Risk is minimal, unclear if manufacturer will roll out patch

Apr 23, 2015 18:05 GMT  ·  By

A researcher discovered a set of vulnerabilities in NETGEAR’s WNR2000v4 router model that could be leveraged by an internal attacker to execute arbitrary code and point the victim to a malicious website.

According to the researcher, who calls himself “endeavor” and has never hacked a router before, NETGEAR was contacted on April 14 and a reply confirming the flaws came about a week later.

The answer was accompanied by a note saying that the attack can be executed from the LAN, which should eliminate the risk if the device is secured with a proper password and the answers to the security questions are not easy to guess.

The chain of exploits includes reflected cross-site scripting (XSS), abuse of the password recovery feature, and a command injection glitch.

Expired router becomes the beginner hacker's playground

An exploit is available, the researcher says, but it has not been published, as NETGEAR is allegedly working to fix the problem.

In the presentation of the flaw, the researcher says that the attacker has to get the malicious code to run on the web page of the router's administration console and execute JavaScript there.

Getting the authentication credentials requires the serial number of the device, which again can be obtained from the LAN, and providing the correct answers to the security questions.

“Submitting a correct serial number will set a flag. Submitting correct security questions will set a second flag. Once both flags are set and passwordrecovered.cgi is fetched the auth credentials will be returned,” endeavor writes in the advisory.

The command injection vulnerability requires retrieving a CSRF token that is called “timestamp,” which can be obtained through guessing, although, with authentication credentials in hand, there is no need for this type of effort.
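The recovery flow described above (two independent flags, then credentials on request) and the guessable "timestamp" CSRF token are the two design points a defender would want to see done differently. The following Python is an added, constructed model of a hardened version and is not code from the article, the researcher or NETGEAR: both checks are bound to one short-lived random session, failed submissions are counted and lock the session, the credentials can be read only once, and every request must carry a 256-bit CSRF token compared in constant time. The serial number, security answers, credentials, limits and the class and method names are all assumptions made up for the example; only the name passwordrecovered.cgi comes from the article.

```python
"""Constructed model of a hardened router password-recovery flow (example only)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

MAX_ATTEMPTS = 5            # assumption: lock the session after this many wrong submissions
SESSION_TTL_SECONDS = 300   # assumption: a recovery session is abandoned after five minutes


@dataclass
class RecoverySession:
    csrf_token: str          # random per session, unlike a timestamp-derived token
    created: float
    serial_ok: bool = False
    answers_ok: bool = False
    failures: int = 0
    locked: bool = False


class RecoveryService:
    """Server side of a password-recovery feature, modelled for illustration."""

    def __init__(self, serial, answers, credentials):
        self._serial = serial.encode()
        self._answers = [a.strip().lower().encode() for a in answers]
        self._credentials = credentials
        self.sessions = {}

    def start(self, now=None):
        """Open a recovery session; returns (session id, CSRF token), both 256-bit random."""
        sid = secrets.token_urlsafe(32)
        token = secrets.token_urlsafe(32)
        created = now if now is not None else time.time()
        self.sessions[sid] = RecoverySession(csrf_token=token, created=created)
        return sid, token

    def _session(self, sid, csrf_token, now=None) -> Optional[RecoverySession]:
        """Return the session only if it exists, is unexpired, unlocked and the CSRF token matches."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        current = now if now is not None else time.time()
        if current - s.created > SESSION_TTL_SECONDS:
            del self.sessions[sid]          # stale flags never survive to a later fetch
            return None
        if s.locked or not hmac.compare_digest(s.csrf_token.encode(), csrf_token.encode()):
            return None
        return s

    def _record(self, s, ok):
        """Count a failed check and lock the session once the budget is spent."""
        if not ok:
            s.failures += 1
            if s.failures >= MAX_ATTEMPTS:
                s.locked = True
        return ok

    def submit_serial(self, sid, csrf_token, serial, now=None):
        s = self._session(sid, csrf_token, now)
        if s is None:
            return False
        s.serial_ok = self._record(s, hmac.compare_digest(serial.encode(), self._serial))
        return s.serial_ok

    def submit_answers(self, sid, csrf_token, answers, now=None):
        s = self._session(sid, csrf_token, now)
        if s is None:
            return False
        given = [a.strip().lower().encode() for a in answers]
        # compare every answer (no short-circuit) so a wrong first answer is not cheaper to test
        results = [hmac.compare_digest(g, e) for g, e in zip(given, self._answers)]
        ok = len(given) == len(self._answers) and all(results)
        s.answers_ok = self._record(s, ok)
        return s.answers_ok

    def fetch_credentials(self, sid, csrf_token, now=None):
        """Equivalent of passwordrecovered.cgi: credentials only when both checks passed in this session, read once."""
        s = self._session(sid, csrf_token, now)
        if s is None or not (s.serial_ok and s.answers_ok):
            return None
        del self.sessions[sid]              # one-time read; a second fetch gets nothing
        return self._credentials


if __name__ == "__main__":
    # constructed sample values
    svc = RecoveryService("SERIAL-EXAMPLE-0001", ["Rex", "Springfield"], ("admin", "constructed-pw"))
    sid, tok = svc.start()
    print("serial accepted:", svc.submit_serial(sid, tok, "SERIAL-EXAMPLE-0001"))
    print("answers accepted:", svc.submit_answers(sid, tok, ["rex", "Springfield "]))
    print("credentials:", svc.fetch_credentials(sid, tok))
    print("second fetch:", svc.fetch_credentials(sid, tok))
```

The point of the model is that neither flag can be set outside a session that already holds an unguessable token, the two flags cannot be collected separately and combined later, and a handful of wrong guesses ends the session rather than leaving it open for enumeration.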

Compromising the NETGEAR router this way is not an approach to be embraced by cybercriminals, since the attacker has to be able to access the internal network. More than this, protecting against such an attack is a simple matter of properly securing the device with a strong password and enabling security questions for the password recovery feature.

Given the low risk the attack presents, NETGEAR is very likely not to rush to plug the holes, or it might never try to. It is also important to note that the device has reached end of life.

[UPDATE, April 24]: Endeavor, whose real name is Alex Eubanks, contacted us to offer more details about the vulnerabilities he discovered.

He says that NETGEAR’s assessment downplays the importance of the flaws and that attacks can be carried out from a remote location, by tricking the victim to access a malicious website that deploys the exploit chain.

The attack starts with leveraging an unauthenticated, stored XSS in the web server built into the router, which allows running the exploit with the same origin as the device’s web-based administration page.

Since most users do not enable password recovery for the router, there are no security questions set up, and the perpetrator can obtain the login credentials more easily; enabling password recovery based on answers to security questions would bring the attack to a halt.

His tests have been conducted on a WNR2000v4 device, but the firmware used was for WNR2000v5 routers, which are still supported by NETGEAR. Given this detail, the researcher believes that the manufacturer would release a patch in the coming weeks.

This was Eubanks’ first try at hacking router firmware, but his background includes experience with unpacking and analyzing assembly code, which helped find the glitches and build an exploit in six days, the researcher tells us.