Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Mama Always Told Me Not to Trust Strangers without Certificates - 621

Adam - Grimm, posted 4 years ago
  • Many Netgear routers ship with software called Circle, which adds parental-control features to the device. Because it runs as root, it is a worthwhile attack vector even though it is not a core router component.
  • The Circle update daemon polls an HTTP service (note the lack of an 'S' there) for a file containing firmware version information, database information and a few other things. If a component is out of date, the daemon reaches out to grab a few files: database.tar.gz, firmware.bin and platforms.bin. The firmware and platform binaries are encrypted, then signed blobs of data. The database archive, however, is not protected in this way. What can be done with this?
  • The update script unpacks the tar.gz into a directory. That same directory holds the stopcircle and startcircle scripts and several others! Since the attacker controls the files being extracted into this location, a tar.gz carrying entries with those names overwrites the real scripts, and the next time one of them runs the attacker has code execution as root.
  • To deliver this, the attacker abuses the fact that the update site is HTTP instead of HTTPS: DNS spoofing or a classic MitM position is enough to swap in a modified database.tar.gz.
  • Overall, this is an interesting exploitation method. Although parts of the update were signed, not all of them were. Using this one unsigned artifact as a foothold, the researchers exploited a mistake in how the files were extracted to own the system. It turns out that handling files is really hard.
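The pattern above (an unauthenticated archive unpacked into the directory that holds the service's own scripts) is easy to reproduce and easy to fix once you see it. The following is an added example written for this page; it is not code from the Grimm post, from Circle or from Netgear. The directory layout, the script contents, the use of an HMAC as a stand-in for the vendor's real signature check and the demo key are all assumptions. `vulnerable_update` mirrors the flaw as described (no integrity check, extraction straight into the script directory), and `hardened_update` shows the checks a practitioner would want: authenticate the bytes before touching disk, unpack only into a data-only directory, and refuse any entry that is not a plain file, escapes the destination, or collides with an existing file.

```python
# Added example (not from the original post, Circle or Netgear): models the
# "unsigned tarball unpacked next to the service scripts" flaw and a hardened
# unpacker. File names, script contents and the signing key are hypothetical.
from __future__ import annotations

import hashlib
import hmac
import io
import tarfile
import tempfile
from pathlib import Path

# Hypothetical stand-ins for the startcircle/stopcircle scripts that live in the
# extraction directory on the device.
LEGIT_SCRIPTS = {
    "startcircle": "#!/bin/sh\n/usr/sbin/circled --start\n",
    "stopcircle": "#!/bin/sh\n/usr/sbin/circled --stop\n",
}
ATTACKER_PAYLOAD = b"#!/bin/sh\necho attacker-controlled\n"  # benign marker only


def make_tgz(entries: dict[str, bytes]) -> bytes:
    """Build a .tar.gz in memory; mode 0755 so an overwritten script stays executable."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o755
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def setup_circle_dir(base: Path) -> Path:
    """Create a directory holding the (hypothetical) control scripts."""
    d = base / "circle"
    d.mkdir()
    for name, body in LEGIT_SCRIPTS.items():
        (d / name).write_text(body)
    return d


def vulnerable_update(circle_dir: Path, archive: bytes) -> str:
    """The flaw as described: no integrity check, extracted straight into the script dir."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        try:
            tf.extractall(circle_dir, filter="fully_trusted")  # keep the old permissive behaviour
        except TypeError:
            tf.extractall(circle_dir)  # interpreters without the filter argument
    return (circle_dir / "startcircle").read_text()  # now whatever the archive carried


def hardened_update(circle_dir: Path, archive: bytes, sig: bytes, key: bytes) -> tuple[bool, str]:
    """Authenticate first, validate every entry, then unpack into a data-only directory."""
    # Stand-in for the signature check the firmware/platform blobs already receive.
    expected = hmac.new(key, archive, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "rejected: bad signature"
    data_dir = circle_dir / "db"  # never the directory that holds executables
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        members = tf.getmembers()
        for m in members:  # validate everything before writing anything
            p = Path(m.name)
            if not m.isfile():  # no symlinks, hardlinks, devices or directories
                return False, f"rejected: non-regular entry {m.name}"
            if p.is_absolute() or ".." in p.parts:
                return False, f"rejected: path escape {m.name}"
            if (circle_dir / p).exists():  # would land on startcircle/stopcircle/...
                return False, f"rejected: would overwrite existing {m.name}"
        data_dir.mkdir(exist_ok=True)
        for m in members:
            dest = data_dir / m.name
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(tf.extractfile(m).read())  # default mode: never executable
    return True, f"installed {len(members)} file(s)"


def run_demo() -> dict:
    """Run both unpackers against the same constructed archives; returns the outcomes."""
    key = b"constructed-demo-key"  # hypothetical vendor signing key
    sign = lambda blob: hmac.new(key, blob, hashlib.sha256).digest()
    malicious = make_tgz({"circle.db": b"db bytes", "startcircle": ATTACKER_PAYLOAD})
    benign = make_tgz({"circle.db": b"db bytes"})
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = setup_circle_dir(Path(tmp))
        out["vuln_startcircle"] = vulnerable_update(d, malicious)
    with tempfile.TemporaryDirectory() as tmp:
        d = setup_circle_dir(Path(tmp))
        out["unsigned"] = hardened_update(d, malicious, b"\x00" * 32, key)
        out["signed_but_overwrite"] = hardened_update(d, malicious, sign(malicious), key)
        out["signed_benign"] = hardened_update(d, benign, sign(benign), key)
        out["hard_startcircle"] = (d / "startcircle").read_text()
        out["db_installed"] = (d / "db" / "circle.db").read_bytes()
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")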