Vulnerability in Netgear and other home Routers - Beyond.ca - Car Forums

Thread: Vulnerability in Netgear and other home Routers

  1. #1
    Join Date
    Sep 2008
    Location
    Edmonton, AB
    Posts
    259
    Rep Power
    16

    Default Vulnerability in Netgear and other home Routers

    Vulnerability Prompts Warning: Stop Using Netgear WiFi Routers

    "By convincing a user to visit a specially crafted web site, a remote attacker may execute arbitrary commands with root privileges on affected routers," warns a new vulnerability notice from Carnegie Mellon University's CERT. ...
    Security Advisory for VU 582384, PSV-2016-0245
    NETGEAR is aware of the security issue #582384 that allows unauthenticated web pages to pass form input directly to the command-line interface. A remote attacker can potentially inject arbitrary commands which are then executed by the system.

    NETGEAR has tested the following products and confirmed that they are vulnerable: All products followed by a single asterisk (*) have beta firmware fixes available. All products followed by three asterisks (***) have production firmware fixes available.

    R6250* R6400*** R6700* R6900* R7000*** R7100LG* R7300DST* R7900* R8000*** D6220* D6400*
    The D7000 was previously included in a list of models that were affected by this security vulnerability. However, NETGEAR has tested and confirmed that the D7000 is not affected by this command injection vulnerability.
    R7000 Nighthawk is pretty popular here... prod fix firmware came out yesterday.
    Originally posted by Xtrema
    ZenOps is like everyone's crazy uncle.
    Originally posted by DayGlow
    How do you respond to stupid?
    Originally posted by rage2
    Jesus fucking christ Rob Anders, learn to read your own links.
    Originally posted by Seth1968
    Zenops: Ok, but remember my dick is made of nickel.

  2. #2
    Join Date
    Jun 2002
    Location
    Calgary, AB
    Posts
    1,991
    Rep Power
    30

    Default

    Thanks for the share.

  3. #3
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101

    Default

    http://arstechnica.com/security/2016...isement-blitz/

    Another router attack. This one affects not just Netgear, tons of brands are affected. If you have a default or weak password on your router, it's also vulnerable. The shitty thing about this one is that it's served through legitimate ad networks, so no user intervention is necessary to get exploited.

    Upgrade your firmwares, set a strong password, and cross your fingers.

    Once your DNS is hijacked, the attackers can easily spoof legitimate services on the other end to phish your credentials. Serious business.
    Originally posted by SEANBANERJEE
    I have gone above and beyond what I should rightfully have to do to protect my good name

  4. #4
    Join Date
    Sep 2004
    Location
    Calgary
    Posts
    10,406
    Rep Power
    35

    Default

    Good reminder thread - it's amazing how many people don't even know their routers have firmware, let alone to go looking for updates. I check every couple days or so and thankfully am up to date.

  5. #5
    Join Date
    Jan 2004
    Location
    Calgary, Alberta
    My Ride
    Bicycle
    Posts
    9,279
    Rep Power
    49

    Default

    Originally posted by rage2
    http://arstechnica.com/security/2016...isement-blitz/

    Another router attack. This one affects not just Netgear, tons of brands are affected. If you have a default or weak password on your router, it's also vulnerable. The shitty thing about this one is that it's served through legitimate ad networks, so no user intervention is necessary to get exploited.

    Upgrade your firmwares, set a strong password, and cross your fingers.

    Once your DNS is hijacked, the attackers can easily spoof legitimate services on the other end to phish your credentials. Serious business.
    This is one of the reasons why I run my own DNS with its forwarder to 8.8.8.8.

    I never trust the one on router or Shaw.

  6. #6
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101

    Default

    Originally posted by Xtrema
    This is one of the reasons why I run my own DNS with its forwarder to 8.8.8.8.

    I never trust the one on router or Shaw.
    That won't make a difference. You would still be vulnerable. It's forcing your clients to use their DNS server, multiple ways of doing that. Easy way is to just push their DNS server IPs through DHCP. More difficult and impossible to bypass way is to filter all DNS requests and proxy it to their servers. So even if you point to 8.8.8.8 or your own server which makes requests through 8.8.8.8 or uses root hints to figure things out, it'll still be going to their attack DNS server without your knowledge.

    What I'm interested in knowing is how the hell are they stuffing code in image metadata and having the browser execute it. Surely that should be a vulnerability that needs to be closed.

  7. #7
    Join Date
    Apr 2004
    Location
    Calgary
    Posts
    2,093
    Rep Power
    44

    Default

    Originally posted by rage2

    That won't make a difference. You would still be vulnerable. It's forcing your clients to use their DNS server, multiple ways of doing that. Easy way is to just push their DNS server IPs through DHCP. More difficult and impossible to bypass way is to filter all DNS requests and proxy it to their servers. So even if you point to 8.8.8.8 or your own server which makes requests through 8.8.8.8 or uses root hints to figure things out, it'll still be going to their attack DNS server without your knowledge.

    What I'm interested in knowing is how the hell are they stuffing code in image metadata and having the browser execute it. Surely that should be a vulnerability that needs to be closed.
    Couldn't you enter your own DNS server into the OS settings instead of getting it from router/ISP DHCP? I think you can set Windows up to get IP from DHCP while setting your own DNS servers.

  8. #8
    Join Date
    Jan 2006
    Location
    Calgary
    My Ride
    Axis powers
    Posts
    2,486
    Rep Power
    24

    Default

    Originally posted by sabad66

    Couldn't you enter your own DNS server into the OS settings instead of getting it from router/ISP DHCP? I think you can set Windows up to get IP from DHCP while setting your own DNS servers.
    DNS is a protocol, not just a number you program into a device. By forcing all DNS traffic to a certain server, it doesn't matter how your settings are configured.

  9. #9
    Join Date
    Jun 2003
    Location
    Alaska
    My Ride
    Model S
    Posts
    2,034
    Rep Power
    26

    Default

    Originally posted by rage2

    What I'm interested in knowing is how the hell are they stuffing code in image metadata and having the browser execute it. Surely that should be a vulnerability that needs to be closed.
    They aren't, bad reporting.

    The problem is that most ad networks have this fucked up idea that advertisers should be allowed to upload HTML/JS ads. So attackers buy malicious ads, and the JS that they supply is now running in your browser when you visit a legitimate site with ads on it.

    In this case, to make sure that their malicious JS didn't get detected by the ad network's laughably weak filters that try to detect shady looking scripts, they obfuscate it and put the bad JavaScript into PNG metadata, and ship a stub JS snippet that parses that out of a PNG also delivered on the page, then just loads and executes it as a new script on the fly. So if you just look/scan at the JS, you don't see the malicious part.

    The payload that it pulls out just uses your browser to start sending requests to known or probable router IPs like 192.168.1.1 and use default login/passwords, command injection, or CSRF to change your settings. They made a list of 200 or so routers and attacks for them and it just tries to find one that works.

    The worse ones use a JS browser exploit or Flash exploit directly, followed by a kernel exploit to elevate privileges, then ransomware your PC.

    So as far as the conventional wisdom goes regarding not visiting shady websites and your browser is safe, that's out the window. It doesn't matter what kind of sites you visit anymore, as long as you hit a site with ads that are delivered as JavaScript, you're at risk.
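
For the filter side of what post #9 describes, an added example (not from the thread or from any ad network's tooling) of a scanner that reads the text metadata out of a PNG instead of only looking at the accompanying JS. It assumes "PNG metadata" means the standard tEXt, zTXt and iTXt chunks; the token list and size threshold are illustrative assumptions, and the sample image is constructed.

```python
import re, struct, zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
BIG_TEXT = 1024   # assumed threshold: text metadata larger than this is unusual
SCRIPT_HINTS = re.compile(rb"eval\s*\(|fromCharCode|atob\s*\(|<script|XMLHttpRequest", re.I)

def chunks(data):
    """Yield (type, body) for every chunk in a PNG byte string."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack("!I4s", data[pos:pos + 8])
        yield ctype, data[pos + 8:pos + 8 + length]
        pos += 12 + length                      # length + type + body + CRC

def text_of(ctype, body):
    """Return the text of a tEXt/zTXt/iTXt chunk, inflating it when compressed."""
    rest = body.partition(b"\x00")[2]           # drop the keyword
    compressed = ctype == b"zTXt"
    if ctype == b"zTXt":
        rest = rest[1:]                         # skip compression-method byte
    elif ctype == b"iTXt":
        compressed = rest[:1] == b"\x01"        # compression flag
        rest = rest[2:].split(b"\x00", 2)[-1]   # skip method, language tag, translated keyword
    if compressed:
        try:                                    # bounded inflate: never expand past 1 MiB
            rest = zlib.decompressobj().decompress(rest, 1 << 20)
        except zlib.error:
            pass                                # keep raw bytes; the size check still applies
    return rest

def scan_png(data):
    """Return [(chunk_type, text_length, reason)] for text metadata worth a closer look."""
    findings = []
    for ctype, body in chunks(data):
        if ctype in (b"tEXt", b"zTXt", b"iTXt"):
            text = text_of(ctype, body)
            if SCRIPT_HINTS.search(text):
                findings.append((ctype.decode(), len(text), "script-like tokens"))
            elif len(text) > BIG_TEXT:
                findings.append((ctype.decode(), len(text), "oversized text"))
    return findings

def _chunk(ctype, body):                        # builds chunks for the constructed sample
    return struct.pack("!I", len(body)) + ctype + body + struct.pack("!I", zlib.crc32(ctype + body))
# Constructed sample: 1x1 PNG with one ordinary and one script-bearing text chunk.
SAMPLE = (PNG_SIG + _chunk(b"IHDR", struct.pack("!IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + _chunk(b"tEXt", b"Software\x00ExampleEditor 1.0")
          + _chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"eval(atob('Y29uc3RydWN0ZWQ='))"))
          + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
```

`scan_png(SAMPLE)` reports only the compressed comment chunk. Obfuscated payloads that avoid the listed tokens still tend to trip the size check, which is why both tests are kept.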

  10. #10
    Join Date
    May 2008
    Location
    Wildflower Ranch
    My Ride
    Neo-Liberal Anarchist Mobile
    Posts
    2,245
    Rep Power
    38

    Default

    Thanks for the post. I was not aware of this and own one of the affected routers.
    Originally posted by 89coupe
    Beyond, bunch of creme puffs on this board.
    Everything I say is satire.

  11. #11
    Join Date
    Jan 1970
    Location
    YYC
    My Ride
    1 x E Class Benz
    Posts
    23,609
    Rep Power
    101

    Default

    Thanks googe. Perfect explanation. Wish I had more time these days to research the actual details.

    So really the only solution is to sandbox the browser completely. I guess it makes sense why MS is moving Edge into its own VM to isolate things even more, at the expense of usability.
