Vulnerability in Netgear routers leading to remote code execution

A vulnerability has been disclosed in Netgear devices that allows an attacker to execute code as root through manipulation from the external (WAN-side) network, without passing authentication. The vulnerability is confirmed in the R6900P, R7000P, R7960P and R8000P wireless routers, as well as in the MR60 and MS60 devices for deploying mesh networks. Netgear has already released firmware updates that fix the vulnerability.

The vulnerability is caused by a stack overflow in the aws_json background process (/tmp/media/nand/router-analytics/aws_json) when parsing JSON data returned by a request to an external web service (https://devicelocation.ngxcld.com/device-location/resolve) that is used to determine the device's location. To carry out an attack, a specially crafted JSON file is placed on a web server and the router is made to download it, for example via DNS spoofing or by redirecting traffic at an intermediate node (the request to the devicelocation.ngxcld.com host must be intercepted). The request is sent over HTTPS, but without certificate validation (the download is performed with the curl utility using the -k option).
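As an added illustration (not code from the advisory or from Netgear's firmware), here is how a client for such a location lookup could be hardened against the two weaknesses described above: TLS certificate and hostname validation stay enabled (the opposite of curl -k), and the JSON reply is size-capped and type-checked before any field is used, so an oversized value is rejected instead of overflowing a fixed buffer. The response field names and the size limits are assumptions.

```python
import json
import ssl
import urllib.request

# URL from the advisory; field names and limits below are assumed for illustration.
LOCATION_URL = "https://devicelocation.ngxcld.com/device-location/resolve"
MAX_BODY = 4096    # assumed upper bound on a legitimate reply, in bytes
MAX_FIELD = 64     # assumed upper bound on any string field
EXPECTED_FIELDS = ("country", "region")  # assumed reply schema


def parse_location(raw: bytes) -> dict:
    """Parse the location reply defensively: bounded size, strict types, bounded fields."""
    if len(raw) > MAX_BODY:
        raise ValueError("response body exceeds %d bytes" % MAX_BODY)
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("malformed JSON: %s" % exc)
    if not isinstance(obj, dict):
        raise ValueError("top-level JSON value must be an object")
    result = {}
    for key in EXPECTED_FIELDS:
        value = obj.get(key)
        # Reject anything that is not a string of bounded length; a fixed-size
        # C buffer filled without this check is exactly the overflow scenario.
        if not isinstance(value, str) or len(value) > MAX_FIELD:
            raise ValueError("field %r missing, not a string, or too long" % key)
        result[key] = value
    return result


def is_rejected(raw: bytes) -> bool:
    """True if parse_location refuses the input (used to exercise the failure path)."""
    try:
        parse_location(raw)
    except ValueError:
        return True
    return False


def fetch_location(url: str = LOCATION_URL, timeout: float = 10.0) -> dict:
    """Fetch the reply over HTTPS with full certificate validation, then parse it."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check by default
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        # Read one byte past the cap so parse_location can detect an oversized body.
        return parse_location(resp.read(MAX_BODY + 1))
```

fetch_location is not exercised offline; the parser is the part a reviewer can test without network access.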

In practical terms, the vulnerability can be used to compromise the device, for example by planting a backdoor for subsequent control over an organization's internal network. The attack requires brief access to the Netgear router or to the network cable or equipment on its WAN side (for example, the attack could be carried out by an ISP or by an attacker with access to a wiring cabinet). As a demonstration, the researchers built a prototype attack device based on a Raspberry Pi board that yields a root shell when the WAN interface of a vulnerable router is connected to the board's Ethernet port.
