![]() ![]() The rather unique “PNPX_GetShareFolderList” string makes searching for the same vulnerability across the firmware of different devices easier. ZDI-20-1451 was the more apparent of the two vulnerabilities when inspected in the researcher’s decompiled code. However, goto statements, de Morgan’s Law, and lack of variable names can often obscure the logic of vulnerabilities in decompiled code. When approached from the black box RE side, what you see is what the CPU sees. Naturally, the anonymous researcher chose to take advantage of the no_check_passwd_paths array that is not wrapped in any preprocessor directive to proceed with exploitation. Writing a script to look for the vulnerable source code pattern of ZDI-20-1176 is therefore a more reliable way to find exploitable firmware when working with GPL source code. In fact, this code was indeed not compiled into the firmware for the NETGEAR R6120 wireless router. It is possible that the vulnerable code is not compiled into the final firmware. When approached from the white box side, it is hard to tell if the PNPX directive was defined at compile time. The vulnerable code for ZDI-20-1451 is wrapped within an #ifdef PNPX preprocessor directive. ![]() The following snippet shows how the no_check_passwd_paths array of strings is defined: When set to 0, the authentication will be skipped. The need_auth variable does exactly what it advertises. If either of the conditions are met, the need_auth variable is set to 0. The if-statement also checks if the path variable contains the substring “PNPX_GetShareFolderList”. This is defined at line 409 with path_exists() (defined in sc_util.c). Things become interesting starting from line 2106, where the multi-condition if-statement first checks if the path matches one of the strings in array no_check_passwd_paths. The rest of the request line is stored in the variable named path at line 1611 and the function continues to process the request path and the request. The handle_request() function then proceeds to use strpbrk() to separate the HTTP request method from the request line. ![]() The function first initializes some variables and proceeds to read in the request line of an HTTP request from the socket at line 1608 using the helper function get_request_line(). The vulnerabilities reside in the code bolted on by NETGEAR and therefore do not affect the upstream open-source web server. If you also want to poke around, you can find the firmware from the vendor website.īased on the firmware source code, we can tell the webserver is based on version 1.24 of the mini_httpd open-source project. In this blog post, we’ll analyze GPL firmware version 1.0.0.72 of the NETGEAR R6120 router. These two vulnerabilities can be understood in the most straightforward fashion by analyzing the GPL release of the firmware provided by NETGEAR. Thanks to the requirements of the GNU General Public License (GPL), NETGEAR has published the source code of their firmware. Because of this, it is interesting to compare and contrast how these researchers approached the same problem and to speculate how they reached the final goal of a viable exploit through different paths. However, the two researchers identified the same vulnerabilities in two different groups of routers, and each researcher exploited the vulnerabilities differently. Both of the vulnerabilities share a similar root cause and are located very closely to one another. These vulnerabilities were discovered by an anonymous researcher and the researcher known as 1sd3d (Viettel Cyber Security) respectively. Both of the vulnerabilities resided in the mini_httpd webserver. Last year, we disclosed two authentication bypass vulnerabilities, ZDI-20-1176 (ZDI-CAN-10754) and ZDI-20-1451 (ZDI-CAN-11355), affecting multiple NETGEAR products. ![]()
0 Comments
Leave a Reply. |