Some versions of Netgear routers remain vulnerable to arbitrary command injection

A security flaw was discovered in some Netgear routers that could be easily exploited by a remote attacker to gain root access on the device and remotely run code.

Some versions of Netgear routers remain affected by a security flaw that could be exploited by hackers to gain root access on the device and remotely run code. On Friday, a researcher who uses the online moniker AceW0rm released proof-of-concept exploit code because Netgear had not replied to his ethical disclosure.

AceW0rm privately disclosed the flaw to Netgear in August, but he did not receive any response from the company.

Initially, security experts warned of serious security issues in two Netgear routers, the R7000 and the R6400, but the situation is worse.

Netgear has now publicly acknowledged the vulnerability and informed its customers that it is aware of the issue.

“NETGEAR is aware of the security issue #582384 that allows unauthenticated web pages to pass form input directly to the command-line interface. A remote attacker can potentially inject arbitrary commands which are then executed by the system.” reads the Security Advisory for VU 582384 published by Netgear.

The company informed its customers that the following products are vulnerable:

  • R6250
  • R6400
  • R6700
  • R7000
  • R7100LG
  • R7300
  • R7900
  • R8000

The routers belong to Netgear’s Nighthawk line of home routers.

The CERT/CC at the Software Engineering Institute at Carnegie Mellon University published an advisory confirming that the vulnerability is quite easy to exploit and suggesting that users stop using the routers until a patch is available.

“Exploiting this vulnerability is trivial. Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available.” reads the advisory published by the CERT.

Exploiting the flaw is quite simple: attackers just need to trick victims into visiting a website that contains specially crafted malicious code to trigger the vulnerability.

“Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.6_1.0.4 and possibly earlier, contain an arbitrary command injection vulnerability,” reads the advisory issued by the CERT/CC. “By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request.”

The advisory states that in order to exploit the flaw, the victim could visit a website like:

http://<router_IP>/cgi-bin/;COMMAND

then the malicious commands would execute automatically with root privileges.

While waiting for a fix, users have only one option: disable the web server running on the vulnerable routers until the device is restarted, by using the following command:

http://<router_IP>/cgi-bin/;killall$IFS'httpd'

This command will disable the router’s web administration until the device is restarted. The advisory published by the CERT invites users to read Bas’ Blog for more details.

To verify whether you are vulnerable, open your browser and visit the following address:

http://[router-address]/cgi-bin/;uname$IFS-a

(For most people, this URL will work: http://www.routerlogin.net/cgi-bin/;uname$IFS-a)

If a web page appears, you’re vulnerable.

Another simple method to verify whether you are running a vulnerable router is to follow the procedure described in Kalypto Pink’s blog post.
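All three URLs above share one shape: the path `/cgi-bin/;` followed by a command in which `$IFS` stands in for a space. The following log-triage sketch is an added example, not code from the advisory or from Netgear; the log format, sample lines and function names are assumptions made for illustration. It flags requests with that shape and labels the two commands this article names.

```python
import re
from urllib.parse import urlsplit, unquote

# Path shape from the advisory: "/cgi-bin/" followed directly by ";" and a command.
INJECTION_PATH = re.compile(r"^/cgi-bin/;(?P<cmd>.+)$")

# The two commands the article itself names; anything else needs a closer look.
KNOWN = {"uname -a": "vulnerability check", "killall httpd": "httpd mitigation"}

# Constructed sample log (timestamp, client, method, URL); not real traffic.
SAMPLE_LOG = """\
2016-12-12T10:01:02 192.168.1.23 GET http://192.168.1.1/index.htm
2016-12-12T10:01:07 192.168.1.23 GET http://192.168.1.1/cgi-bin/;uname$IFS-a
2016-12-12T10:02:44 192.168.1.40 GET http://www.routerlogin.net/cgi-bin/;killall$IFS'httpd'
2016-12-12T10:03:10 192.168.1.40 GET http://192.168.1.1/cgi-bin/;uname%24IFS-a
2016-12-12T10:04:00 192.168.1.23 GET http://example.com/cgi-bin/status;v=1
"""

def extract_command(url):
    """Return the normalised command carried in a /cgi-bin/; URL, else None."""
    match = INJECTION_PATH.match(unquote(urlsplit(url).path))
    if not match:
        return None
    # $IFS (or ${IFS}) is the shell's field separator, used here instead of a space.
    cmd = match.group("cmd").replace("${IFS}", " ").replace("$IFS", " ")
    cmd = cmd.replace("'", "").replace('"', "")
    return " ".join(cmd.split())

def scan(log_text):
    """Return (client, router_host, command, label) for every matching request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, _method, url = fields
        cmd = extract_command(url)
        if cmd is not None:
            label = KNOWN.get(cmd, "unrecognised command")
            hits.append((client, urlsplit(url).hostname, cmd, label))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit, sep=" | ")
```

Any hit labelled "unrecognised command" is a request nobody on the network should be sending to the router and is worth tracing back to the client that issued it.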

UPDATE December 13, 2016

“NETGEAR is offering this beta firmware release as a temporary solution, but NETGEAR strongly recommends that all users download the production version of the firmware release as soon as it is available.” states the advisory from NETGEAR.

Pierluigi Paganini

(Security Affairs – Netgear R7000 and R6400 routers, IoT)
