Friday, 8 June 2018

Netgear DG834 Router Series Password Bypass temporary patch

The DG834 series are vulnerable to password bypass and several shell command injection exploits. (I did report this to Netgear at least 10 years ago).

If the router is vulnerable, the following URL should display its nvram settings without asking for a password (if you have logged in recently and not logged out, you won't be asked for a password anyway):-

(Sky supplied DG834GT routers with the most recent sky firmware on them aren't vulnerable to the password bypass as they removed the ca directory when they redesigned their UI.)



It seems some people still use these old routers, and router exploit malware is apparently on the rise, so here is a temporary patch to at least address the password bypass vulnerability (tested on a DG834N using the Vivaldi and Internet Explorer browsers, but may work on other models in the range).

If it causes any issues, rebooting the router will get rid of it completely.

http://routerlogin.net/ca/setup.cgi?PATH=/bin:/sbin:/usr/bin:/usr/sbin;mkdir\x20/tmp/w2;cd\x20/tmp/w2;ln\x20-s\x20/www/??????*\x20.;ln\x20-s\x20/www/.*\x20.;killall\x20mini_httpd;mini_httpd\x20-d\x20/tmp/w2\x20-r\x20\x22MEL\x22\x20-c\x20\x27**.cgi\x27\x20-f\x20indexca.htm\x20-t\x20300\x26rm\x20$0&todo=ping_test&next_file=diagping.htm&c4_IPAddr=1%26(/bin/echo%3E/tmp/mel+${QUERY_STRING%25%25%26to*}%26%26/bin/sh+/tmp/mel)+%3E/dev/null+2%3E/dev/null


The router won't send any response, so wait a few seconds for the http server to restart, then log in to the router to make sure the UI is working. Click on the logout link in the router's UI, then try the link at the top of the page to test whether it is still vulnerable; it should now respond with the pink 404 not found page.

There are still a number of shell exploit vulnerabilities in setup.cgi, so always log out after you use the router's web interface. Also, if you are using the default password, change it.

The password issue exists because there is no .htpasswd file in the /www/ca directory; it should be a link to /etc/htpasswd. I think the ca directory is used by the easy setup software supplied with the router.

Building new firmware with .htpasswd in /www.eng/ca/, /www.fre/ca/ etc. should at least fix the password vulnerability.
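As an added example (not part of the original post), here is a small audit script for anyone rebuilding or inspecting firmware: it walks an extracted firmware root and reports every subdirectory under a www* tree that lacks its own .htpasswd while the parent www directory has one, which is exactly the /www/ca condition described above. It assumes the firmware has already been extracted to a directory on disk, that a (possibly dangling) symlink to /etc/htpasswd counts as protected, and the sample tree it builds is constructed for demonstration.

```python
import os
import tempfile
from pathlib import Path


def find_unprotected_dirs(fw_root):
    """Return sorted paths (relative to fw_root) of subdirectories under any
    www* tree whose parent has .htpasswd but which lack one themselves.

    os.path.lexists is used rather than Path.exists so that a symlink to
    /etc/htpasswd still counts as present even though, on the analysis host,
    it dangles (the target lives inside the router's root, not ours)."""
    fw_root = Path(fw_root)
    findings = []
    for www in sorted(fw_root.glob("www*")):
        if not www.is_dir() or not os.path.lexists(www / ".htpasswd"):
            continue  # not a protected web root; nothing to compare against
        for dirpath, dirnames, _ in os.walk(www):
            for name in dirnames:
                sub = Path(dirpath) / name
                if not os.path.lexists(sub / ".htpasswd"):
                    findings.append(str(sub.relative_to(fw_root)))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway tree mimicking the layout the post describes:
    per-language www roots, each with a 'ca' directory missing .htpasswd and
    a 'help' directory whose .htpasswd is a link to /etc/htpasswd."""
    root = Path(tempfile.mkdtemp(prefix="dg834_fw_"))
    for www in ("www.eng", "www.fre"):
        (root / www / "ca").mkdir(parents=True)
        (root / www / "help").mkdir()
        (root / www / ".htpasswd").write_text("admin:x\n")  # constructed content
        (root / www / "help" / ".htpasswd").symlink_to("/etc/htpasswd")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path in find_unprotected_dirs(sample):
        print("missing .htpasswd:", path)
```

Point the function at a real extracted firmware root instead of the sample tree to check whether a rebuilt image actually closes the gap.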

The URL above works by injecting the script I've embedded in the query string and running it on the router. The script makes a copy of the current www directory (using links) in the router's /tmp directory, omitting all subdirectories including "ca", and restarts the http server using the replacement directory.

It would also be possible to modify this hack to survive a reboot.

The second link won't work with some browsers, such as MS Edge, and it is possible that some affected models may not include BusyBox's support for the shell variable manipulation used in the fix.

Use at your own risk and all that.