SecurityWeek

Network Security

Remotely Exploitable 0-Day Impacts NETGEAR WNR2000 Routers

[Update] Vulnerabilities in NETGEAR WNR2000 routers allow an attacker to retrieve the administrator password and take full control of the affected networking device, a security researcher has discovered.


The vulnerabilities are exploitable over a local area network (LAN) by default, but security researcher Pedro Ribeiro explains that, if remote administration is enabled, they could be exploited remotely over the Internet as well. According to Ribeiro, around 10,000 vulnerable devices have already been identified, but these are only the ones with remote admin enabled, meaning that tens of thousands of other routers could also be affected.

The security flaws were found in WNR2000v5, which doesn’t have remote administration enabled by default on the latest firmware, meaning that remote attacks would only be possible if a user had manually enabled remote admin access. Versions 3 and 4 of the router are believed to be vulnerable as well, although the researcher hasn’t tested them.

The issue is that NETGEAR WNR2000 allows an admin to perform various functions through an apparent CGI script named apply.cgi, which is actually a function invoked in the HTTP server (uhttpd) when the respective string is received in the URL. By reverse engineering uhttpd, the researcher discovered that it allows an unauthenticated user to perform the same sensitive admin functions by invoking apply_noauth.cgi.

Thus, an unauthenticated attacker can exploit some of the available functions immediately, such as rebooting the router. For access to other functions, such as changing Internet or WLAN settings or retrieving the administrative password, the attacker has to send a “timestamp” variable attached to the URL.

“This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token. The timestamp generating function was reverse engineered and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge,” Ribeiro explains.
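The design lesson in Ribeiro's description is that an anti-CSRF token is only as strong as the randomness behind it. The following added example (not code from the router, the researcher or SecurityWeek) contrasts a constructed weak pattern, a PRNG seeded from a coarse clock value, with a token drawn from the operating system's CSPRNG, validated in constant time and accepted only once. The `weak_token` function is an illustration of the bug class, not a claim about how the WNR2000 firmware actually computes its value.

```python
import hmac
import random
import secrets
import time

TOKEN_BYTES = 16       # 128 bits of entropy for the strong token
DEFAULT_TTL = 300      # seconds a token stays valid (assumed policy)


def weak_token(coarse_time: int) -> str:
    """Constructed illustration of the weak pattern: a non-cryptographic PRNG
    seeded from a coarse timestamp. The output is a pure function of the seed,
    so anyone who knows roughly when the page was served can regenerate it.
    This is NOT the router's actual algorithm."""
    rng = random.Random(coarse_time)
    return f"{rng.getrandbits(32):08x}"


def strong_token() -> str:
    """Token from the OS CSPRNG; no relation to time or any guessable state."""
    return secrets.token_hex(TOKEN_BYTES)


class TokenStore:
    """Server-side record of issued tokens: expiry-bound and single-use."""

    def __init__(self, ttl: int = DEFAULT_TTL, clock=time.time) -> None:
        self._ttl = ttl
        self._clock = clock          # injectable for testing
        self._tokens: dict[str, float] = {}   # token -> expiry timestamp

    def issue(self) -> str:
        tok = strong_token()
        self._tokens[tok] = self._clock() + self._ttl
        return tok

    def validate(self, presented: str) -> bool:
        """Accept a token once, before expiry. Comparison uses
        hmac.compare_digest so timing does not leak matching prefixes."""
        now = self._clock()
        # drop expired entries first
        for tok in [t for t, exp in self._tokens.items() if exp < now]:
            del self._tokens[tok]
        match = None
        for tok in self._tokens:
            if hmac.compare_digest(tok, presented):
                match = tok
        if match is None:
            return False
        del self._tokens[match]      # single use: a replay is rejected
        return True


def weak_token_is_reproducible(coarse_time: int) -> bool:
    """True when two independent 'random' draws from the same seed agree,
    which is exactly why a seed derived from the clock offers no protection."""
    return weak_token(coarse_time) == weak_token(coarse_time)


if __name__ == "__main__":
    print("weak token reproducible:", weak_token_is_reproducible(1_700_000_000))
    store = TokenStore()
    t = store.issue()
    print("first use accepted:", store.validate(t))
    print("replay accepted:", store.validate(t))
```

The injectable clock lets the expiry path be exercised deterministically; in a real web handler the token would also be bound to the session that requested it.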

By exploiting this and an information leakage vulnerability in the router, the attacker can recover the administrator password and then use it to enable telnet functionality in the router and obtain a root shell, provided that the attacker is in the LAN.

Additionally, the security researcher found a stack buffer overflow which could allow an unauthenticated attacker to take full control over the device and execute code remotely. For that, however, the attacker would have to also leverage the apply_noauth.cgi vulnerability and the timestamp identifying attack. The code could be executed both in the LAN and in the WAN.
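Until a firmware fix is installed, the one signal a defender can watch for is traffic to the unauthenticated endpoint named above, especially from outside the LAN. The following added example (not code from the router vendor or the researcher) runs that check over a few constructed Common Log Format lines of the kind a reverse proxy or syslog export in front of the router might produce; the LAN range, the log format and the sample entries are assumptions for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed home LAN range; adjust to the network the router actually serves.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Endpoints that perform admin actions (names taken from the advisory write-up).
ADMIN_ENDPOINTS = {"apply.cgi", "apply_noauth.cgi"}
UNAUTH_ENDPOINT = "apply_noauth.cgi"

# Constructed sample log lines in Common Log Format; not real router output.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Dec/2016:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 1234
203.0.113.7 - - [10/Dec/2016:10:00:05 +0000] "POST /apply_noauth.cgi HTTP/1.1" 200 0
192.168.1.50 - - [10/Dec/2016:10:00:09 +0000] "POST /apply.cgi HTTP/1.1" 200 0
198.51.100.9 - - [10/Dec/2016:10:00:12 +0000] "GET /apply.cgi HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    reason: str


def endpoint_of(path: str) -> str:
    """Strip the query string and leading slash: '/apply.cgi?x=1' -> 'apply.cgi'."""
    return path.split("?", 1)[0].lstrip("/")


def scan(log_text: str, lan: ipaddress.IPv4Network = LAN) -> list[Finding]:
    """Flag (a) any call to the unauthenticated admin endpoint and
    (b) any admin endpoint reached from an address outside the LAN."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not CLF
        ip = ipaddress.ip_address(m["ip"])
        endpoint = endpoint_of(m["path"])
        if endpoint == UNAUTH_ENDPOINT:
            findings.append(Finding(str(ip), m["ts"], m["path"],
                                    "unauthenticated admin endpoint invoked"))
        if endpoint in ADMIN_ENDPOINTS and ip not in lan:
            findings.append(Finding(str(ip), m["ts"], m["path"],
                                    "admin endpoint reached from outside the LAN"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip} {f.timestamp} {f.path}: {f.reason}")
```

A hit on the second rule while Remote Management is supposedly disabled is itself worth investigating, since it means the admin interface is reachable from the WAN regardless of the setting.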


According to Ribeiro, because NETGEAR didn’t respond to his emails, he decided to publish not only an advisory on the discovered issues, but also the exploit code that leverages said vulnerabilities, thus turning them into 0-days. No CVE has been assigned to the issues either.

Contacted by SecurityWeek, NETGEAR confirmed the password recovery and command execution issues in its WNR2000 routers and said a firmware update to patch the vulnerability will be released as quickly as possible.

“NETGEAR is aware of the reported security vulnerability related to WNR2000 router as stated by Pedro Ribeiro, including password recovery and command execution. This vulnerability occurs when an attacker can access the internal network or when Remote Management is enabled on the router,” the company said in an email.

“NETGEAR plans to release firmware updates that fix the remote access and command execution vulnerability for all affected products as quickly as possible,” the company said.

In the meantime, affected users can apply a workaround, which involves turning off Remote Management. To do so, they should access http://www.routerlogin.net from a computer that is part of the home network, log in with their admin credentials, then open Advanced > Remote Management, clear the check box for Turn Remote Management On, and click Apply to save the changes.

Earlier this month, NETGEAR R7000, R6400, and R8000 routers, and possibly other models, were revealed to be affected by a critical security vulnerability that could be remotely exploited to hijack the devices. By getting a user to visit a specially crafted web page, an attacker could execute arbitrary commands with root privileges on affected routers. The company detailed patching plans immediately after the flaw made it to the headlines.

Related: Netgear Routers Plagued by Serious Vulnerabilities

*Updated with response from NETGEAR

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
