Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The Last Breath of Our Netgear RAX30 Bugs - A Tragic Tale before Pwn2Own Toronto 2022 - 1058

Vu Thi Lan & Nguyen Hoang Thach - Star Labs (posted 3 years ago)
  • The authors of this post come from Star Labs, a regular team at Pwn2Own. They detail several cool vulnerabilities, in this case in a Netgear router, that were patched shortly before the event.
  • From the LAN side, many services are exposed, including upnp, hostapd, smb and others. By reverse engineering one of the binaries in Ghidra, they discovered that the hostname field has a command injection vulnerability.
  • However, they are only given 63 bytes to work with. One thing I would have considered doing is constantly appending to a file until it is large enough, then executing the binary once we're done. In this case, they simply created a file. Sadly, this was fixed. The fix used execve instead of system. They did a good job fixing this issue.
  • While reviewing the device, they noticed a plethora of outbound connections to several Netgear domains on the WAN interface. One of the domains was responsible for checking for firmware updates. The device uses the curl library to make these requests, and two crucial settings are turned off: CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER.
  • Since certificate verification is turned off, an attacker on the network can set up a fake DHCP and DNS server to impersonate the update server. The firmware is likely signed, but the point is that this opens up an entirely new attack avenue!
  • When performing the firmware update, several requests are made to the update server. One of the responses contains a URL for downloading files, and this input is vulnerable to a command injection vulnerability as well. This was also fixed by using execve instead of system.
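The two injection bugs above and their execve fix come down to the same thing: whether the attacker-controlled string (the hostname, the download URL) is parsed by /bin/sh or handed to the child as a single argv element. The following is an added example, not code from the Star Labs post or from the Netgear firmware; the function names are hypothetical, /bin/echo stands in for whatever helper binary the router really invokes, and the 63-byte cap mirrors the limit the post mentions (which is also the maximum length of a DNS label). It shows the vulnerable system() pattern next to a fork/execve replacement plus an allow-list check, and captures the child's stdout so you can see that "router; id" reaches the helper verbatim instead of running id.

```c
#define _POSIX_C_SOURCE 200809L
/*
 * Added example (not from the Star Labs post or the Netgear firmware):
 * how a hostname reaches a child process with system() versus execve().
 * Helper names are hypothetical; /bin/echo stands in for the real binary.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define HOSTNAME_MAX 63   /* the 63-byte limit noted in the post; also a DNS label's maximum */

/* Vulnerable pattern: the hostname is spliced into a shell command line, so
 * ';', '|', '`' or '$(...)' in the field are interpreted by /bin/sh.
 * Kept only for contrast; the example never calls it. */
int set_hostname_with_system(const char *hostname)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/bin/echo %s", hostname);
    return system(cmd);   /* the shell parses the whole string */
}

/* Allow-list check: letters, digits, '-' and '.', 1..HOSTNAME_MAX bytes.
 * Returns 1 if acceptable, 0 otherwise. Independent of the execve fix, but
 * it is what a sane hostname field should enforce anyway. */
int hostname_is_valid(const char *hostname)
{
    size_t n = strlen(hostname);
    if (n == 0 || n > HOSTNAME_MAX) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)hostname[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Fixed pattern: fork and execve() the helper directly with the hostname as
 * one argv element. No shell is involved, so metacharacters are passed
 * literally. The child's stdout is captured into out so the caller can see
 * exactly what the helper received. Returns 0 on success, -1 on error. */
int run_with_execve(const char *hostname, char *out, size_t outlen)
{
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                      /* child */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]);
        close(fd[1]);
        char *argv[] = { "/bin/echo", (char *)hostname, NULL };
        char *envp[] = { NULL };         /* empty environment, nothing inherited */
        execve(argv[0], argv, envp);
        _exit(127);                      /* only reached if execve failed */
    }
    close(fd[1]);                        /* parent: read what the child printed */
    size_t total = 0;
    ssize_t r;
    while (total < outlen - 1 &&
           (r = read(fd[0], out + total, outlen - 1 - total)) > 0)
        total += (size_t)r;
    out[total] = '\0';
    close(fd[0]);
    int status;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Returns 1 if the helper received the hostname byte-for-byte (echo prints
 * it followed by a single newline), 0 otherwise. */
int execve_passes_literally(const char *hostname)
{
    char out[256];
    if (run_with_execve(hostname, out, sizeof out) != 0) return 0;
    size_t n = strlen(hostname);
    return strncmp(out, hostname, n) == 0 && strcmp(out + n, "\n") == 0;
}

int main(void)
{
    const char *tainted = "router; id";  /* constructed input with a shell metacharacter */
    printf("allow-list accepts it? %d\n", hostname_is_valid(tainted));
    printf("execve passes it literally? %d\n", execve_passes_literally(tainted));
    return 0;
}
```

Note that the execve fix alone only stops the shell from interpreting the string; the helper binary still receives attacker-controlled bytes, which is why the allow-list check belongs in front of it regardless of how the process is spawned.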
  • What's strange about this fix is that it is NOT complete. The root cause of the problem is the lack of certificate verification. As a result, the patch wasn't sufficient, and a malicious firmware image can still be sent to the device. The caveat is that the bug can only be exploited once per day (lolz).
  • Overall, a fairly trivial list of bugs in the Netgear router. Interesting to see such bad bugs inside such a popular product though.