A major vulnerability in several Netgear routers allowed remote attackers to commit command injection attacks on...
these devices. The attacks involved tricking victims using Netgear routers into visiting a malicious link -- but how can a bad link infect the actual router? How does this command injection attack work?
A security researcher took advantage of a major vulnerability in several high-end Netgear routers to show how command injection attacks were possible on the R8000, R7000 and R6400 models, as well as others.
The vulnerability involved how these routers implemented web servers, and it allowed users to inject commands into the devices without any authentication or authorization. Victims could be lured into clicking a malicious link on highly privileged commands. The link infected their routers in varying degrees; the malicious link first infected a client device, and then spread to the router to which the device was connected. The worst possible scenario enabled shred command injections into the HTML source of a webpage.
Upon execution, this command deletes all of the files in the server. With no files to work with, the router stops functioning. Another injection favorite of attackers is the "killall" command, which is used to terminate all processes. Victims will likely discover too late that their router is no longer able to receive incoming commands from the web server or to send outgoing commands to the server.
The Netgear vulnerability was patched soon after the exploit was made public, and Netgear released beta firmware updates for the affected routers. US-CERT also issued a temporary fix to allow users to continue the use of their routers in case the firmware didn't update properly.
An ethical hacker could exploit the vulnerability by issuing a "safe" command that halts all incoming commands from the router's web server. For example, you could inject in the web address "http://[router-address/cgi-bin/;killall$IFS'httpd'." The router address is the local IP address assigned to your router. The killall command terminates only the processes associated with the HTTP daemon that runs in the background of a web server and waits for the incoming server requests. You would need to reboot the router for the fix to take effect. This would enable you to send outgoing server requests.
You can also create a link to "ethical" command injections in the HTML source of a webpage to save time typing in the web address.
Read more on securing remote admin service for wireless routers
Find out how to address the Equation Group vulnerabilities
Discover the best ways to mitigate wireless router security issues
Dig Deeper on Wireless network security
Related Q&A from Judith Myerson
Multiple Border Gateway Protocol vulnerabilities were found impacting security in the Quagga routing software. Expert Judith Myerson explains how ... Continue Reading
A previously disclosed flaw found in Broadcom's Wi-Fi controller chips is now believed to affect the Lenovo ThinkPad. Learn how this vulnerability ... Continue Reading
ICS-CERT issued a warning about a new vulnerability in Nortek Linear eMerge E3 products. Discover what this vulnerability is and how it affects ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.