Automated Repair of Exploits in NETGEAR Router Binary
TeX Common Lisp Shell Emacs Lisp C CSS
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
bin
etc
overlays
pub
src
stuff
.gitignore
DEMO
INSTRUCTIONS
NOTES
README
netgear-repair.asd

README

        Automated Repair of Exploits in NETGEAR Router Binary

NETGEAR's WNDR3700 [1] is a very popular wireless router.  Version 4
of the WNDR3700 contains exploits allowing unauthenticated users to
change administrative options and completely disable authentication
across reboots (see [2] for a full description of the exploits).

We fixed these exploits using a method of automated program repair
which operates directly on binary ELF files and requires no access to
source code [3].  This fix was found before NETGEAR addressed these
exploits---to my knowledge NETGEAR has not yet patched these exploits
in the latest release of the firmware 1.0.1.42 as of 2013-11-19.

The exploits exist in the WNDR3700's web interface.  A single ELF
executable CGI file serves this interface and applies configuration
changes made using the interface to the router.  Using copies of the
NETGEAR firmware running in virtual machines to evaluate the fitness
of candidate repairs, our technique discovered changes to this ELF
file which patch the exploits described in [2].

This repository contains the instructions, code, and tooling used to
develop this repair.  These tools may be used to automatically change
the behavior other binary ELF executables, making it possible to fix
customize and alter binaries executables without any aid from the
software's developer.

An article describing the exploit, the repair technique, its
application, and the repairs found is available at [4] and will appear
in the Genetic Improvement workshop of GECCO 2015 [5].  Please cite
this article using the following bibtex [6].  Step by step
instructions to reproduce this repair are given in INSTRUCTIONS.

Thanks to Zachary Cutlip for help reproducing these exploits in a VM.

Footnotes:
[1]  http://www.netgear.com/home/products/networking/wifi-routers/wndr3700.aspx

[2]  http://shadow-file.blogspot.com/2013/10/complete-persistent-compromise-of.html

[3]  http://cs.unm.edu/~eschulte/data/schulte2013embedded.pdf

[4]  http://eschulte.github.io/netgear-repair/pub/netgear-repair-preprint.pdf

[5]  http://geneticimprovement2015.com/

[6]  @InProceedings{schulte2015netgear,
       author       = {Eric Schulte and Westley Weimer and Stephanie Forrest},
       title        = {Repairing COTS Router Firmware without Access to Source
                       Code or Test Suites: A Case Study in Evolutionary Software
                       Repair},
       booktitle    = {GECCO'15: 2015 Genetic and Evolutionary Computation
                       Conference Companion Proceedings},
       year         = 2015,
       editor       = {William B. Langdon and Justyna Petke and David R. White},
       address      = {Madrid},
       publisher_address = {New York, NY, USA},
       month        = {11-15 July},
       organization = {SIGEvo},
       publisher    = {ACM},
       keywords     = {genetic algorithms, genetic programming, Genetic
                       Improvement},
       notes        = {gismo http://geneticimprovement2015.com/}
     }