Netgear Authentication Bypass Allows Router Takeover!

Microsoft researchers discovered the firmware flaws in the DGN-2200v1 series router that can enable authentication bypass to take over devices & access stored credentials.

Netgear has patched 3 bugs in one of its router families that, if exploited, can allow threat players to bypass authentication to breach corporate networks & steal data and credentials.

Device Fingerprinting

Microsoft security researchers found the bugs in Netgear DGN-2200v1 series routers while they were researching device fingerprinting, Microsoft 365 Defender research team’s Jonathan Bar Or stated in a blog post, posted Wed.

“We noticed a very odd behaviour: A device owned by a non-IT personnel was trying to access a Netgear DGN-2200v1 router’s management port,” researchers wrote.

Researchers investigated & eventually identified the vulnerabilities, tracked as PSV-2020-0363, PSV-2020-0364 & PSV-2020-0365 by Netgear (CVEs were not issued), & which range in CVSS rating from high (7.4) to critical (9.4). They reported their discovery to Netgear, which has released a security advisory patching the flaws.

Management Pages

An attacker can exploit the flaws to breach a router’s management pages without having to log in, & take over the router, as well as use a cryptographic side-channel attack to acquire the router’s saved credentials, Bar wrote.

Full exploitation of the vulnerabilities “can compromise a network’s security — opening the gates for attackers to roam untethered through an entire organisation,” he wrote.

Static Analysis

Researchers downloaded the firmware for the device in question from Netgear’s website to explore why there was a random device trying to connect with the router’s management port.

They observed that the anomalous communication used the standard port that HTTPd serves, so they chose to focus there to see where the problem might lie.

Researchers performed a static analysis of the HTTPd binary & dynamic analysis by running QEMU, an open-source emulator, among other tests to explore the issue, they stated.

Eventually, while examining how HTTPd dictates which pages should be served without authentication, they found some “pseudo code” as the 1st page handling code inside HTTPd, automatically approving certain pages such as “form.css“ or “func.js.”

Access Any Page

This in & of itself would not be a problem, Bar wrote, except “Netgear decided to use ‘strstr‘ to check if a page has .JPG, .GIF or ‘ess_’ substrings, trying to match the entire URL,” he explained.

This meant that researchers could access any page on the device, including those requiring authentication, “by appending a GET variable with the relevant substring (like ‘?.GIF”),” he wrote.

Bar used the example “hxxps://10[.]0[.]138/WAN_wan.htm?pic.gif” to demonstrate how researchers achieved “a complete & fully reliable authentication bypass.” In this way, researchers achieved “complete control over the router,” he outlined.

Exploring Router Authentication

Researchers decided to dive even deeper to see how the authentication was implemented, finding that router credentials also could be gained using a side-channel attack, they observed.

Moreover, they went on to use the 1st authentication-bypass vulnerability to see if they could recover the username & password used by the router by another existing weakness, focusing on the device’s backup & restore feature. By reverse-engineering the functionality, they found that they could, Bar wrote.

“After some preparatory steps, the contents are DES-encrypted with a constant key ‘NtgrBak,’” he wrote. “This allows an attacker to get the plaintext password (which is stored in the encrypted NVRAM) remotely. The user-name, which can very well be variations of ‘admin,’ can be retrieved the same way.”

Endpoint Discovery Service

“With this research, we have shown how a simple anomalous connection to a router, found through the endpoint discovery service, drove us to find several vulnerabilities on a popular router,” Bar wrote in the post.

“Routers are integral to networking, so it is important to secure the programs supporting its functions.”

Authentication Flaws

The vulnerabilities are not the 1st time Netgear routers have had authentication flaws, allowing attackers to use them as an entry point into the wider network.

About a year ago researchers discovered an unpatched zero-day vulnerability in firmware that put 79 Netgear device models at risk for full takeover. Moreover, the company chose to leave 45 of those models unpatched because they were outdated or had reached their end of life.

https://www.cybernewsgroup.co.uk/virtual-conference-july-2021/