US-CERT's top tip: Hack your crap Netgear router before miscreants arrive

Command-injection hole can only be closed by killing web server – or the whole thing

A frustrated woman

Owners of three models of Netgear routers are being advised to exploit a security hole in their broadband boxes to, er, temporarily close said hole. The alternative is to switch off the boxes until a firmware update lands.

Netgear says that the R6400, R7000, and R8000 series routers are all vulnerable to CVE-2016-582384, a command-injection bug that is trivial to exploit: you simply have to trick someone on the router's local network into opening a booby-trapped webpage. We're told R7500, R7800, R8500 and R9000 models are also at-risk.

An attacker could direct a victim to a malicious website that abuses the design flaw, or malware on the network could connect to the vulnerable box and exploit the vulnerability directly. The end result is countless routers potentially being silently meddled with or infected and hijacked.

Due to a major bug in the way the routers' builtin HTTP server parses requests, you can inject commands into a box by fetching the following URL:

http://<router_IP>/cgi-bin/;COMMAND

The web server code executes the given command string effectively as the root user; the underlying operating system is BusyBox Linux. So, for example, if one of the affected models is usually on the local IP address 192.168.0.1, then the following HTML embedded in a webpage will force a reboot when someone on the LAN visits that page – effectively creating a denial-of-service:

<img src="http://192.168.0.1/cgi-bin/;reboot" alt="">

US-CERT says an exploit targeting the flaw has already been publicly disclosed. The security team's advisory explains:

Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted website, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers.

"Exploiting this vulnerability is trivial," the security bods caution. "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available."

Administrators, meanwhile, are less than thrilled with Netgear for its security miscue.

Security researcher Acew0rm was credited with discovering and disclosing the flaw over the weekend, as well as developing the proof-of-concept exploit. We're told Ace warned Netgear about this issue months ago but seemingly nothing was done about it.

While Netgear says it is still working on a firmware fix for the flaw, US-CERT says the hole can be closed by disabling the router's web server feature with the following URL:

http://<router_IP>/cgi-bin/;killall$IFS'httpd'

That request, which exploits the vulnerability itself, disables the builtin HTTP server that is used to administer the device. In other words, customers are being urged to lightly hack their own boxes before an attacker can exploit it for nefarious ends.

US-CERT notes that after executing the command, users will be unable to manage or control the router via the HTTP server until the box is rebooted or power cycled. A software fix is needed from Netgear to permanently squash the bug.

"We appreciate and value having security concerns brought to our attention. Netgear constantly monitors for both known and unknown threats," Netgear said in its alert.

"Being pro-active rather than re-active to emerging security issues is fundamental for product support at Netgear." ®


Biting the hand that feeds IT © 1998–2017