
Netgear 0-day vulnerability analysis and exploit - geeklord
https://blog.grimm-co.com/2020/06/soho-device-exploitation.html?m=1
======
Sodman
The worst part is this isn't even just going to affect folks that would never
think to update their router firmware. The firmware they _do_ push out is
frequently a massive downgrade.

About a year ago, I tried to update the firmware on my Netgear router. It was
the exact model from the article, the R7000. I assumed "new update" for router
firmware would involve some critical security updates, and maybe some
stability fixes, but it basically rendered the router unusable. It would crash
every few hours with normal usage. I googled around and turns out it was a
known issue, the only recommended fix was "roll back to version x.x.x (2
versions prior)". I found this fix months after it had been posted, and there
had still been no new patch released to fix the issue.

When my relatives call me to fix their wifi, I now have to think twice about
updating the firmware. These days I recommend the google wifi mesh router(s),
because they just involve the least maintenance effort. They have less fine-
tune controls and the wifi speed is slightly slower when you start approaching
gigabit speeds (vs other high-end consumer routers), but it's definitely worth
the trade off for me. Plus, anyone calling me to help with their wifi won't
notice either of those things :)

~~~
jeffbee
The best thing about setting up Google wifi routers for your relatives is you
can set yourself up as the manager of them, and manage them with the Google
Wifi app from anywhere. So before Uncle Bob calls you about the wifi you'd
already have got the notification that his cable service is down again.

~~~
antsar
Sorry to be "that guy", but how about not giving an advertisement company
access to all your network traffic (while _paying them_ for the privilege)...

Almost every router supports some form of remote management (or just put
TeamViewer on their machine). Most also support dynamic DNS so you can set up
a ping check for the "it's down" notification.

~~~
Sodman
The fact that I've paid them for the hardware gives me more confidence that
_I'm_ not the product. Ironically, the fact that I can get TeamViewer for free
and use it to get remote access to others' computers makes it feel like a
higher threat attack vector for me.

Before I bought the Google mesh wifi, I already had android, chrome, project
Fi, and Google's DNS (router level) at various levels of my request stack.
That's not even counting search, gmail, and calendar. If Google are playing
shady games with my network traffic, whatever marginal gain they get from
having software on my router is negligible. Especially compared to the awful
PR backlash they'd get once somebody hooks some monitoring gear up to their
hardware and exposes it.

~~~
antsar
> the fact that I can get TeamViewer for free and use it to get remote access
> others' computers makes it feel like a higher threat attack vector for me.

I agree. I gave that example because I personally use it, but would prefer to
move to a self-hosted or inexpensive paid solution. I've always assumed the
free version has sufficient business value as a lead-generator for the
enterprise version, but there's no reason to assume they don't _also_ monetize
usage data.

> I already had android, chrome, project Fi, and Google's DNS ... whatever
> marginal gain they get from having software on my router is negligible.

That's a totally fair way of looking at it, and I'd probably use Google Wifi
with little hesitation if I were you. But this isn't the case for everyone.
IMHO tech folks need to be mindful of privacy implications when recommending
tech to non-tech folks, because we have the benefit of understanding those
implications. FWIW, my immediate family would be displeased if I installed a
Google router for them and they later figured out Google's conflict of
interest for themselves.

------
0fcf8d3559a64c
I am sick of having to assume my network hardware is trivially compromised.

What will it take for me to be able to purchase a microkernel driven
router/access-point with audited drivers (or Rust based)? I would settle for
mediocre performance (ie no gigabit) if I could have some strong security
guarantees.

Can I set up Redox or seL4 as home network hardware at this point? Or would the
pain threshold still be quite high?

~~~
dehrmann
> I am sick of having to assume my network hardware is trivially compromised.

I don't have the gateway my ISP gave me on my LAN for this reason. I do have
to laugh a little bit about people who use a VPN to hide requests (DNS?
Because most of the web is HTTPS, now) from their ISP when _their ISP has a
device on their network_.

~~~
WorldMaker
Even personally owned hardware has its risks from today's ISPs. DOCSIS
standards require every off the shelf cable modem to basically have giant
"management" back doors for the ISPs. They can remotely install firmware
updates to your modem that you own for "your safety" and there's not much you
can do about it.

------
mobilio
It's another reason, once you've bought a router, to reflash it with alternative
firmware such as OpenWRT or DD-WRT.

~~~
wycy
The last time I looked into OpenWRT/DD-WRT (years ago), it seemed
disadvantageous to switch to them because they would be slower than stock
firmware due to missing some kind of hardware support. Is this still the case
these days?

EDIT: It sounds like the situation for my router (R7000) is quite the opposite
now, apparently being almost twice as fast due to new hardware acceleration
features.

~~~
zantana
DD-WRT has access to some proprietary (Broadcom?) code which enables NAT
acceleration on some models which, at least in my case, greatly improved
performance over OpenWRT.

~~~
mobilio
Exactly. They have signed an NDA with Broadcom:
[https://openwrt.org/meta/infobox/broadcom_wifi](https://openwrt.org/meta/infobox/broadcom_wifi)

"DD-WRT has a license agreement and NDA in place with Broadcom that allow
usage of better, proprietary, closed source wireless drivers (binary blobs)
which they are not allowed to redistribute freely."

------
Namidairo
I noticed there's a gap in some of the affected lists. (Mainly the
MediaTek/Ralink mipsel hardware) They don't appear to have the same httpd
binary talked about here. (Instead they have a mini_httpd?)

They do appear however to be still very vulnerable to CVE-2020-8597 (no PIE or
stack cookies, probably RWX stack) and for the one device I took a look at
(R6700v2), the firmware image hasn't been updated since last September.

Oh well.
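
The checks Namidairo describes (no PIE, no stack cookies, likely RWX stack) can be automated over the binaries extracted from a firmware image. The following is an added example written for this thread, not code from the article or the GRIMM repository; it reads the ELF header and program headers directly, and the sample image it builds is constructed for the test, not a real Netgear binary.

```python
import struct

ET_DYN = 3                   # e_type of PIE executables (shared objects too)
PT_GNU_STACK = 0x6474E551    # program header declaring stack permissions
PF_X = 0x1                   # segment flag: executable


def elf_hardening(data: bytes) -> dict:
    """Report which basic exploit mitigations an ELF image was built with.

    PIE: e_type == ET_DYN (for a main executable this means PIE).
    NX stack: a PT_GNU_STACK segment is present and lacks PF_X.
    Stack canary: heuristic; the image references __stack_chk_fail, which
    every canary-protected function calls on a mismatch.
    Handles ELF32/ELF64 and both endiannesses, so it covers the ARM and
    mipsel builds found in router firmware.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if is64:
        hdr = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
        ph_fmt = end + "IIQQQQQQ"        # p_flags is the second field
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHH", data, 16)
        ph_fmt = end + "IIIIIIII"        # p_flags is the seventh field
    e_type, e_machine, e_phoff = hdr[0], hdr[1], hdr[4]
    e_phentsize, e_phnum = hdr[8], hdr[9]
    # Linux treats a missing PT_GNU_STACK as an executable stack on most
    # architectures (older MIPS kernels ignored the flag entirely), so start
    # from the pessimistic default.
    nx_stack = False
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_flags = ph[0], (ph[1] if is64 else ph[6])
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {
        "machine": e_machine,
        "pie": e_type == ET_DYN,
        "nx_stack": nx_stack,
        "stack_canary": b"__stack_chk_fail" in data,
    }


def build_sample_elf(pie: bool, nx_stack: bool, canary: bool) -> bytes:
    """Constructed ELF32 little-endian ARM image (header, one PT_GNU_STACK
    program header, no code) that exists only to exercise the checker."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELF32, LE, v1
    hdr = ident + struct.pack(
        "<HHIIIIIHHHHHH",
        ET_DYN if pie else 2,   # ET_DYN vs ET_EXEC
        40,                     # EM_ARM
        1, 0x8000, 52, 0, 0,    # version, entry, phoff, shoff, flags
        52, 32, 1, 0, 0, 0)     # ehsize, phentsize, phnum, sh* fields
    flags = 0x6 if nx_stack else 0x7                        # RW- vs RWX
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    tail = b"__stack_chk_fail\x00" if canary else b"main\x00"
    return hdr + phdr + tail
```

Run it over every ELF that binwalk extracts from an image (the httpd, the CGI helpers, libc) and the weak ones stand out at a glance.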

------
Meekro
I've used Apple routers for many years, but since they've been discontinued I
wonder what I'll do when I need to replace them. All the major alternatives
seem to have crap software that requires frequent reboots and has security
issues.

Can anyone recommend an awesome wireless router that works great off the
shelf? I don't want to have to learn how to flash it with DD-WRT.

~~~
beamatronic
Eero

~~~
post_break
I almost went full Unifi, got lazy and got Eero. So far everything has been
fantastic. It's not perfect but it works and delivered on its promise. Speed
is fast, it's not Wifi 6 but neither are any of my devices. Paid full price
too, not a shill here.

~~~
WorldMaker
Ubiquiti has a consumer/prosumer brand called Amplifi now. It's got the ease
of something like Eero but the decade of experience of Unifi. (They also
already have a WiFi 6 mesh router at the top of the line on the prosumer
side.)

~~~
hedora
I recommended an Amplifi to some friends that aren’t computer-savvy, and
didn’t hear back. (Their previous router was crashing frequently.)

I visited them a few months later and noticed it, so I asked about it.

They had kind of forgotten about it. There were zero problems setting it up
and zero problems since. They said they thought it was kind of pricey.

If I remember right, it was $50 more than the cheapest (but terrible) one with
similar specs. It was $100 less than an expensive, terrible and comparable
one.

I can’t imagine a more favorable review of consumer networking gear. :-)

Also, I have had zero issues with the Ubiquiti access point I use at home. I
have a pcengines apu2 OpenBSD router, so I can’t say much about their routers.

~~~
WorldMaker
Very similarly, I recommended Amplifi to my parents. They've had a couple
issues with it, but that's due to a complicated bit of their new house more
than Amplifi itself.

The house they just moved into had a strange audio LAN wired through the house
when it was built. The audio LAN had a couple CAT-5E ports for "expansion"
(presumably?) on each floor just about perfectly located for WiFi AP backhaul.
So I worked with my parents on a plan to try three of Amplifi's routers rather
than one AP and two "Satellites".

This seemed to work alright. The Amplifi phone app wasn't great about setting
up a multi-AP mesh of that sort just yet (as opposed to the focused use case
of one router/AP and several "satellites") and didn't always have the best
experience (in navigation/details), but other than UX complaints, the system
just works as expected.

However, my parents then discovered that there were "hidden" components also
wired to the Audio LAN somewhere between the primary Audio LAN router and the
"expansion ports", which meant that some of the system's speakers stopped
operating. (It would have been great to have a wiring diagram of the whole
LAN. We did a lot of trial and error discovery on this.)

So my parents decided to "turn off" the backhaul by reconnecting it to the
Audio LAN. There was angsty confusion that they "broke" the WiFi because they
ignored/forgot my explicit instructions to disconnect the router's WAN cables
on the house ports that were now again Audio LAN ports. As I had expected,
once disconnected from the confusing (to people and devices alike) Audio LAN,
the Amplifi Routers straightened themselves out and switched to a more
traditional bridged mode ("wireless backhaul") as if they were mere
"satellites".

According to the math I did, my parents paid a lot less for that experiment
with all Amplifi routers than if they'd tried it with "full" routers of any of
the other brands we'd comparison shopped (and none of them seemed to offer an
ala carte buying experience similar to Amplifi's section of Amazon), though
obviously more than if they'd bought only one router and two satellites of any
of the other brands in the first place. The extra LAN port on the Amplifi
router is still critical to them on one of the floors (a home office VOIP
system that "requires" a wired connection) and they couldn't easily swap at
least one of the routers for a Satellite anyway.

Other than the crazy backhaul experiment confusion, my parents haven't had any
problems. I don't think we could have ran that experiment with any of the
other brands. My parents seem happy with the purchase and the quality of their
WiFi on all three floors, which was the important thing for them, and I get
the feeling they were happy with the price despite "over-paying" a tad due to
the experiment.

------
stragies
Treat these devices like PCs:

See the installed system as "example installation to demonstrate functioning".
Like HP with the bundled Crapware on PCs.

Just install OpenWrt as soon as you did a basic function test. And only buy
hardware you know to be compatible.

~~~
Namidairo
The problem with that plan, however, is that many of these devices tend to
depend on arcane network hardware acceleration features in order to reach
decent switching throughput.

Which rules out OpenWrt on some of the lower-spec pieces if you have a faster
WAN connection (i.e. 1gbit), as I don't believe they have support for these on
many platforms. (MT7621 is referenced as supported, and Qualcomm's "SFE" is
supported in community builds.)

~~~
philjohn
Qualcomm SFE has been replaced in OpenWRT with the more generic "flow
offload", on an R7800 you can get gigabit speeds lan to wan.

Wireless is still lagging as the IPQ8064 has two NSS packet processing cores
which, amongst other things, also accelerate crypto, including WPA.

I've got an R7800 running router duties on OpenWRT and then a Netgear Orbi
RBK50 set running in AP mode which works well for my needs.

There IS a community effort to port the NSS acceleration (which accelerates
qdisc and therefore traffic shaping with SQM) from the QSDK sources, but it's
slow going.

------
devy

> In SOHO devices like the R7000, the web server must parse user input
> from the network and run complex CGI functions that use that input.
> Furthermore, the web server is written in C and has had very little testing,
> and thus it is often vulnerable to trivial memory corruption bugs.

I wonder why these network equipment manufacturers are still using CGIs in
their firmware?! Is it because the MCUs they use in their hardware are too
weak to run a modern version of Linux with reasonable choices to build a
custom-compiled version of the web server in Rust, not C?

~~~
user5994461
They're running CGI and writing homemade web servers in C because they haven't
maintained or upgraded their software in decades.

I don't think they are low power devices. My bet would be they're relatively
normal hardware running a light linux. It takes quite a bit of power to route
gigabit ethernet or ac wifi.

~~~
yjftsjthsd-h
> They're running CGI and writing homemade web servers in C because they
> haven't maintained or upgraded their software in decades.

Sometimes, certainly :) However...

> I don't think they are low power devices. My bet would be they're relatively
> normal hardware running a light linux. It takes quite a bit of power to
> route gigabit ethernet or ac wifi.

It doesn't take much compute to handle high-end eth/wifi if you offload it to
hardware, and even doing it on-CPU (which I don't think is actually common)
probably wouldn't impact RAM/storage, so you could still manage with a
stronger CPU and comically tiny memory.

------
esaym
I gave up on netgear long ago for access points. Been running stuff from
[https://mikrotik.com/](https://mikrotik.com/) since 2016. They are a bit
dated in some areas, but they are cheap and I've never had any issues.

------
alyandon
Reading stuff like this makes me glad I ditched consumer grade all-in-one
stuff and went with a $REAL (feel free to substitute appropriate brand) router
and stand alone AP.

~~~
jasondclinton
That's not a workable solution for the vast majority of the population.

~~~
alyandon
Sadly not. You generally have to be very technically inclined to use something
like Mikrotik (which is what I'm using) and even the Ubiquiti stuff isn't as
easy to use as it could be.

~~~
WorldMaker
Ubiquiti has a consumer/prosumer brand now called Amplifi. I set it up at my
parents' and it was a breeze. It's adapted well to some strange network
situations they had. (A long story but they moved in to a place with an
ancient audio LAN wired through the home and we explored various
configurations of detaching portions of the audio LAN for WiFi backhaul.)

~~~
alblue
Does Amplifi require some cloud login before you can use it? One of my
annoyances recently is that the WiFi providers have an iOS app but require you
to log into their servers to configure the thing on your local network.

~~~
WorldMaker
It's been a couple months since I set it up, but as I recall Amplifi did not
require an account to set up your mesh.

It offered an optional "cloud" account system for remote administration (such
as giving guest access when you are away or rebooting your mesh from your
phone when your guest complains about the network not working, and so forth),
but did not require it.

------
theincredulousk
Predictably, the web servers are an afterthought for branding so that users
don't have to edit configuration files and operate at a command line.

(a) 99%+ of people buying these things do not know or care about security,
aside from someone stealing their WiFi bandwidth (b) the manufacturer does not
care because of (a).

As follows, all they care about (WRT the web server) is that they are easy
enough for non-technical people to set up such that they don't end up on a tech
support call or returning the device for a refund. That is it.

If you are the 1% that cares about security on your home network, it is far
less stressful to simply conclude these products are not for you and move on
with your life. You should be looking at enterprise hardware, open source
router firmware, or rolling your own.

In any case, what surprises me is that over time the router manufacturers
haven't simply built up a single, relatively patched-up, web server
implementation that they re-use. Even without aligned incentives, you would
think over years and years of development they'd have something at least as
good as what you can clone from GitHub for free.

------
hathym
Why is this a big deal since you can exploit the vulnerability only when you
are connected to the local network? (I've seen some of these exploits used to
replace the installed firmware with openwrt)

~~~
cjbprime
In general, this is not a safe assumption to make -- for example, due to DNS
Rebinding attacks.

The article also mentions that the exploit is working remotely:

> As the vulnerability occurs before the Cross-Site Request Forgery (CSRF)
> token is checked, this exploit can also be served via a CSRF attack. If a
> user with a vulnerable router browses to a malicious website, that website
> could exploit the user’s router. The developed exploit demonstrates this
> ability by serving an html page which sends an AJAX request containing the
> exploit to the target device.

Also, if you're replacing the firmware, the new firmware can create an
_outgoing_ root shell to a destination of your choice. There's no internal
limitation here.
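
The quoted passage turns on ordering: the bug is reachable before the CSRF token is checked, and cjbprime's point is that DNS rebinding defeats the "LAN only" assumption. The following added example, not code from the article or anyone in the thread, sketches the order a router web handler should apply: bound the request, check Host against the device's own names, check the session and a header-carried CSRF token, and only then parse the form. ROUTER_HOSTS, the /config path and the session store are assumptions made for the example.

```python
import hmac
import secrets

MAX_HEADER_BYTES = 8 * 1024     # hard limits applied before any other work
MAX_BODY_BYTES = 64 * 1024
# Constructed list: only the device's own address and hostname are accepted.
ROUTER_HOSTS = {"192.168.1.1", "routerlogin.net"}
CONFIG_PATH = "/config"         # hypothetical CGI endpoint for this example


class Rejected(Exception):
    pass


def new_session(sessions: dict) -> str:
    """Create a login session whose CSRF token is bound to the session id."""
    sid = secrets.token_hex(16)
    sessions[sid] = secrets.token_hex(16)
    return sid


def split_request(raw: bytes):
    """Minimal HTTP/1.1 splitter that enforces size limits up front."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES or len(body) > MAX_BODY_BYTES:
        raise Rejected("oversized or malformed request")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise Rejected("bad request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def host_name(value: str) -> str:
    """Host header without the port; handles bracketed IPv6 literals."""
    value = value.lower()
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0] if value.count(":") == 1 else value


def authorize(headers: dict, sessions: dict) -> None:
    """Checks that must pass before any form data is touched:
    1. Host must name the router itself; a DNS-rebound request still carries
       the attacker's domain in Host, so it is refused here.
    2. A valid session cookie must be present.
    3. The CSRF token travels in a header, so it is checked without parsing
       the body, and it must match the token issued to that session."""
    if host_name(headers.get("host", "")) not in ROUTER_HOSTS:
        raise Rejected("unexpected Host header")
    cookies = dict(p.strip().split("=", 1)
                   for p in headers.get("cookie", "").split(";") if "=" in p)
    token = sessions.get(cookies.get("sid"))
    if token is None:
        raise Rejected("no valid session")
    sent = headers.get("x-csrf-token", "").encode("utf-8", errors="replace")
    if not hmac.compare_digest(sent, token.encode()):
        raise Rejected("CSRF token mismatch")


def handle(raw: bytes, sessions: dict) -> dict:
    """Authorize first; the form body is parsed only for a request that passed."""
    method, path, headers, body = split_request(raw)
    if method != "POST" or path != CONFIG_PATH:
        raise Rejected("unsupported request")
    authorize(headers, sessions)
    fields = body.decode("utf-8", errors="replace").split("&")
    return dict(kv.split("=", 1) for kv in fields if "=" in kv)
```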

------
aVx1uyD5pYWW
Is there any mitigation for this? AFAICT netgear has not released a patched
firmware for this bug yet. Anything else that can be done?

------
AdmiralAsshat
[https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2...](https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.06.15-netgear/notes.txt)

> * R6300v2 version 1.0.3.6CH, 1.0.3.8, and 1.0.4.32
> * R6400 version 1.0.1.20, 1.0.1.36, and 1.0.1.44
> * R7000 versions 9.88, 9.64, 9.60, 9.42, 9.34, 9.18, 9.14, 9.12, 9.10, 9.6,
>   and 8.34

Strange, my Netgear R6700 is not on the list. Does that mean it's unaffected,
or they simply didn't have that model on hand to test against?

~~~
Namidairo
There is a much longer list within the comments of exploit.py

It appears they may have scraped the Netgear site and run all the images
through binwalk + objdump to make the list.

------
jaboutboul
Wow. This is gonna be bad.

~~~
mmm_grayons
Routers have been full of stupidly bad bugs for years; nothing really new
here. I recall analyzing one a while back and finding that it used session
tokens to determine whether one was logged into the interface. These were
derived from the uptime with triple des, but the nonce was a constant string
of text and the key was based off of interface mac addresses. One has to
wonder, at that point, why do anything at all?

~~~
yjftsjthsd-h
> One has to wonder, at that point, why do anything at all?

Still prevents the most casual attacks; obscurity is sorta technically better
than nothing. (Or worse, of course, if it gives the incorrect appearance of
actual security...)

------
joemazerino
Reports of 0days always make me consider projects like OpenWRT and Tomato. I
wonder how fast a non profit project can patch compared to OEMS.

------
DiabloD3
I'm surprised no one has made the semi-obligatory "buy Ubiquiti Edgerouter
X/Lite and throw in a NanoHD" comment.

~~~
rdudek
As someone who recently got the Dream Machine Pro with NanoHD access point,
most of the consumers will not want to deal with such a setup. Also, Ubiquiti
has their own issues to sort out as well.

~~~
ThePowerOfFuet
>Also, Ubiquiti has their own issues to sort out as well.

I also own a UDM Pro, and this is an understatement.

------
1024core
Is Netgear the new Adobe (see: Flash) ?

------
abc-xyz
Slightly off-topic: any not-made-in-china router recommendations?

~~~
mobilio
Mikrotik

~~~
g-b-r
They _are_ made in china, at least the last I bought (at least the company and
the software are not chinese, of course)

~~~
mobilio
Yes, but OS (firmware) is built in EU.

Technically, someone somewhere made an electronic plate and sold some elements
on it.

But the difference is who wrote the software on top.

~~~
g-b-r
?

Who wrote the software (and designed and sold the whole thing) is _some_
difference, much better than nothing, but the "electronic plate" can still be
filled with backdoors and other gimmicks...

