Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Seventh Inferno vulnerability - Netgear Switches - 618

gynvael, posted 4 years ago
  • Switches are networking devices used all over the place. Being able to compromise a switch on a network would allow traffic sniffing and many other serious attacks. This author chained several odd bugs into a badass pwn.
  • The Web UI logic stores all of the information for an authentication request in a file. A different process then reads that file and uses it to authenticate the user. The file contains the username, the password, the name of the result file and some other information, one field per line. An example of this file can be seen below:
    ---------------------------
    admin
    mySecretPassword
    /tmp/sess/guiAuth_http_::ffff:someip_5
    ::ffff:someip
    http
    5
    

    ---------------------------
  • The problem starts with the fact that neither the username nor the password is encoded or escaped in any way, so a newline in either field confuses the line-based file parser (newline injection). The only useful field we can inject into is a file name: the name of the result file. This gives a VERY small file write primitive, where the file we name will contain either an ASCII 2 or 3, the result of the auth request.
  • The sessions are kept inside the /var/tmp/sess/login_http_ file. For some crazy reason, a session file containing simply 2 is completely valid! This is because of a complete lack of error checking on a multitude of things. Check for errors, kids!
  • This is the craziest part though: the session file needs to end with the current session time. The creation time for these is NOT a Unix timestamp; it is the time since the last reset, which we do not know. But by crashing the switch, we can force 0 to be a valid number here. The author found that writing 2 to several files, such as /proc/sys/vm/panic_on_oom, would immediately cause a crash. Several TCP/IP bugs in the outdated kernel would have worked as well.
  • Now, with the value 2 in the proper file, we have a valid session to call the application. Damn, that's an amazing find! To add insult to injury, there is command injection in an authenticated command as well, which makes compromise trivial at this point.
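As an added example (not code from this page or from gynvael's writeup), here is a small Python simulation of the bug pattern the bullets above describe: an authentication-request file written one field per line with no escaping, read back positionally by another process, so a newline in the password shifts an attacker-chosen path into the result-file slot and the auth result digit gets written there. The field layout follows the sample file above; the file names, the credential set, and which digit (2 or 3) means a failed login are assumptions, as is the hardening check at the end, which is my fix rather than the vendor's.

```python
# Added example: simulation of the newline-injection file-write primitive.
# Not Netgear's code and not gynvael's; field layout taken from the sample
# file above, everything else (names, digits, the fix) is assumed.
import tempfile
from pathlib import Path

FIELDS = ("username", "password", "result_file", "client_ip", "protocol", "seq")
RESULT_FAIL = "2"   # assumed: the writeup only says the result file holds a 2 or a 3
RESULT_OK = "3"     # assumed


def write_auth_request(path, username, password, result_file, client_ip, protocol, seq):
    """Vulnerable writer: joins the fields with newlines and escapes nothing (the bug)."""
    body = "\n".join([username, password, result_file, client_ip, protocol, str(seq)]) + "\n"
    Path(path).write_text(body)


def parse_auth_request(path):
    """Consumer side: reads the file back line by line and trusts the positions."""
    lines = Path(path).read_text().splitlines()
    return dict(zip(FIELDS, lines))


def handle_auth(request_path, valid_creds):
    """Authenticates from the request file and writes the result digit to whatever
    path ended up in the result_file slot. Returns (path_written, digit)."""
    req = parse_auth_request(request_path)
    ok = valid_creds.get(req["username"]) == req["password"]
    digit = RESULT_OK if ok else RESULT_FAIL
    Path(req["result_file"]).write_text(digit)
    return req["result_file"], digit


def reject_line_terminators(value):
    """Hardened input check (my fix, not the vendor's): a field carrying a newline
    shifts every field after it, so refuse CR/LF in any field outright."""
    if "\n" in value or "\r" in value:
        raise ValueError("line terminator in authentication field")
    return value


def _run_attack(workdir):
    request = workdir / "guiAuth_request"
    intended = workdir / "guiAuth_http_client_5"   # where the UI meant to put the result
    target = workdir / "attacker_chosen_file"      # where the attacker wants it instead
    # Attacker does not know the password; the newline after it is the injection.
    injected_password = "wrongpassword\n" + str(target)
    write_auth_request(request, "admin", injected_password,
                       str(intended), "::ffff:someip", "http", 5)
    written_to, digit = handle_auth(request, {"admin": "mySecretPassword"})
    try:
        reject_line_terminators(injected_password)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "parsed": parse_auth_request(request),
        "written_to": written_to,
        "digit": digit,
        "target_content": target.read_text(),
        "intended_exists": intended.exists(),
        "blocked_by_fix": blocked,
    }


def demo(workdir=None):
    """Runs the attack once in a scratch directory and reports what happened."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return _run_attack(Path(d))
    return _run_attack(Path(workdir))


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The parsed dict in the result shows the shift directly: the second half of the password lands in `result_file`, the real result path is read as `client_ip`, and so on down the list. That positional trust is the whole primitive; the contents of the written file are limited to a single digit, which is exactly why the rest of the chain has to make a file containing just "2" count as a valid session.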