
NETGEAR Bug Bounty

Lays
May 20, 2017

A heartwarming little story that happened in Japan

Transcript

1. First Try
   • Download Firmware
   • binwalk to extract squash filesystem
   • Grab some cgi from /www to feed
   • Pwn it and profit!

2. First Try
   • Download Firmware
   • binwalk to extract squash filesystem
   • Grab some cgi from /www to feed
   • Pwn it and profit!

3. /usr/sbin/net-cgi
   • Found a command injection!
   • But it's also filtered out…
   • Only alphanumeric allowed

4. /usr/sbin/net-cgi
   • Found another buffer overflow!
   • Keeps reading until space / tab / new line
   • But it's just an overflow on a global variable…

5. /usr/sbin/net-cgi
   • So now command injection works
   • No space / tab available? Use ${IFS}
   • http://[ip]/FW_log.htm?%20timestamp=[A*504];sleep${IFS}10;

6. Exploit
   • Write to stdout didn't work :(
   • Write output to a file and copy it to webroot
   • Access the output file
   • curl http://[ip]/FW_log.htm?%20timestamp=[A*504];[cmd]|tee${IFS}/www/out.js;

7. Nighthawk X8
   • Nothing interesting in cgi files either
   • Different HTTP server from X4S
   • Most cgi requests handled by httpd

8. /usr/sbin/httpd
   • It's boring on a plane… so I found a stack overflow
   • A strcpy from QUERY_STRING
   • How do we get here?

9. Stack overflow
   • Triggered if url starts with /shares
   • But we could only access /shares from LAN

10. Stack overflow
   • Triggered if url starts with /shares
   • But we could only access /shares from LAN… really?

11. Stack overflow
   • The check is only strncmp with "GET /shares"
   • Bypass by sending "HEAD /shares" or something like "XXXX /shares"

12. Stack overflow
   • So now we can crash the HTTP server
   • Let's try to control PC!

13. Control the PC
   • No url decode
   • curl / requests don't support unprintable url
   • But it's https… send raw https requests

14. Now let's see if we've controlled the PC
   • dmesg doesn't work :(
   • Found some useful gadgets: system("echo Kernel crash >> /tmp/info.txt")
   • Read /tmp/info.txt to check if PC is controlled

15. Exploit
   • Stack overflow caused by strcpy
   • We can only use one gadget
   • It's not CTF, system("/bin/sh") doesn't work
   • We need some magic gadgets!

16. Exploit
   • Combined the above 2 bugs
   • We can bypass auth and execute commands with root privilege!
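The LAN-only check on slide 11 fails because it compares the whole request line as one string, so only the literal "GET /shares" prefix is matched and any other method token reaches the /shares handler unchecked. The following is an added illustration, not code from the deck or from NETGEAR's httpd: a hypothetical reconstruction of that check beside a hardened version that parses the method and path separately, whitelists the method, and matches the path on a token boundary (all function and type names are assumed).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical routing decision: which requests must be limited to the LAN. */
typedef enum { ROUTE_PUBLIC, ROUTE_LAN_ONLY, ROUTE_REJECT } route_t;

/* Reconstruction of the check described on slide 11 (hypothetical code):
 * the request line is compared as a single string, so the restriction only
 * applies when the method is exactly "GET". */
route_t route_vulnerable(const char *req)
{
    if (strncmp(req, "GET /shares", 11) == 0)
        return ROUTE_LAN_ONLY;
    return ROUTE_PUBLIC;
}

/* Hardened version: tokenize, reject unknown methods, and decide on the path
 * alone so the method token can no longer influence the access rule. */
route_t route_fixed(const char *req)
{
    static const char *known[] = { "GET", "HEAD", "POST" };
    const char *sp = strchr(req, ' ');
    if (sp == NULL || sp == req)
        return ROUTE_REJECT;              /* no method token: fail closed */

    size_t mlen = (size_t)(sp - req);
    bool method_ok = false;
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strlen(known[i]) == mlen && strncmp(req, known[i], mlen) == 0)
            method_ok = true;
    if (!method_ok)
        return ROUTE_REJECT;              /* "XXXX /shares" is dropped here */

    const char *path = sp + 1;
    if (*path != '/')
        return ROUTE_REJECT;

    /* Prefix match with a boundary check, so "/sharesfoo" is not treated
     * as "/shares" while "/shares", "/shares/x" and "/shares?q" are. */
    if (strncmp(path, "/shares", 7) == 0 &&
        (path[7] == '\0' || path[7] == '/' || path[7] == '?' || path[7] == ' '))
        return ROUTE_LAN_ONLY;
    return ROUTE_PUBLIC;
}
```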