Exploiting the Netgear Nighthawk RAX30 – Embedded Computing Design
September 18, 2023
Claroty’s Team 82 set out to compromise the Netgear Nighthawk RAX30 router. What they found is that, once the router is exploited, an attacker can monitor your activity, intercept your communications, redirect you to malicious websites, or plant malware in your environment. With all of the gathered information, it wasn’t long before the team found a vulnerability that was easy to find but difficult to exploit.
Image credit: Claroty Team 82
The vulnerability was found in a SOAP serving process listening on port 5000, a service that handles SOAP messages for the device within the attached LAN. According to Team 82, “The vulnerability we found was a stack-based buffer overflow. Exploiting this class of vulnerabilities is usually trivial when there is no stack protection.”
Routers use stack canaries, which help defend against buffer overflow attacks. A canary is a small value placed on the stack so that an overwrite can be detected before the function returns. If the canary has been corrupted, the program must terminate itself to prevent any further damage. Getting past a canary therefore comes down to one of three approaches:
- Find another vulnerability that leaks the canary value from memory
- Brute-force the canary (only possible in specific cases)
- Overflow the canary “logically”: do something useful with the overflow before the canary is checked
The team chose the “logical” bypass of the canaries. The dedicated server, “soap_serverd”, runs on ports 5000 (HTTP) and 5043 (HTTPS) and acts as a SOAP-based API for router functions. If the API is compromised, a malicious actor may be able to tamper with the integrity of system data.
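The stack-based buffer overflows described here are the classic case of attacker-controlled SOAP request data being copied into a fixed-size buffer without a length check first. The following is an added example (not Team 82’s or NETGEAR’s code) of the defensive pattern: a bounded parser for a hypothetical SOAPAction header that rejects an oversized value before any copy happens, so the stack canary is never the last line of defence. The header name, buffer size and sample requests are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define ACTION_MAX 64   /* fixed-size destination, like a stack buffer in a handler */
enum { PARSE_OK = 0, PARSE_NO_HEADER = -1, PARSE_TOO_LONG = -2 };   /* result codes */

/* Locate the SOAPAction header in a raw request and copy its value into a
 * fixed-size buffer. The length is checked BEFORE the copy, so an oversized
 * value is rejected up front instead of overrunning the buffer, which a stack
 * canary would only catch after the overwrite has already happened. */
int parse_soap_action(const char *request, char *out, size_t outsz)
{
    static const char key[] = "SOAPAction: ";
    const char *start = strstr(request, key);
    if (start == NULL)
        return PARSE_NO_HEADER;
    start += sizeof key - 1;                 /* skip the header name */
    const char *end = strpbrk(start, "\r\n");
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outsz)                        /* leave room for the NUL terminator */
        return PARSE_TOO_LONG;
    memcpy(out, start, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Parse a request and report only the result code. */
int check_request(const char *request)
{
    char action[ACTION_MAX];
    return parse_soap_action(request, action, sizeof action);
}

/* Parse a request and compare the extracted action with `expected` (1 = match). */
int action_matches(const char *request, const char *expected)
{
    char action[ACTION_MAX];
    if (parse_soap_action(request, action, sizeof action) != PARSE_OK)
        return 0;
    return strcmp(action, expected) == 0;
}
int main(void)
{
    /* Constructed sample requests; the action URN is a placeholder, not the router's. */
    const char *good = "POST /soap/ HTTP/1.1\r\nSOAPAction: urn:example:GetInfo\r\n\r\n";
    const char *bad = "SOAPAction: "   /* 64-byte value: one byte more than fits */
        "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA";
    printf("good: %d, oversized: %d\n", check_request(good), check_request(bad));
    return 0;
}
```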
The main user of the server is the NETGEAR Nighthawk app for iOS and Android. Team 82 uncovered over 180 server vulnerabilities, categorized into different classes including:
- User options
- Device information
- Wireless network configuration
- System configuration
- Parental monitoring
The following CVEs are most effective when used in combination; chained correctly, they enable pre-authentication remote code execution.
- CVE-2023-27357: NETGEAR RAX30 GetInfo missing authentication information disclosure vulnerability
- CVE-2023-27368: NETGEAR RAX30 soap_serverd stack-based buffer overflow vulnerability
- CVE-2023-27369: NETGEAR RAX30 soap_serverd stack-based buffer overflow vulnerability
- CVE-2023-27370: soap_serverd authentication bypass used to reset the admin password
- CVE-2023-27367: Authentication bypass to RCE using magic telnet and Command Engine