Unauthenticated Remote Code Execution


SECURITY ADVISORY
Netgear WNR2000v5
UNAUTHENTICATED REMOTE CODE EXECUTION
MAXIME PETERLIN
23/05/2017
CVE-2017-6862

Security Advisory CVE-2017-6862

1. SUMMARY

1.1. CONTEXT

The WNR2000v5 is a SOHO router from Netgear. A web-based administration interface allows users to easily configure most of the router's parameters.

1.2. PRODUCTS AND FIRMWARES AFFECTED

Affected devices:
- Netgear WNR2000v5
- Netgear WNR2000v4
- Netgear WNR2000v3
- R2000

Affected firmware versions:
- V1.0.0.34
- Potentially versions prior to 1.0.0.34, but tests have not been conducted on these ones.

1.3. DESCRIPTION

A vulnerable parameter in the web administration interface allows attackers to inject and execute arbitrary code without authentication.

1.4. IMPACT

By default, the web administration interface can only be accessed from the local network, which limits the impact. However, a user could change the router's corresponding parameter and make it accessible from the WAN.

If an attacker has access to the router's web administration interface, he can take full control of the vulnerable device in a fast and reliable way. A successful exploitation could allow modification and monitoring of the traffic passing through the router. Users of the vulnerable routers could be spied on, have their credentials stolen, etc.

At the end of 2016, according to Shodan, there were more than 10,000 vulnerable devices directly accessible from the Internet. The number of devices only accessible from the LAN is unknown.

1.5. MITIGATIONS

Update the router to the newest firmware version (1.0.0.42 as of March 2017).

23/05/2017 2/6

1.6. DISCLOSURE TIMELINE

DATE         EVENT
16/12/2016   First contact with the Netgear Security Team.
             Acknowledgement from Netgear.
             Security advisory sent to Netgear for review.
             Security advisory reviewed by Netgear.
             Security advisory

2. TECHNICAL DETAILS

2.1. VULNERABILITY DETAILS

Figure 1 - The "timestamp" parameter

These routers let users access certain pages without authentication, such as unauth.cgi. One of the GET parameters processed by these pages, timestamp, allows unauthenticated users to exploit a buffer overflow and then execute arbitrary code on the device remotely.

Figure 2 - Use of strcpy for the "timestamp" parameter

This parameter is copied into the BSS segment with the function strcpy without any check on its size. It is thus possible to overwrite the addresses in the .got segment to redirect the execution of the process. Every process runs as root, therefore no privilege escalation is required to take full control of the router.

2.2. PROOF OF CONCEPT

The following Python command can be used to trigger the buffer overflow:

python -c "print 'GET /unauth.cgi?timestamp=' + 'A'*6700 + '\r\nHost: 192.168.0.1\r\n\r\n'"

Figure 3 - Crash of the web server caused by a segmentation fault

Figure 4 - State of the registers at the moment of the segmentation fault

Code execution is indeed possible, but the sources for the proof of concept will not be disclosed by ON-X.

Figure 5 - Remote code execution
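The unsafe copy described in section 2.1, placed beside a bounded and validated replacement, as an added example that is not code from the advisory or from the Netgear firmware. The buffer size, the function names and the assumption that a valid timestamp is a short decimal string are all mine, not taken from the device.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the advisory does not state the real one. */
#define TS_BUF_LEN 32

/* A static buffer lives in .bss, like the destination the advisory describes. */
static char g_timestamp[TS_BUF_LEN];

/* Vulnerable pattern (section 2.1): strcpy copies the query value with no
 * bound, so a long value runs past g_timestamp into whatever the linker
 * placed after it in .bss (GOT entries, in the advisory's case). */
void handle_timestamp_unsafe(const char *value)
{
    strcpy(g_timestamp, value);
}

/* Hardened replacement: validate the value before it touches the buffer.
 * Returns 0 on success, -1 if the value is empty, too long or not all digits. */
int handle_timestamp_safe(const char *value)
{
    size_t len = 0;
    /* Bounded scan: stop at the buffer size instead of trusting strlen(). */
    while (len < TS_BUF_LEN && value[len] != '\0')
        len++;
    if (len == 0 || len >= TS_BUF_LEN)
        return -1;                  /* would not fit with its terminator */
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)value[i]))
            return -1;              /* a timestamp is a decimal string */
    memcpy(g_timestamp, value, len);
    g_timestamp[len] = '\0';
    return 0;
}

const char *current_timestamp(void)
{
    return g_timestamp;
}

int main(void)
{
    /* Constructed inputs: a plausible value and a 6700-byte run like the PoC's. */
    static char oversized[6701];
    memset(oversized, 'A', sizeof(oversized) - 1);
    printf("valid:     %d\n", handle_timestamp_safe("1494512345"));
    printf("oversized: %d\n", handle_timestamp_safe(oversized));
    return 0;
}
```

The oversized request is rejected before any byte is written, which is the check the strcpy call in the firmware lacks.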

3. REFERENCES

- NETGEAR, Security Advisory for Unauthenticated Remote Code Execution on Some Routers, tion-on-Some-Routers-PSV-2016-0261
- MITRE, cgi?name=CVE-2017-6862

