[Update] Vulnerabilities in NETGEAR WNR2000 routers allow an attacker to retrieve the administrator password and take full control of the affected networking device, a security researcher has discovered.
The vulnerabilities are exploitable over a local area network (LAN) by default, but security researcher Pedro Ribeiro explains that, if remote administration is enabled, they could be exploited remotely over the Internry as well. According to Ribeiro, around 10,000 vulnerable devices have been already identified, but these are only those with the remote admin enabled, meaning that tens of thousands of other routers could also be affected.
The security flaws were found in WNR2000v5, which doesn’t have remote administration enabled by default on the latest firmware, meaning that remote attacks would only be possible if a user had manually enabled remote admin access. Versions 3 and 4 of the router are believed to be vulnerable as well, although the researcher hasn’t tested them.
The issue is that NETGEAR WNR2000 allows an admin to perform various functions through an apparent CGI script named apply.cgi, which is actually a function invoked in the HTTP server (uhttpd) when the respective string is received in the URL. By reversing the uhttpd, the researcher discovered that it allows an unauthenticated user to perform the same sensitive admin functions by invoking apply_noauth.cgi.
Thus, an unauthenticated attacker can exploit some of the available functions immediately, such as rebooting the router. For access to other functions, such as changing Internet, WLAN settings or retrieving the administrative password, the attacker has to send a “timestamp” variable attached to the URL.
“This timestamp is generated every time the target page is accessed and functions as a sort of anti-CSRF token. The timestamp generating function was reverse engineered and due to incorrect use of random number generation (details below) it is possible to identify the token in less than 1000 attempts with no other previous knowledge,” Ribeiro explains.
By exploiting this and an information leakage vulnerability in the router, the attacker can recover the administrator password and then use it to enable telnet functionality in the router and obtain a root shell, provided that the attacker is in the LAN.
Additionally, the security researcher found a stack buffer overflow which could allow an unauthenticated attacker to take full control over the device and execute code remotely. For that, however, the attacker would have to also leverage the apply_noauth.cgi vulnerability and the timestamp identifying attack. The code could be executed both in the LAN and in the WAN.
According to Ribeiro, because NETGEAR didn’t respond to his emails, he decided to publish not only an advisory on the discovered issues, but also the exploit code that leverages said vulnerabilities, thus turning them into 0-days. No CVE has been assigned to the issues either.
Contacted by SecurityWeek, NETGEAR confirmed the password recovery and command execution issues in its WNR2000 routers and said a firmware update to patch the vulnerability will be released as quickly as possible.
“NETGEAR is aware of the reported security vulnerability related to WNR2000 router as stated by Pedro Ribeiro, including password recovery and command execution. This vulnerability occurs when an attacker can access the internal network or when Remote Management is enabled on the router,” the company said in an email.
“NETGEAR plans to release firmware updates that fix the remote access and command execution vulnerability for all affected products as quickly as possible,” the company said.
In the meantime, affected users can use a workaround, which involves turning off Remote Management. For that, they should access http://www.routerlogin.net from a computer that is part of the home network, should login with their admin credentials, then access Advanced > Remote Management, clear the check box for Turn Remote Management On, then click Apply to save the changes.
Earlier this month, NETGEAR R7000, R6400, and R8000 routers, and possibly other models, were revealed to be affected by a critical security vulnerability that could be remotely exploited to hijack the devices. By getting a user to visit a specially crafted web page, an attacker could execute arbitrary commands with root privileges on affected routers. The company detailed patching plans immediately after the flaw made it to the headlines.
*Updated with response from NETGEAR