NETGEAR Bug Bounty

Lays @ HITCON CTF Team / 2017. May

故事是這樣 der

SECCON CTF in Japan 2017 年年初

CTF 就不說了了⼤大家都比我懂

⼤大老遠跑來來⽇日本好像該做點有意義的事

於是我們買了了⽜牛排來來煎。

飽暖思淫慾難得⼤大家都在⽇日本有⼈人提議⼀一起來來挖洞洞洞洞(?)吧

組隊玩 Bug Bounty 或許可以有些新思路路

NETGEAR on bugcrowd

Target 1 Nighthawk X4S

First Try • Download Firmware • binwalk to extract squash
ﬁlesystem • Grab some cgi from /www to feed • Pwn it and proﬁt !

Preauth CGIs? Only two are real cgi …

RMT_invite.cgi It calls another binary: proccgi … and It’s open
sourced !

proccgi from 1997 A bigger attack surface? we just got
nothing…

Second Try • the HTTP Server • Pwn it and
proﬁt !

/usr/sbin/uhttpd • It’s open sourced too ! • Call net-cgi
to process cgi requests

/usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled

/usr/sbin/net-cgi • Found a command injection ! • device_uuid is
created from User-Agent and IP Address

/usr/sbin/net-cgi • Found a command injection ! • But it’s
also ﬁltered out… • Only alphanumeric allowed

/usr/sbin/net-cgi • Found another buffer overflow ! • Keep reading
until space / tab / new line • But it’s just an overflow on global variable …

/usr/sbin/net-cgi • Exploit chain ! • Overwrite device_uuid in .bss
after ﬁltered

/usr/sbin/net-cgi • So now command injection works • No space
/ tab available? use ${IFS} http://[ip]/FW_log.htm?/ %20timestamp=[A*504];sleep${IFS}10;

But how do we test our exploit…?

PChome 24h ! but we’re in Japan…

Exploit • Write to stdout didn’t work : ( •
Write output to a ﬁle and copy it to webroot • Access the output ﬁle curl http://[ip]/FW_log.htm?%20timestamp= [A * 504];[cmd]|tee${IFS}/www/out.js;

Report • NETGEAR told me it’s duplicated after 2 weeks
(╯‵□′)╯︵ ┴─┴

Target 2 Nighthawk X8 (比我們在⽇日本煎的⽜牛排還貴)

Nighthawk X8 • Nothing interesting in cgi ﬁles too •
Diﬀerent HTTP Server from X4S • Most of cgi requests handled by httpd

/usr/sbin/httpd ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),
dynamically linked Only NX enabled

/usr/sbin/httpd • It’s boring on plane …   so I
found a stack overﬂow • A strcpy from QUERY_STRING • How do we get here?

Stack overﬂow • Triggered if url starts with /shares •
But we could only access /shares from LAN

Stack overﬂow • Triggered if url starts with /shares •
But we could only access /shares from LAN … really ?

Stack overﬂow • The check is only strncmp with  
“GET /shares” • Bypass by sending “HEAD /shares”  or something like “XXXX /shares”

Stack overﬂow • So now we can crash the HTTP
Server • Let’s try to control PC !

Control the PC • No url decode • curl /
requests doesn’t support unprintable url • But it’s https … • Send raw https requests

But how do I test my exploit…? Can I have
a debug environment ?

Debug • There’re no ssh / telnet features … •
We need other ways to debug !

So I found another command injection • device_name in lan.cgi
handler

Now let’s see if we’ve controlled the PC • dmesg
doesn’t work : ( • Found some useful gadgets system(“echo Kernel crash >> /tmp/info.txt”) • Read /tmp/info.txt to check if PC controlled

Now we controlled the PC But where to jump …
?

Exploit • Stack overﬂow caused by strcpy • We can
only use one gadget • It’s not CTF, system(“/bin/sh”) doesn’t work • We need some magic gadgets !

So I and found this : acosNvramConfig_set(“http_passwd”, “”); acosNvramConfig_save(); •
So we can set the login password to empty !

After server restarted, we can login without auth

Exploit • Combined above 2 bugs • We can bypass
auth and execute command with root privilege !

Report • Got $1500 bounty after 2 months ヽ(✿ﾟ▽ﾟ)ノ

Conclusion • 貴的產品不⼀一定安全 • Bug Bounty 對於提升產品安全還是挺有幫助的 • 簡單的洞洞⼈人⼈人能挖，越猥瑣的思路路越不容易易撞 •
有看有機會，⼤大家沒事就⼀一起來來挖挖吧

NETGEAR Bug Bounty

NETGEAR Bug Bounty

More Decks by Lays

Other Decks in Research

Featured

Transcript