A major vulnerability in several Netgear routers allowed remote attackers to commit command injection attacks on...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
these devices. The attacks involved tricking victims using Netgear routers into visiting a malicious link -- but how can a bad link infect the actual router? How does this command injection attack work?
A security researcher took advantage of a major vulnerability in several high-end Netgear routers to show how command injection attacks were possible on the R8000, R7000 and R6400 models, as well as others.
The vulnerability involved how these routers implemented web servers, and it allowed users to inject commands into the devices without any authentication or authorization. Victims could be lured into clicking a malicious link on highly privileged commands. The link infected their routers in varying degrees; the malicious link first infected a client device, and then spread to the router to which the device was connected. The worst possible scenario enabled shred command injections into the HTML source of a webpage.
Upon execution, this command deletes all of the files in the server. With no files to work with, the router stops functioning. Another injection favorite of attackers is the "killall" command, which is used to terminate all processes. Victims will likely discover too late that their router is no longer able to receive incoming commands from the web server or to send outgoing commands to the server.
The Netgear vulnerability was patched soon after the exploit was made public, and Netgear released beta firmware updates for the affected routers. US-CERT also issued a temporary fix to allow users to continue the use of their routers in case the firmware didn't update properly.
An ethical hacker could exploit the vulnerability by issuing a "safe" command that halts all incoming commands from the router's web server. For example, you could inject in the web address "http://[router-address/cgi-bin/;killall$IFS'httpd'." The router address is the local IP address assigned to your router. The killall command terminates only the processes associated with the HTTP daemon that runs in the background of a web server and waits for the incoming server requests. You would need to reboot the router for the fix to take effect. This would enable you to send outgoing server requests.
You can also create a link to "ethical" command injections in the HTML source of a webpage to save time typing in the web address.
Read more on securing remote admin service for wireless routers
Find out how to address the Equation Group vulnerabilities
Discover the best ways to mitigate wireless router security issues
Dig Deeper on Wireless network security
Related Q&A from Judith Myerson
A patch was issued for the Dirty COW vulnerability, but researchers later discovered problems with the patch. Expert Judith Myerson explains what ...continue reading
Getting firewall settings right is one of the most basic ways to protect enterprise data from accidental exposures. Expert Judith Myerson discusses ...continue reading
Expert Judith Myerson explains how IP theft can happen despite the cryptographic protections in IEEE standard P1735, as well as what can be done to ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.