NETGEAR Bug Bounty

Transcript

1. Lays @ HITCON CTF Team / 2017. May

2. 故事是這樣 der

3. SECCON CTF in Japan 2017 年年初

4. CTF 就不說了了 ⼤大家都比我懂

5. ⼤大老遠跑來來⽇日本 好像該做點有意義的事

6. 於是我們買了了⽜牛排來來煎。

7. 飽暖思淫慾 難得⼤大家都在⽇日本 有⼈人提議 ⼀一起來來挖洞洞洞洞(?)吧

8. 組隊玩 Bug Bounty 或許可以有些新思路路

9. NETGEAR on bugcrowd

10. None
11. None

12. Target 1 Nighthawk X4S

13. First Try • Download Firmware • binwalk to extract squash

    filesystem • Grab some cgi from /www to feed • Pwn it and profit !

14. First Try • Download Firmware • binwalk to extract squash

    filesystem • Grab some cgi from /www to feed • Pwn it and profit !

15. Preauth CGIs? Only two are real cgi …

16. RMT_invite.cgi It calls another binary: proccgi … and It’s open

    sourced !

17. proccgi from 1997 A bigger attack surface? we just got

    nothing…

18. Second Try • the HTTP Server • Pwn it and

    profit !

19. /usr/sbin/uhttpd • It’s open sourced too ! • Call net-cgi

    to process cgi requests

20. /usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),

    dynamically linked Only NX enabled

21. /usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),

    dynamically linked Only NX enabled

22. /usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),

    dynamically linked Only NX enabled

23. /usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),

    dynamically linked Only NX enabled

24. /usr/sbin/net-cgi ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),

    dynamically linked Only NX enabled

25. /usr/sbin/net-cgi • Found a command injection ! • device_uuid is

    created from User-Agent and IP Address

26. /usr/sbin/net-cgi • Found a command injection ! • But it’s

    also filtered out… • Only alphanumeric allowed

27. /usr/sbin/net-cgi • Found another buffer overflow ! • Keep reading

    until space / tab / new line • But it’s just an overflow on global variable …

28. /usr/sbin/net-cgi • Exploit chain ! • Overwrite device_uuid in .bss

    after filtered

29. /usr/sbin/net-cgi • So now command injection works • No space

    / tab available? use ${IFS} http://[ip]/FW_log.htm?/ %20timestamp=[A*504];sleep${IFS}10;

30. But how do we test our exploit…?

31. PChome 24h ! but we’re in Japan…

32. None

33. Exploit • Write to stdout didn’t work : ( •

    Write output to a file and copy it to webroot • Access the output file curl http://[ip]/FW_log.htm?%20timestamp= [A * 504];[cmd]|tee${IFS}/www/out.js;

34. Report • NETGEAR told me it’s duplicated after 2 weeks

    (╯‵□′)╯︵ ┴─┴

35. Target 2 Nighthawk X8 (比我們在⽇日本煎的⽜牛排還貴)

36. Nighthawk X8 • Nothing interesting in cgi files too •

    Different HTTP Server from X4S • Most of cgi requests handled by httpd

37. /usr/sbin/httpd ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV),

    dynamically linked Only NX enabled

38. /usr/sbin/httpd • It’s boring on plane … 
 so I

    found a stack overflow • A strcpy from QUERY_STRING • How do we get here?

39. Stack overflow • Triggered if url starts with /shares •

    But we could only access /shares from LAN

40. Stack overflow • Triggered if url starts with /shares •

    But we could only access /shares from LAN … really ?

41. Stack overflow • The check is only strncmp with 


    “GET /shares” • Bypass by sending “HEAD /shares”
 or something like “XXXX /shares”

42. Stack overflow • So now we can crash the HTTP

    Server • Let’s try to control PC !

43. Control the PC • No url decode • curl /

    requests doesn’t support unprintable url • But it’s https … • Send raw https requests

44. But how do I test my exploit…? Can I have

    a debug environment ?

45. Debug • There’re no ssh / telnet features … •

    We need other ways to debug !

46. So I found another command injection • device_name in lan.cgi

    handler

47. So I found another command injection • device_name in lan.cgi

    handler

48. Now let’s see if we’ve controlled the PC • dmesg

    doesn’t work : ( • Found some useful gadgets system(“echo Kernel crash >> /tmp/info.txt”) • Read /tmp/info.txt to check if PC controlled

49. Now we controlled the PC But where to jump …

    ?

50. Exploit • Stack overflow caused by strcpy • We can

    only use one gadget • It’s not CTF, system(“/bin/sh”) doesn’t work • We need some magic gadgets !

51. So I and found this : acosNvramConfig_set(“http_passwd”, “”); acosNvramConfig_save(); •

    So we can set the login password to empty !

52. After server restarted, we can login without auth

53. Exploit • Combined above 2 bugs • We can bypass

    auth and execute command with root privilege !

54. Report • Got $1500 bounty after 2 months ヽ(✿ﾟ▽ﾟ)ノ

55. Conclusion • 貴的產品不⼀一定安全 • Bug Bounty 對於提升產品安全還是挺有幫助的 • 簡單的洞洞⼈人⼈人能挖，越猥瑣的思路路越不容易易撞 •

    有看有機會，⼤大家沒事就⼀一起來來挖挖吧