary commands with root privileges on affected routers. The company detailed patching plans immediately after the flaw made it to the headlines.