
NetUSB Impacts the Security of Millions of Devices Worldwide - _jomo
http://blog.sec-consult.com/2015/05/kcodes-netusb-how-small-taiwanese.html
======
userbinator
_The client can specify the length of the computer name. By specifying a name
longer than 64 characters_

What sort of programmer writes code to handle a protocol with a length field
and yet uses a fixed-size buffer without ever considering the possibility of
what would happen if it could be larger than the buffer...?

I've seen plenty of source code out there, written for educational/example
purposes, where arrays to hold strings are declared with an arbitrary size and
no justification why - and naturally, no consideration of this fact is made
evident. It's a horrible habit to get into writing code like that, since it
makes others, less knowledgeable, think it's acceptable...
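To make the pattern in the post concrete, here is an added example (not code from the thread, and not KCodes' NetUSB source): a length-prefixed "computer name" field, as the advisory describes, parsed once the way the post criticises and once with the checks a protocol parser needs. The wire layout (a 4-byte little-endian length followed by the name bytes), the 64-byte limit as the server's maximum, and the helper names are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration: a client-supplied length prefix followed by a
 * "computer name" that the server stores in a fixed 64-byte buffer. */

#define NAME_MAX_LEN 64          /* longest name the server will store (assumed) */
#define LEN_PREFIX_SIZE 4

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED = -1,        /* fewer bytes arrived than the length field claims */
    PARSE_TOO_LONG = -2          /* declared length exceeds the destination buffer */
};

/* The habit the post describes, kept as a comment so nothing here runs it:
 * the declared length alone drives memcpy into a fixed-size stack buffer,
 * so any name longer than the buffer overruns it.
 *
 *   char name[64];
 *   uint32_t len = read_u32_le(msg);
 *   memcpy(name, msg + 4, len);       // len is never compared to sizeof name
 */

static uint32_t read_u32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened parse: the declared length is checked against the destination
 * buffer AND against the bytes actually received before anything is copied.
 * out must hold NAME_MAX_LEN + 1 bytes; on success it is NUL-terminated. */
int parse_computer_name(const uint8_t *msg, size_t msg_len,
                        char out[NAME_MAX_LEN + 1], size_t *out_len)
{
    if (msg_len < LEN_PREFIX_SIZE)
        return PARSE_TRUNCATED;

    uint32_t declared = read_u32_le(msg);
    if (declared > NAME_MAX_LEN)
        return PARSE_TOO_LONG;                 /* the check the post asks for */
    if (declared > msg_len - LEN_PREFIX_SIZE)
        return PARSE_TRUNCATED;                /* never read past what arrived */

    memcpy(out, msg + LEN_PREFIX_SIZE, declared);
    out[declared] = '\0';
    *out_len = declared;
    return PARSE_OK;
}

/* Demo helper: builds a message whose declared length may disagree with the
 * payload (as a hostile client's would) and parses it. The parsed name is
 * left in g_last_name for inspection. */
char g_last_name[NAME_MAX_LEN + 1];

int parse_sample(uint32_t declared_len, const char *payload, size_t payload_len)
{
    uint8_t msg[LEN_PREFIX_SIZE + 256];
    if (payload_len > sizeof msg - LEN_PREFIX_SIZE)
        payload_len = sizeof msg - LEN_PREFIX_SIZE;
    msg[0] = (uint8_t)declared_len;
    msg[1] = (uint8_t)(declared_len >> 8);
    msg[2] = (uint8_t)(declared_len >> 16);
    msg[3] = (uint8_t)(declared_len >> 24);
    memcpy(msg + LEN_PREFIX_SIZE, payload, payload_len);
    size_t n = 0;
    g_last_name[0] = '\0';
    return parse_computer_name(msg, LEN_PREFIX_SIZE + payload_len, g_last_name, &n);
}

int main(void)
{
    char long_name[200];
    memset(long_name, 'A', sizeof long_name);
    printf("5-byte name:                 %d\n", parse_sample(5, "hello", 5));
    printf("65-byte name, honest length: %d\n", parse_sample(65, long_name, 65));
    printf("declared 10, 5 received:     %d\n", parse_sample(10, "hello", 5));
    return 0;
}
```

The second check matters as much as the first: a length field that is within the buffer limit but larger than the bytes actually received would otherwise make the parser read past the end of the message, which is the same class of mistake in the other direction.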

~~~
cnvogel
> What sort of programmer writes code to

The sort of programmer who's not passionate about how the code looks, or
works, as long as it passes the (very rudimentary) tests which don't cover
protocol violations or borderline cases.

The sort of programmer that didn't have any experience and directly went from
Sandbox-Java to bare-metal kernel-code in his first project?

I don't want to disillusion you, but I know plenty of people with (at least
part-time) programming jobs who don't care at all about all the new
programming paradigms, programming languages, libraries, frameworks... boasted
often here on HN. I'd say that a huge majority is pretty pleased with what
they know, as long as it's enough to do the job.

And, frankly, economically it makes sense: How many plastic-routers are chosen
based on their track-record regarding security? And how many "Security-
Incident-Handling Stars" does any of the devices mentioned in the article have
on Amazon.com? No one cares. The company and their programmers can just
continue writing "almost working" code, and patch the security-incident-of-
the-month when it surfaces.

~~~
userbinator
_I don't want to disillusion you, but I know plenty of people with (at least
part-time) programming jobs who don't care at all about all the new
programming paradigms, programming languages, libraries, frameworks... boasted
often here on HN. I'd say that a huge majority is pretty pleased with what
they know, as long as it's enough to do the job._

Actually I'd consider myself in that group; most of my work is in Asm and C,
with some C++, sometimes Java, and very occasionally do I do anything with Web
technologies.

The difference, however, is that I _do_ consider all possible inputs, think
about how much space things take up, and generally try to cover the problem
space. If there is a variable-length field, there will be a statement in the
documentation/requirements which states any length restrictions, and what
happens if that length is exceeded.

_The sort of programmer that didn't have any experience and directly went
from Sandbox-Java to bare-metal kernel-code in his first project?_

I think this has much to do with it - those starting with HLLs that cover them
with a safety net, letting them do stupid things without all that much
consequence, may not develop the same type of thinking; but, even if this was
written in something like Java, a Nullpo or IOOBE is unacceptable, and perhaps
they would just patch in code to catch the exception and ignore it, not giving
this case the proper thought it deserves.

To put it a bit more bluntly: when you're writing in Asm on a machine running
DOS, and any bug is probably going to make you reboot, you quickly tire of
hitting the reset button and learn to think more carefully about what you
write. Although I've migrated from such an environment a long time ago, the
habit has stuck.

~~~
cnvogel
> To put it a bit more bluntly: when you're writing in Asm on a machine
> running DOS, and any bug is probably going to make you reboot, you quickly
> tire of hitting the reset button and learn to think more carefully about
> what you write. Although I've migrated from such an environment a long
> time ago, the habit has stuck.

I completely agree, a good argument for teaching programming "from the bottom
up".

------
sdalfakj
> Workaround:

> -----------

> Sometimes NetUSB can be disabled via the web interface, but at least on
> NETGEAR devices this does not mitigate the vulnerability. NETGEAR told us,
> that there is no workaround available, the TCP port can't be firewalled nor
> is there a way to disable the service on their devices.

[https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt](https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt)

Eeesh

------
ansible
Sigh....

I should probably replace my commercial-grade WiFi router with some custom box
that can run OpenBSD or something.

When I first got it, I tried to go through and lock down everything I could
find. But I suspect that may not be enough.

~~~
pavel_lishin
I wonder how much it would cost to build a reasonable wifi router out of a
raspberry pi, or something similar.

If you could keep performance and consumer costs comparable, you could
probably sell quite a few.

~~~
DEinspanjer
It isn't hard to put together low power hardware with two or more NICs, and
you can then toss something like pfSense or similar on it.

The biggest challenge is whether this will impact your internet speed. If you
have a faster broadband connection, you can quickly exhaust the throughput
capabilities of such a limited platform. Things get significantly worse if you
are relying on the router for your LAN traffic as well (i.e. you don't have a
switch to offload the LAN only traffic).

With the more commercial solutions, whether for SOHO or SMB, the biggest
advantage they bring to the table is the ability to utilize hardware
optimizations such as offloading for checksum, TCP segmentation, and large
receive.

pfSense actually has code to perform the offloading, but you have to ensure
the hardware you're using is capable of performing the work.

------
listic
Looks like most home router manufacturers are mindlessly plugging modules from
various vendors to their devices' firmware, to add features.

Are there manufacturers or product lines that are safe(r) from such approach?
Are alternative firmware such as OpenWRT or independent open-source firmwares
(m0n0wall, pfSense, OPNsense) better in this regard?

~~~
redwards510
pfSense and OpenWRT (I have no experience in the others) are safer in that a)
when issues are discovered, patches are made quickly and upgrading is simple
and b) you can select only the services you want running, thereby reducing
your attack surface.

------
snowwrestler
> While NetUSB was not accessible from the internet on the devices we own,
> there is some indication that a few devices expose TCP port 20005 to the
> internet.

This is a very important caveat that seems to be a bit buried in the article.
If this service is not exposed to the Internet, an attacker would have to be
on your local network to exploit the vulnerability--either authenticated into
your WiFi, or already resident on one of your devices (through a previous
exploit). Both are fairly high hurdles if you encrypt your WiFi.

Coffee shops etc. that run open consumer-grade WiFi access points could be
vulnerable to this. Exploiting that router would provide bad guys with a
platform to harvest or attack traffic from all the computers that connect to
that router.

If your device does expose this service to the Internet, then any script
traversing known consumer ISP netblocks could try to hit it. So that is worth
nailing down.

------
DEinspanjer
I can't tell if the response from NETGEAR is just sensationalized and they are
actually working on firmware updates that will fix the flaw or at least allow
firewalling or disabling the feature. I would hope they don't think that "it
can't be fixed" is actually an acceptable long term answer.

~~~
rednovae
I have reported vulns to NetGear before. They don't have any sort of security
department, nor a method to handle vulnerability reports.

I have no idea what the truth actually is, but my experience would lead me to
believe worst case.

~~~
MichaelGG
I know it's illegal, but it'd be eye opening to worm these machines, then have
them inject a banner sometimes, to alert the user. I suppose that's an ethics
question overall. I know many exploits that can and are being used for
financial gain. [1] The vendors respond very poorly (lying or getting angry at
me). Companies and customers are at risk. But no one cares. Unless a major
incident occurred...

1: One expensive (8 digit) system that was targeted at multi tenant setups
used Java for the UI. Annoying but OK. But, how did the Java app determine
your login privileges? Oh, easy! The app would download the _root credentials_
for the system, use them to login to MySQL over the Internet, then "SELECT
Permissions from user where...".

I met the developers and their response was "yes that's a known issue in the
current version". Ignoring that many users were stuck on that version for a
long time. For bonus points, this system logged the root credentials to debug
log, in the user's home directory. I'll let you guess if their updated version
was vulnerable as all hell, too.

Edit: This was a major VoIP switch vendor (NexTone, now killed/bought by
Genband IIRC), so exploits were easily turned into money. (Just route traffic
on someone else's trunk for a bit.) Though I've dealt with other VoIP
providers, ones that keep much more info (full end user info, CALEA module
available) that had SQL injection-> root takeover on the _login page_. That
puts end users at risk, too. Their response? "Our programmers are top notch
C/C++ guys, they just aren't perfectly familiar with PHP..."

------
imrehg
> We tried to get in contact with KCodes back in February 2015 and provided
> them with a detailed vulnerability analysis including proof of concept
> exploit code. They sent a few nonsensical responses and then further ignored
> us.

Working at a Taiwanese company, unfortunately this does not surprise me at
all: both the nonsensical (i.e. likely no foreign educated and definitely no
native speakers on the team), or being ignored ("I have no idea what they are
on about but if we don't reply, maybe they will go away") :(

I love this place to pieces, but could use a few level-ups in English,
technical skills, and customer support.

------
_jomo
tl;dr: You can cause a remote kernel exploit when your device name is longer
than 64 bytes.

> Easy as a pie, the ‘90s are calling and want their vulns back

~~~
kpcyrd
s/kernel exploit/kernel panic/

exploits actually exploit things

------
tracker1
Well, just put a 1* review and reference to the article for every Netgear
router with a USB port on amazon that I could find... Since they "can't" fix
it... afaik they refuse to fix it. It isn't like it's impossible to limit
access to internal ports. Difficult, maybe, costly, maybe... just limiting to
currently/recently shipping devices would be better than nothing.

------
cbhl
I wonder if OpenWRT is also vulnerable or if it's just the stock firmware.

I used to use one of the affected devices (TP-LINK Archer C2), but primarily
bought it to run OpenWRT on it. Eventually I got tired of tinkering with it
and replaced it with something else, though.

------
cmavr8
So can anyone propose a sane way to check devices for vulnerability? Obviously
one can disable NetUSB in the web interface, but that may not be enough.

Nmapping port 20005 is not accurate enough.

I want to check 3 of my routers, both from LAN and WAN.

------
pibefision
Any idea about what hardware is impacted?

~~~
m_eiman
Perhaps you missed the link in the article to [https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt](https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt)

~~~
pibefision
Thank you

