Some versions of Netgear routers remain vulnerable to arbitrary command injection

Pierluigi Paganini December 13, 2016

A security flaw was discovered in some NetGear routers that could be easily exploited by a remote attacker to gain root access on the device and remotely run code.

Some versions of Netgear routers remain affected by a security flaw that could be exploited by hackers to gain root access on the device and remotely run code. On Friday, a researcher who used the online moniker AceW0rm released a proof-of-concept code exploit because Netgear hasn’t replied to his ethical disclosure.

AceW0rm privately disclosed the flaw to Netgear in August but he did not receive any response from the company.

In a first time, security experts warned of serious security issues in two Netgear routers, the Netgear R7000 and R6400 routers but the situation is worst.

Netgear now as publicly admitted the vulnerability and informed its customer that it is aware of the issue.

“NETGEAR is aware of the security issue #582384 that allows unauthenticated web pages to pass form input directly to the command-line interface. A remote attacker can potentially inject arbitrary commands which are then executed by the system.” reads the Security Advisory for VU 582384 published by Netgear.

The company informed its customers that the following products are vulnerable:

  • R6250
  • R6400
  • R6700
  • R7000
  • R7100LG
  • R7300
  • R7900
  • R8000

The routers belong to Netgear’s Nighthawk line of home routers.

The CERT/CC at the Software Engineering Institute at Carnegie Mellon University published an advisory to confirm that the vulnerability is quite easy to exploit and suggested to discontinue the use of the routers waiting for a patch.

“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.” reads the advisory published by the CERT.

The exploitation of the flaw is quite simple, attackers just need victims info into visiting a website that contains specially crafted malicious code to trigger the vulnerability.

“Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability.” reads the advisory issued by the CERT/CC.”By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request.

The advisory states that in order to exploit the flaw, the victim could visit a website like:

http://<router_IP>/cgi-bin/;COMMAND

then the malicious commands would execute automatically with root privileges.

Netgear R7000 and R6400 routers

Waiting for a fix, users have a unique option, disable the web server running on the vulnerable routers until the device is restarted by using the following command:

http://<router_IP>/cgi-bin/;killall$IFS'httpd'

This command will disable the router’s web administration until the device is restarted, the advisory published by the CERT invites users to read Bas’ Blog for more details.

In order to verify if you are vulnerable open your browser and visit the following address:

http://[router-address]/cgi-bin/;uname$IFS-a
(For most people, this URL will work: http://www.routerlogin.net/cgi-bin/;uname$IFS-a)
 If a web page appears you’re vulnerable.

Another simple method to verify if you are running a vulnerable router is to follow the procedure described in the Kalypto Pink’s blog post.

UPDATE December 13, 2016

“NETGEAR is offering this beta firmware release as a temporary solution, but NETGEAR strongly recommends that all users download the production version of the firmware release as soon as it is available.” states the advisory from NETGEAR .

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Netgear R7000 and R6400 routers, IoT)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment