Hacking the Netgear R6020
CVE Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41383
1. Getting the Firmware
Firmware for this router can be found at https://www.netgear.com/support/product/R6020.aspx#download
The version analyzed in this post is 1.0.0.48.
2. Extracting the Root Filesystem
Use binwalk to extract the firmware. The download is a zip archive containing an .img, which in turn contains a .bin, so three passes are needed before the root filesystem is reachable.
j-o-e-l-s@machine:~/Downloads$ binwalk -e R6020_V1.0.0.48.zip
j-o-e-l-s@machine:~/Downloads$ cd _R6020_V1.0.0.48.zip.extracted
j-o-e-l-s@machine:~/Downloads/_R6020_V1.0.0.48.zip.extracted$ binwalk -e R6020_V1.0.0.48.img
j-o-e-l-s@machine:~/Downloads/_R6020_V1.0.0.48.zip.extracted$ cd _R6020_V1.0.0.48.img.extracted/
j-o-e-l-s@machine:~/Downloads/_R6020_V1.0.0.48.zip.extracted/_R6020_V1.0.0.48.img.extracted$ binwalk -e R6020.bin
We can now look at the root filesystem files.
j-o-e-l-s@machine:~/Downloads/_R6020_V1.0.0.48.zip.extracted/_R6020_V1.0.0.48.img.extracted/_R6020.bin.extracted/squashfs-root$ ls
bin dev etc_ro init media proc sys usr www
data etc home lib mnt sbin tmp var www.eng
3. Identifying Files of Interest
This router uses .cgi binaries to handle web requests and input sanitization, so each of these files is a candidate for analysis.
j-o-e-l-s@machine:~/squashfs-root$ find -name "*.cgi*"
./usr/etc/htpwd_recovery.cgi
./usr/etc/restore_config.cgi
./usr/etc/upgrade_stringTbl.cgi
./usr/etc/upgrade_flash.cgi
./usr/etc/setup.cgi
./usr/sbin/htpwd_recovery.cgi
./usr/sbin/restore_config.cgi
./usr/sbin/upgrade_flash.cgi
./usr/sbin/setupwizard.cgi
./usr/sbin/setup.cgi
setup.cgi will be the main file of interest.
4. Finding a Vulnerability in the Web App
There are several places for the user to enter input.

The NTP server setting in particular can be exploited to inject shell commands.
Let's take a look at what happens when we try to set the NTP server.
Using Burp Suite to intercept the request, we can see what happens when the Apply button is clicked.

A POST request is made to setup.cgi with the following variables in the body.
| POST body variable | Description |
|---|---|
| ntp_server= | The NTP server hostname; its value is controlled by the user |
| todo=save | todo selects the function that setup.cgi executes |
| this_file=FW_ntp.htm | this_file is checked inside the save function of setup.cgi |
5. Analyzing setup.cgi
In this POST request, todo=save corresponds to the save function in setup.cgi.

Within this function, ntp_server is saved to non-volatile RAM (NVRAM).

There is also a check for this_file=FW_ntp.htm which, when it matches, calls system() with /usr/sbin/rc ntp restart.

Since /usr/sbin/rc ntp restart is executed, /usr/sbin/rc is the next file to look at.
6. Analyzing rc
Within the main function of /usr/sbin/rc, the string /usr/sbin/rc_app/rc_ntp restart is written to /var/cmd_a.

This results in the execution of /usr/sbin/rc_app/rc_ntp restart.

rc_ntp is a symbolic link to rc_apps, so that is the next file to analyze.
7. Analyzing rc_apps
Within the main function of rc_apps, argv[0] is parsed for the substring after the last '/'.
In this case rc_ntp is parsed from /usr/sbin/rc_app/rc_ntp. This value is then compared, with strcmp, against a list of key/value pairs of the form char *function_name, void *function_ptr.

rc_ntp is found at address 0x4bf098 in the list, and the strcmp condition is satisfied.

Then in the line (*((index << 3) + 0x4bf034))(argc, argv) the handler for rc_ntp is called: each table entry is 8 bytes (a name pointer followed by a function pointer), so index << 3 selects the entry and 0x4bf034 is the address of the first entry's function pointer.
Now we need to analyze rc_ntp within rc_apps.
8. Analyzing rc_ntp in rc_apps
Within rc_ntp, argv[1] is checked against start, stop and restart.
Since argv[1] is restart, stop_ntp and then start_ntp are called.

Within start_ntp, the value of ntp_server is retrieved from NVRAM (we control this value with the POST request).
This value is formatted into the command string /usr/sbin/netgear_ntp -h %s& through the %s specifier and the result is passed to system(), with no sanitization of the hostname.

This is where we can perform the command injection: any shell metacharacters in ntp_server are interpreted by the shell that system() spawns.
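To make the chain in sections 7 and 8 concrete, here is an added model of it in C. This is not Netgear's code: the table contents, the function names and the simulated NVRAM value are assumptions for illustration. It reproduces the argv[0] basename lookup in a name/function-pointer table, the rc_ntp handler's start/stop/restart check, and the start_ntp sink that formats the hostname into /usr/sbin/netgear_ntp -h %s& (returned as a string here instead of being passed to system()). It also adds a hardened check, ntp_host_is_safe, that accepts only RFC 1123 hostname characters, which is the validation the real binary lacks.

```c
/* Added example modelling rc_apps dispatch and the start_ntp command sink.
 * Not Netgear's code; names, table contents and the NVRAM value are assumed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Simulated NVRAM: this is what the POST body's ntp_server value becomes. */
static const char *fake_nvram_ntp_server = "pool.ntp.org";

/* Vulnerable sink: the hostname is formatted straight into a shell command
 * line. Returns the string the real binary would hand to system(). */
const char *ntp_cmd_for(const char *host)
{
    static char cmd[512];
    snprintf(cmd, sizeof cmd, "/usr/sbin/netgear_ntp -h %s&", host);
    return cmd;
}

/* Hardened check: accept only letters, digits, '-' and '.', up to 253 chars.
 * Anything the shell could interpret (&, ;, |, $, spaces, quotes) is rejected. */
int ntp_host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return 0;
    }
    return 1;
}

typedef int (*rc_fn)(int argc, char **argv);

static int rc_ntp(int argc, char **argv);
static int rc_other(int argc, char **argv) { (void)argc; (void)argv; return 0; }

/* Name/function-pointer table like the one rc_apps walks with strcmp.
 * On the 32-bit target each entry is 8 bytes, hence the index << 3 in rc_apps. */
static const struct { const char *name; rc_fn fn; } rc_table[] = {
    { "rc_dhcp", rc_other },
    { "rc_ntp",  rc_ntp   },
    { "rc_wan",  rc_other },
};

/* argv[0] handling: keep the text after the last '/' and look it up. */
int dispatch_index(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    const char *name = slash ? slash + 1 : argv0;
    for (size_t i = 0; i < sizeof rc_table / sizeof rc_table[0]; i++)
        if (strcmp(rc_table[i].name, name) == 0) return (int)i;
    return -1;
}

/* start_ntp as described: read ntp_server from NVRAM, build the command.
 * The real binary calls system() here; we only print what it would run. */
static int start_ntp(void)
{
    const char *cmd = ntp_cmd_for(fake_nvram_ntp_server);
    printf("would run: %s\n", cmd);
    return 0;
}

static int rc_ntp(int argc, char **argv)
{
    if (argc < 2) return -1;
    if (strcmp(argv[1], "start") == 0)   return start_ntp();
    if (strcmp(argv[1], "stop") == 0)    return 0;             /* stop_ntp() */
    if (strcmp(argv[1], "restart") == 0) return start_ntp();   /* stop_ntp() then start_ntp() */
    return -1;
}

/* The (*table[index])(argc, argv) call from rc_apps main. */
int run_rc(int argc, char **argv)
{
    int idx = dispatch_index(argv[0]);
    if (idx < 0) return -1;
    return rc_table[idx].fn(argc, argv);
}

int main(void)
{
    char a0[] = "/usr/sbin/rc_app/rc_ntp", a1[] = "restart";
    char *argv[] = { a0, a1, NULL };
    run_rc(2, argv);
    /* What the injected value from the next section turns into: */
    printf("injected: %s\n", ntp_cmd_for("& echo hello"));
    printf("safe? %d\n", ntp_host_is_safe("& echo hello"));
    return 0;
}
```

With ntp_server set to `& echo hello` the sink produces `/usr/sbin/netgear_ntp -h & echo hello&`, which the shell runs as two background jobs, and `ntp_host_is_safe` rejects it while still accepting an ordinary hostname. Validating the value before it is written to NVRAM, or passing it as a separate argv entry via fork/execv rather than through system(), would close this path.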
9. Injecting Shell Commands
Now, using Burp Suite, we can inject our own shell commands through the ntp_server value.
In this case I'll inject & echo hello.

This is the serial output from the router when the command is executed.

So we can now execute arbitrary shell commands on the router remotely through the web interface.