Finding bugs to trigger Unauthenticated Command Injection in a NETGEAR router (PSV-2022–0044)

Preface

Before Analysis

Specification of the router

WAC124 Specification

Dumping the firmware

Output from binwalk
Router Directory Structure

Some key files for this article

  • /bin/mini_httpd, mini_httpd: the HTTP server daemon
  • /bin/setup.cgi, setup.cgi: the CGI program (an ELF binary) that processes configuration changes
  • /www.eng/: document root of the httpd server
  • /etc/htpasswd: plaintext file holding the unencrypted credentials used for admin page authentication; each line has the format username:password

Finding Cross-site Scripting (XSS)

usb_new_fld.htm
  1. Reads the requested file, after some file extension checks (discussed later in the article)
  2. Searches the file for @variable# template strings
  3. Replaces each template string with the actual value.
setup.cgi: html_parser
403 Forbidden triggered by FindForbidValue
setup.cgi: main
setup.cgi: FindForbidValue
view-source of the XSS payload
result of the XSS payload

Finding Unauthenticated Arbitrary File Read

Filenames with htm/html/asp extensions redirect to the login page
Filenames with png/xml do not return any responses
Ambiguous behavior
  1. Why did xml files return outputs while .png and .jpg files didn't? Did it crash?
  2. Why did htm, asp, html files return the login page?

Analyzing the template routine

setup.cgi: main

Exploiting to trigger the system shell

PS F:\> tree f v /F
F:\
└─evil.xml
Bruteforcing %c to find the drive directory
Content of /etc/passwd

RCE#1 Exploit PoC (With preconditions)

It’s not over yet!

Finding Authentication Bypass

mini_httpd: path_exist
  1. checks that the path does not contain .htm, .html, .asp or similar extensions.
  2. checks that the path does not contain dangerous characters that could cause unexpected behavior, such as todo, etc.

Bypassing some filters

Fuzzing the HTTP request

Trying authentication bypass with the fuzzed path

Finding Command Injection

RCE#2 Exploit PoC (No precondition)

Exploit Code

Actual run of the exploit on the real router

Demonstration Video

https://www.youtube.com/watch?v=uxt0utGn_Zk

About us

We are a cyber security company based in Tokyo, Japan. We provide security assessment services. HP: https://flatt.tech/en CVE: https://flatt.tech/cve

Flatt Security Inc.