Microsoft found auth bypass, system hijack flaws in Netgear routers

Microsoft experts have disclosed a series of vulnerabilities in the firmware of Netgear routers which could lead to data leaks and full system takeover.

Microsoft researchers discovered multiple vulnerabilities in the firmware of the Netgear DGN-2200v1 series router that can allow attackers to bypass authentication, access stored credentials, and even take over devices.

Experts discovered the security issues while researching device fingerprinting in the new device discovery capabilities in Microsoft Defender for Endpoint. The experts noticed that a device owned by non-IT personnel was trying to access a Netgear DGN-2200v1 router’s management port, then investigated the anomalous behavior.

The traffic was TLS-encrypted, so the researchers focused on the router and investigate the presence of security weaknesses that can be exploited by threat actors.

Microsoft identified three vulnerabilities, tracked as PSV-2020-0363, PSV-2020-0364 and PSV-2020-0365 by Netgear, and reported them to the vendor that fixed them ans released a security advisory.

“In our research, we unpacked the router firmware and found three vulnerabilities that can be reliably exploited.” reads the advisory published by Microsoft. “The critical security issues (those with CVSS Score: 7.1 – 9.4) have been fixed by NETGEAR.”

An attacker can exploit the flaws to bypass authentication for the router’s management pages and take over the router

This kind of attack scenario is very dangerous for organizations because it can lead to the compromise of a network allowing threat actors to breach the target’s infrastructure.

The experts downloaded the firmware for the device from Netgear’s website and noticed that the anomalous communication used the standard port that HTTPd server.

The archive available on the website is a .zip file containing release notes (.html) and the firmware image itself (.chk file). Running binwalk on the .chk file ended up extracting the filesystem (squash-fs).

Researchers performed a static analysis of the HTTPd binary and dynamic analysis using the QEMU emulator.

The analysis revealed that the pages that were served without authentication include some “pseudo code” as the first page handling code inside HTTPd, automatically approving certain pages such as “form.css“ or “func.js.”

“While there is no harm in approving those pages, one thing that stood out was the fact that NETGEAR decided to use strstr to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL.” Microsoft continues.

“We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like “?.gif”). For example: hxxps://10[.]0[.]138/WAN_wan.htm?pic.gif. This is a complete and fully reliable authentication bypass.”

Experts also discovered that it was possible to discover router credentials using a side-channel attack.

They also used the first authentication-bypass vulnerability to recover the user name and password used by the router using other existing weaknesses.

The experts focused on the router’s configuration backup\restore feature and abusing the authentication bypass the got the file: hxxp://router_addr:8080/NETGEAR_DGN2200[.]cfg?pic[.]gif.

Reverse-engineering the backup\restore functionality the researchers reached their goal.

“After some preparatory steps, the contents are DES-encrypted with a constant key “NtgrBak”. This allows an attacker to get the plaintext password (which is stored in the encrypted NVRAM) remotely. The user name, which can very well be variations of ‘admin’, can be retrieved the same way.” concludes Microsoft.

“With this research, we have shown how a simple anomalous connection to a router, found through the endpoint discovery service, drove us to find several vulnerabilities on a popular router. Routers are integral to networking, so it is important to secure the programs supporting its functions.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]