Trustwave SpiderLabs Security Advisory TWSL2018-002:
Vulnerabilities in NETGEAR R8500 router firmware

Published: 02/07/2018
Version: 1.0

Vendor: NETGEAR (www.netgear.com)
Product: NETGEAR R8500 router (firmware)
Version affected: 1.0.2.86_1.0.75, possibly earlier too

Product description:

The NETGEAR R8500 router is a complex piece of hardware and software which provides functions such as remote management via a web interface, USB storage support and many others.

Finding 1: Accessing the router's built-in webserver documents via the genie_restoring.cgi resource by unauthenticated users

The Nighthawk X8, like many other models, ships with a built-in webserver used among other things for web management of the device. It is enabled by default for all LAN users (i.e. clients connected through WiFi on the non-guest network or connected via a wire). If Remote Management is enabled (a non-default setting), web management is available to anyone on the Internet as well.

The built-in webserver exposes one specific resource (genie_restoring.cgi) which is available without prior authentication. genie_restoring.cgi reads any given file under the webserver document root, processes it as a template and returns it to the caller. Many files under the document root are templates that contain references to sensitive information from NVRAM, for example the router's administrator username and password. This makes it trivial to completely compromise the router using the sequence of steps outlined below.

Suppose we are connected to the router via WiFi or a wired connection and the router's IP address is 192.168.1.1. Run the following command to get the current CSRF token's value, which is exposed in many places to unauthenticated users:

curl http://192.168.1.1/MNU_top.htm | grep "id="

The output will look similar to:
Using the token from above, build and run the final request:

curl -d "id=304966648&next_file=MNU_accessPassword_recovered.htm" http://192.168.1.1/genie_restoring.cgi?id=304966648

Observe the actual admin username and password for web management displayed in the results. This works whether password recovery is enabled or not. There are many more templated pages under the webserver document root which can be retrieved using the same technique.

Finding 2: Arbitrary file reading from the router's filesystem via directory traversal in genie_restoring.cgi

It turns out that in addition to reading webserver document root contents, the genie_restoring.cgi resource allows reading arbitrary files from the router's filesystem provided that the path is known beforehand. One example of this bug is reading a file from a USB stick attached to the router that is *password protected* in the router's ReadySHARE settings:

curl -d "id=304966648&next_file=cgi-bin/../../tmp/mnt/usb0/part1/README.txt" http://192.168.1.1/genie_restoring.cgi?id=304966648

For this attack to work, the next_file parameter must start with cgi-bin or some other valid entry under the webserver document root; after that, ../ can be used as desired. As Finding 1 says, all files are preprocessed as templates before being returned, so template placeholders (<%NUMBER%>) will be replaced with actual values if found.

Finding 3: CSRF token is shared and available without authentication

Usually, CSRF tokens used to prevent CSRF are only available to authenticated users and are unique to the session. Nighthawk X8 web management, however, uses a global CSRF ID which is reused for all clients and is also available to unauthenticated users via requests to various resources, for example:

curl http://192.168.1.1/MNU_top.htm | grep "id="

This makes the token essentially useless for CSRF attack prevention.
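Findings 1 and 2 come down to two missing server-side checks: no authentication before the template is served, and a prefix check on next_file that is satisfied by "cgi-bin/../..". The following added example (not code from the advisory or from NETGEAR's firmware) contrasts an illustrative reconstruction of that weak check with a hardened resolver that canonicalises the path and verifies it stays under the document root; the DOCROOT value is an assumed placeholder.

```python
import posixpath

# Assumed document root; the real path on the device is not given in the advisory.
DOCROOT = "/www"


def weak_resolve(next_file: str) -> str:
    """Illustrative reconstruction of the behaviour the advisory describes:
    accept any next_file that begins with a known docroot entry and append it
    verbatim, so ".." segments are never normalised away."""
    if not next_file.startswith("cgi-bin"):
        raise PermissionError("next_file must start with a valid docroot entry")
    return posixpath.join(DOCROOT, next_file)


def is_within_docroot(next_file: str) -> bool:
    """True only if the normalised path is DOCROOT itself or lies beneath it."""
    if not next_file or next_file.startswith("/") or "\x00" in next_file:
        return False
    candidate = posixpath.normpath(posixpath.join(DOCROOT, next_file))
    # commonpath rejects both "/www/../etc" and the prefix trick "/wwwx/..."
    return posixpath.commonpath([DOCROOT, candidate]) == DOCROOT


def hardened_resolve(next_file: str, authenticated: bool) -> str:
    """Require a logged-in session (Finding 1) and containment (Finding 2)."""
    if not authenticated:
        raise PermissionError("genie_restoring.cgi must not serve unauthenticated callers")
    if not is_within_docroot(next_file):
        raise PermissionError("path escapes the document root")
    return posixpath.normpath(posixpath.join(DOCROOT, next_file))


if __name__ == "__main__":
    traversal = "cgi-bin/../../tmp/mnt/usb0/part1/README.txt"
    print("weak check accepts:", weak_resolve(traversal))
    print("hardened check accepts it:", is_within_docroot(traversal))
```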
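For operators who cannot patch immediately, the request pattern in Findings 1 and 2 is easy to spot in the webserver's access log. This added example (not from the advisory) parses constructed Common Log Format lines and flags any hit on genie_restoring.cgi, any such hit from outside an assumed 192.168.1.0/24 LAN (indicating Remote Management exposure), and any URL-decoded request path containing a ".." segment.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed LAN range, matching the 192.168.1.1 router address used in the advisory.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Common Log Format: client ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
192.168.1.23 - - [07/Feb/2018:10:00:01 +0000] "GET /MNU_top.htm HTTP/1.1" 200 5120
192.168.1.23 - - [07/Feb/2018:10:00:05 +0000] "POST /genie_restoring.cgi?id=304966648 HTTP/1.1" 200 2048
203.0.113.7 - - [07/Feb/2018:10:01:10 +0000] "POST /genie_restoring.cgi?id=304966648 HTTP/1.1" 200 900
192.168.1.50 - - [07/Feb/2018:10:02:00 +0000] "GET /cgi-bin/..%2F..%2Ftmp/mnt/usb0/part1/README.txt HTTP/1.1" 404 0
192.168.1.50 - - [07/Feb/2018:10:02:30 +0000] "GET /index.htm HTTP/1.1" 401 0
"""


def analyse_line(line):
    """Return (source_ip, [reasons]) for a parsable line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    src = ipaddress.ip_address(m["src"])
    path = unquote(urlsplit(m["target"]).path)  # decode %2F etc. before splitting
    if path.endswith("/genie_restoring.cgi"):
        # On affected firmware this CGI needs no login, so every hit is worth recording.
        reasons.append("genie_restoring.cgi request (unauthenticated on affected firmware)")
        if src not in LAN:
            reasons.append("request from outside the LAN: Remote Management is exposed")
    if ".." in path.split("/"):
        reasons.append("directory traversal sequence in request path")
    return m["src"], reasons


def scan(log_text):
    """Map each offending source address to the set of reasons seen for it."""
    alerts = {}
    for line in log_text.splitlines():
        hit = analyse_line(line)
        if hit and hit[1]:
            alerts.setdefault(hit[0], set()).update(hit[1])
    return alerts


if __name__ == "__main__":
    for src, reasons in scan(SAMPLE_LOG).items():
        print(src, sorted(reasons))
```

A standard access log does not record POST bodies, so a next_file value sent in the body (as in the advisory's requests) is invisible here; flagging every genie_restoring.cgi hit compensates for that on unpatched devices.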
Remediation Steps:

Please visit the NETGEAR link in the references section to see if your model router is affected and how to download patched firmware.

Revision History:

03/16/17 - Vulnerability disclosed
08/18/17 - Patch released by vendor
02/07/18 - Advisory published

References

1. https://kb.netgear.com/000045848/Security-Advisory-for-Password-Recovery-and-File-Access-on-Some-Routers-and-Modem-Routers-PSV-2017-0677

About Trustwave

Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:

SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.