VerSprite Finds Vulnerability in NETGEAR Nighthawk WiFi Router
NETGEAR Router’s Networking Software, QUAGGA, Leaves Users Vulnerable to Attack
VerSprite’s Security Research team found a vulnerability within NETGEAR’s Nighthawk WiFi Router line. This vulnerability is considered high-risk and should be patched using the instructions on the vendor’s website.
NETGEAR Vulnerability Analysis
VerSprite’s VS-Labs Security Research team found a High-Risk vulnerability affecting NETGEAR Nighthawk 4-Stream Dual-Band WiFi 6 Router (Models RAX35, RAX38, RAX40), that could leave consumer’s data unprotected against attacks via the Local Area Network (LAN). NETGEAR is a computer networking company that produces networking hardware for consumers and businesses worldwide. This means their vast attack surface has the potential to leave an untold number of consumers exposed. Notably, as of May 19, 2021, NETGEAR released a set of security updates. The latest available firmware for the NETGEAR Nighthawk line is 184.108.40.206 and can be downloaded directly from the NETGEAR website.
VS-Labs researchers found this vulnerability within a default configuration file of the third-party networking software, QUAGGA, that is utilized by the ZEBRA daemon. The default configuration uses an automatically generated password (zebra) for authentication to the privileged ZEBRA daemon via local port “2601” over telnet. Attackers who abuse the vulnerability can chain the vulnerability of initial access to another vulnerability within the actual ZEBRA daemon to achieve a controlled read of any file on the device.
Throughout this vulnerability analysis report, you will see the VS-Labs Security Research team’s analysis on how they uncovered the NETGEAR vulnerability within the privileged third-party networking suite, QUAGGA. This is a high-risk vulnerability that give attackers the ability to leak consumer data and potentially control network routing information from the Local Area Network (LAN). If you or your organization use these routers, use the instructions and link in the Conclusion section to get the patch.
QUAGGA and ZEBRA Daemon Analysis
At its core, QUAGGA is a network routing software suite that supports many different protocols such as OSPF, RIP, and BGP. QUAGGA is utilized to modify, change, and add new interface/routing table configurations to a device. Access to these core functions is what makes QUAGGA enticing to a malicious actor.
Within QUAGGA, the ZEBRA daemon is an appealing attack surface because the daemon exposes an active telnet session via port
2601. This telnet session is wrapped within a VTY shell, where attackers have a large array of potential abuse cases.
Along with exposing an active telnet session, ZEBRA maintains a configuration file that is normally located on disk at the fold location,
/etc/quagga/zebra.conf. This file is the configuration file that is feed into the ZEBRA daemon, and it also holds information such as the password for authentication to the ZEBRA telnet port exposed on port
2601. An example of the contents within a ZEBRA configuration file is below.
ZEBRA Configuration Password Example [email protected]:~/squashfs-root$ cat ./etc/quagga/zebra.conf password zebra
Examining the QUAGGA and ZEBRA Daemon Vulnerability in NETGEAR’s Nighthawk
VS-Labs researchers performed a simple port scan of a network and looked at all connected devices and see if any ports such as
2601are exposed. If this port is exposed, an attacker can use the normal “telnet” command to establish a telnet session to the ZEBRA daemon and is outlined in the column below.Initial ZEBRA Prompt [email protected]:/mnt/c/Users/VS-Labs$ telnet 10.0.0.1 2601 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. Hello, this is Quagga (version 0.99.20). Copyright 1996-2005 Kunihiro Ishiguro, et al. User Access Verification Password: example&amp;amp;amp;gt; [email protected]:/mnt/c/Users/VS-Labs$ telnet 10.0.0.1 2601 Trying 10.0.0.1... Connected to 10.0.0.1. Escape character is '^]'. Hello, this is Quagga (version 0.99.20). Copyright 1996-2005 Kunihiro Ishiguro, et al. User Access Verification Password: example&amp;amp;amp;gt;
Using the information outlined in the previous section, our research team discovered that the default password of
zebracould be located within an embedded device ZEBRA daemon configuration file. Using
zebrapresented a new terminal where the key
?will print out information about potential commands for our disposal.Default ZEBRA Terminal Commands Hello, this is Quagga (version 0.99.20). Copyright 1996-2005 Kunihiro Ishiguro, et al. User Access Verification Password: example&amp;amp;amp;gt; echo Echo a message back to the vty enable Turn on privileged mode command exit Exit current mode and down to previous mode help Description of the interactive help system list Print command list quit Exit current mode and down to previous mode show Show running system information terminal Set terminal line parameters who Display who is on vty example&amp;amp;amp;gt;
Enabling Privileged Mode Command on NETGEAR’s Nighthawk Router
When reviewing the default commands exposed upon authentication into the
ZEBRAtelnet session, a single command stands out the most. This command is
enable, and our research team found it interesting because it enables
privileged mode command.
When this command is executed, the terminal changes from a
>to a “#” character and a new list of commands are presented. These commands are included in the table below.Privileged mode; enabled example&amp;amp;amp;gt; enable example # clear Reset functions configure Configuration from vty interface copy Copy configuration debug Debugging functions (see also 'undebug') disable Turn off privileged mode command echo Echo a message back to the vty end End current mode and change to enable mode. exit Exit current mode and down to previous mode help Description of the interactive help system list Print command list logmsg Send a message to enabled logging destinations no Negate a command or set its defaults quit Exit current mode and down to previous mode show Show running system information terminal Set terminal line parameters who Display who is on vty write Write running configuration to memory, network, or terminal example #
When reviewing the new commands and the associated help text next to them, the
configurecommand was appealing to our researchers. They explored this option by entering the
configurecommand by itself. However, they were presented with the error below.Command Error: Configure example# configure % Command incomplete.
To fix this, our research team placed a
?key after they typed out
configure. This will tell the terminal to provide the available sub options for the command.
In this event, our team was presented with the
terminalsub option. Through entering
configure terminalin the terminal, the
configoption is selected, and new commands were presented. A variety of commands such as
bannerare available .
bannercommand is the most relevant command in scope for this blog post because an our team can abuse this command for a primitive when it comes to attacking embedded devices that use QUAGGA.
When reviewing the detailed information next to the
bannercommand, our research team needed to specify a specific type of banner string to be presented to the user in some manner. When navigating to this command and enumerating the sub options, the research team found an exposed sub option,
Exposing the MOTD
bannercommand exposes the sub option
motd, which is responsible for displaying the
Stringsfor the message of the day (motd). When enumerating this sub option, two more sub options are found, and they are either
file. When going through this process, the
filesub option looked more promising to our researchers as they could provide a
Banner from a fileto be displayed as the
motd. With their full command now entered, though could then provide a final
?key at the end and the terminal will display the syntax for executing this command, as seen in the table below.Setting /etc/passwd as the motd file RAX35(config)# banner motd file /etc/passwd RAX35(config)# exit
At this point, our researchers know they can modify the
motdusing any potential file on the device (if the ZEBRA daemon has permissions to read said file). Similarly, this is where things should start clicking as an attacker.
The entire idea behind the
motdis to provide a banner string to any user who tries to connect to the ZEBRA telnet session that is active on port 2601. An attacker who gets access to the ZEBRA telnet session could leak sensitive information from the device via this simple, yet subtle, bug in QUAGGA.
Finding the NETGEAR Vulnerability
Next is applying the knowledge gathered regarding QUAAGA’s ZEBRA daemon and the potential abuse case for the
banner motd filecommand to the NETGEAR Nighthawk Wifi Router line, Models RAX35, RAX38, and RAX40.
The VerSprite VS-Labs Research team found the initial discovery by performing a common port scan using
nmap. After discovering the open ports, initial research led to online resources describing what
ZEBRAwas and how to connect to the daemon via telnet. Our team found the configuration file located within
/etc/quagga/zebra.confby reading the documentation online.
Since they were looking at an embedded device, VS-Labs decided to pull down the latest online firmware and use
binwalkto extract the file system. After extracting the file system, they navigated to the ZEBRA configuration file and looked at the assigned password. As predicted, it was
Proof of Concept
The following table and screenshot demonstrate this vulnerability within QUAGGA’s ZEBRA
banner motd filecommand component and read the coveted
/etc/passwdfile from the device.
The image above shows the output of passing
banner motd filecommand, where it is clearly visible that upon connecting to the ZEBRA daemon, via port 2601, the contents of the
/etc/passwdfile are displayed to the attacker.
Conclusions and Patches
In today’s world, there is a continuous push for internet connectivity for consumers around the globe. Due to this demand, it is imperative for companies to ensure their devices are secure to protect the growing population using their products.
As shown by our researcher exploiting this vulnerability, using default passwords for privileged daemons, that are accessible via the LAN, can put consumers at risk. These privileged daemons provide attackers immense capabilities, such as being able to potentially control consumer traffic, rerouting them to malicious servers, or the power to read any file on the device, potentially harvesting consumers private information.
To combat these attacks, VerSprite’s VS-Labs Security Research team recommends consumers continuously monitor updates for their external internet-facing devices and apply them when necessary. This will help protect consumers from attacks where the initial foothold into a network is the router. If you use the Nighthawk router (Models RAX35, RAX38, RAX40), download the latest firmware version 220.127.116.11 directly from the NETGEAR website. If you think your network may have been compromised, contact our team to help at [email protected].
VerSprite Security Research Team
Maintain awareness regarding unknown threats to your products, technologies, and enterprise networks. Organizations that are willing to take the next step in proactively securing their flagship product or environment can leverage our zero-day vulnerability research offering. Our subscription-based capability provides your organization with immediate access to zero-day vulnerabilities affecting products and software. Learn More →
View our security advisories detailing vulnerabilities found in major products for MacOs, Windows, Android, and iOS.