Broken, Abandoned, and Forgotten Code: Prologue

A Secret Passage to Persistent SOHO Router Pwnage

Almost two years ago plus a house selling, a cross-country move, a house buying, a job change, and a wedding, I downloaded and unpacked the firmware for Netgear’s then-new R6200 wireless router. This was one of Netgear’s first entries into the nascent 802.11ac market. At around US$200 at the time, this device was at the high end of the Netgear lineup. Finding some cool vulnerabilities in some of the newest, swankiest, consumer WiFi gear would make for a neat paper, or at least a good blog post or two.

Bowcaster Feature: multipart/form-data

Need to reverse engineer or exploit a file upload vulnerability in an embedded web server? I added a multipart/form-data class to Bowcaster to help with that. You can have a look here: https://github.com/zcutlip/bowcaster/blob/master/src/bowcaster/clients/http.py Here’s some background: I’ve been reverse engineering how the Netgear R6200 web server parses a new firmware image when you use the firmware update facility in the web interface. Manually browsing to the router’s web interface, then to the firmware update form, then browsing to a firmware file on disk, then clicking “upload” gets really tedious after a few times.

Patching, Emulating, and Debugging a Netgear Embedded Web Server

Previously I posted about running and remotely debugging a Netgear UPnP daemon using QEMU and IDA Pro. This time we’ll take on the challenge of running the built-in web server from the Netgear R6200 in emulation. The httpd daemon is responsible for so much more than the web interface. This daemon is responsible for a silly amount of system management, including configuring firewall rules, managing the samba and ftp file servers, managing attached USB storage, and many other things.

Remote Debugging with QEMU and IDA Pro

It’s often the case, when analyzing an embedded device’s firmware, that static analysis isn’t enough. You need to actually execute a binary you’re analyzing in order to see how it behaves. In the world of embedded Linux devices, it’s often fairly easy to put a debugger on the target hardware for debugging. However, it’s a lot more convenient if you can run the binary right on your own system and not have to drag hardware around to do your analysis.

Exploit Tunneling and Callback

A few years ago, when I worked for my previous employer, I put together a proof-of-concept that was to be part of a client demo. I thought it was kind of cool, so I recorded a screencast of it in action. I’ve had the video sitting on my laptop ever since, not really sure what to do with it. I finally decided to post it. In the video, what you see is a custom exploit script that exploits a buffer overflow in the web interfaces of several D-Link webcams.

Infiltrate 2014

Here are some additional resources I may have mentioned in my Infiltrate 2014 presentation.

White Paper: SQL Injection to MIPS Overflows - Part Deux
Slides: SQL Injection to MIPS Overflows - Part Deux
Original white paper from Black Hat USA 2012: SQL Injections to MIPS Overflows: Rooting SOHO Routers
Proof of Concept Exploit code: Here’s my Github repository for proof-of-concept exploit code. In it, you’ll find the exploit code for the Netgear WNDR 3700v3 that I demoed at Infiltrate, among a few others.

Emulating and Debugging Workspace

A grad student emailed me in response to my Netgear auth bypass post. He’s working on a research project and wanted to know if I knew of any resources or techniques to use emulation for executing and debugging the net-cgi binary in the Netgear firmware. It turns out I’ve got all the resources to do just that. I replied with a description of my workspace and some links to resources I use, and, in many cases, have developed.

BayThreat 2013 Presentation - Additional Resources

For my presentation at BayThreat, entitled “BT Wireless Routers: Adventures in Reversing and Exploiting”, rather than have one or two or three slides packed with hard-to-read URLs, I included a single slide with a link to this post. Here you’ll find links to additional resources that I may have referenced in my talk.

White paper: Reverse Engineering and Exploiting the BT HomeHub 3.0b (pdf)
Slides: BT Wireless Routers: Adventures in Reversing and Exploiting

Netgear Root Compromise via Command Injection

At the end of my post on the Netgear wndr3700v4’s authentication bugs, I said to expect follow-up posts. Once the web interface is unlocked, any further bugs that normally require authentication become fair game. Well good news, everyone!! Previously, I talked about the net-cgi executable in the wndr3700’s firmware. net-cgi is a multi-call binary, a little like busybox. As such it has a lot of functionality baked in. One of its more interesting functions is called cmd_ping6().

Complete, Persistent Compromise of Netgear Wireless Routers

UPDATE: Turns out, Jacob Holcomb (@rootHak42 on Twitter) of Independent Security Evaluators found this bug back in April on a different device, the WNDR4700. Thanks for letting me know, Jacob. Nice find. Here’s a link to that report.

UPDATE 2: Because there are almost certainly fools who would go hack somebody’s router and say I told them to do it, I added a warning to not do this. DON’T DO IT.