Firmware version v2.10.22 and v3.01.29

Information retrieval

As announced at the end of the previous post, we will now check whether the updates published by Netgear fix the vulnerabilities.

So we take our downloaded archive “v3.01.29.zip” and decompress it using unzip.

$ unzip v3.01.29.zip
Archive:  v3.01.29.zip
 extracting: dg834_dg834g_3_01_29.zip
  inflating: ReleaseNotes_DG834v1_fw_3.01.29.html

Then we decompress the file “dg834_dg834g_3_01_29.zip” using unzip.

$ unzip dg834_dg834g_3_01_29.zip
Archive:  dg834_dg834g_3_01_29.zip
  inflating: DG834_V3.01.29.img

Then we use binwalk to identify what the “DG834_V3.01.29.img” file contains.

$ binwalk DG834_V3.01.29.img

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
56532         0xDCD4          Copyright string: "Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved."
56604         0xDD1C          Copyright string: "Copyright 2003 Telogy Networks, Inc."
138492        0x21CFC         Copyright string: "Copyright (C) 2003 Texas Instruments Incorporated; Copyright (C) 1999-2003 Igor Pavlov."
138543        0x21D2F         Copyright string: "Copyright (C) 1999-2003 Igor Pavlov."
851968        0xD0000         Squashfs filesystem, little endian, version 2.0, size: 3137953 bytes, 1394 inodes, blocksize: 32768 bytes, created: 2006-02-23 09:59:13
4063154       0x3DFFB2        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "DG834", hardware version: 0x4100, firmware version: 0x1D, starting code segment: 0x0, code size: 0x7300

Using the tool dd we extract the Squashfs filesystem from the firmware.

$ dd skip=851968 count=3211186 if=DG834_V3.01.29.img of=output.squashfs bs=1
3211186+0 records in
3211186+0 records out
3211186 bytes transferred in 4.724893 secs (679631 bytes/sec)

Where count=3211186 is the distance between the start of the Squashfs filesystem (0xD0000) and the start of the Sercomm firmware signature (0x3DFFB2) reported by binwalk:

>>> 0x3DFFB2 - 0xD0000
3211186

With the help of file we can confirm that output.squashfs is what we expect (same size, inode count and creation date as the binwalk entry).

$ file output.squashfs
output.squashfs: Squashfs filesystem, little endian, version 2.0, 3137953 bytes, 1394 inodes, blocksize: 32768 bytes, created: Thu Feb 23 09:59:13 2006
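As an added example (not from the original post), the same carve-and-verify step in Python: carve the region between the two binwalk offsets and check that the carved blob starts with a Squashfs superblock whose version and inode count match what binwalk reported. The sample image below is constructed for the example; only the offsets and the inode count come from the binwalk output above.

```python
import struct

SQUASHFS_LE_MAGIC = b"hsqs"  # little-endian Squashfs ("sqsh" when big-endian)
SQUASHFS_BE_MAGIC = b"sqsh"

# Offsets reported by binwalk for DG834_V3.01.29.img.
SQUASHFS_OFFSET = 0xD0000
SERCOMM_SIG_OFFSET = 0x3DFFB2


def region_length(start: int, end: int) -> int:
    """Number of bytes to carve: the `count=` value passed to dd (bs=1)."""
    if end <= start:
        raise ValueError("end offset must be after start offset")
    return end - start


def carve(image: bytes, start: int, end: int) -> bytes:
    """Equivalent of `dd skip=start count=end-start bs=1` on an in-memory image."""
    if not 0 <= start < end <= len(image):
        raise ValueError("carve range outside image")
    return image[start:end]


def parse_superblock(blob: bytes) -> dict:
    """Read the fields common to Squashfs 2.x/3.x/4.x superblocks:
    magic at 0, inode count at 4, major/minor version at 28/30.
    Note that a 2.0 superblock carries no compressor id, which is why
    stock unsquashfs assumes zlib and fails on LZMA-compressed data."""
    if len(blob) < 32:
        raise ValueError("blob too short for a Squashfs superblock")
    magic = blob[:4]
    if magic == SQUASHFS_LE_MAGIC:
        endian = "<"
    elif magic == SQUASHFS_BE_MAGIC:
        endian = ">"
    else:
        raise ValueError("no Squashfs magic at offset 0: %r" % magic)
    (inodes,) = struct.unpack_from(endian + "I", blob, 4)
    major, minor = struct.unpack_from(endian + "HH", blob, 28)
    return {"endian": "little" if endian == "<" else "big",
            "inodes": inodes, "major": major, "minor": minor}


# Constructed sample: a zero-filled image with a minimal 2.0 superblock
# (1394 inodes, as binwalk reported) placed at the Squashfs offset.
SAMPLE_SB = SQUASHFS_LE_MAGIC + struct.pack("<I", 1394) + bytes(20) + struct.pack("<HH", 2, 0)
SAMPLE_IMAGE = bytes(SQUASHFS_OFFSET) + SAMPLE_SB + bytes(32)
```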

But when we try to extract the file system we hit the same problem as Eloi Benoist-Vanderbeken: the Squashfs data is LZMA-compressed, which stock unsquashfs does not handle for this format version.

$ unsquashfs output.squashfs
gzip uncompress failed with error code -3
read_block: failed to read block @0x2fdeb2
read_fragment_table: failed to read fragment table block
FATAL ERROR: File system corruption detected

So we have to recompile unsquashfs following Eloi's procedure (this is his work, not mine). On a Mac M1 (Apple Silicon) this gives us:

  • Get the sources of squashfs version 4.5 patched for Mac using brew (screenshot in the original post).
  • Modify the Makefile (screenshot in the original post).
  • Edit the file compressor.c (screenshot in the original post).
  • Edit the file lzma_wrapper.c (screenshot in the original post).

Once the binary has been rebuilt with make, we can extract the contents of the Squashfs.

$ ./squashfs-4.5/squashfs-tools/unsquashfs output.squashfs 
Parallel unsquashfs: Using 8 processors
1356 inodes (1536 blocks) to write

...

[================================================================================================================================================================================|    ] 1504/1536  97%

created 1217 files
created 38 directories
created 107 symlinks
created 0 devices
created 0 fifos
created 0 sockets

Binaries present in busybox:

  • ash, busybox, cat, chmod, cp, dd, dmesg, echo, egrep, false, free, grep, ifconfig, init, insmod, kill, killall, ln, ls, lsmod, mkdir, modprobe, more, mount, mv, ping, ps, reboot, rm, rmmod, route, sh, sleep, test, touch, true, umount, wget

We notice that the wget binary is now present in busybox, which will simplify the exploitation of firmware versions v2.10.22 and v3.01.29.

Vulnerabilities 1 and 2 have not been corrected. A fix has been applied to vulnerability 3, but unfortunately it is trivial to bypass. The relevant function in each version is:

  • Function FUN_004079c8 firmware version v2.10.22.
  • Function FUN_00407d60 firmware version v3.01.29.
  • Function set_pppd_cmd firmware version v5.03.16.

The fix corresponds to going from the original code (screenshot in the original post) to the patched code (screenshot in the original post).

After a little digging I discovered that the toolchains for almost every version can be found at the following URL:

Recap

DG834Gv1 (RAM: 16MB)

Firmwares:

  • 1.01.01, 1.03.00, 1.04.01, 1.05.00, 2.10.09, 2.10.17, 2.10.22, 3.01.25, 3.01.26, 3.01.29, 3.01.31, 3.01.32, 3.01.38

Vulnerability | v1.05.00 | v3.01.29
--- | --- | ---
Command injection in the ping diagnostic functionality (parameter: c4_IPAddr) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_00405aa4, myPipe) | Exploitable (/usr/sbin/setup.cgi: FUN_0040774c, myPipe)
Command injection in the ADSL test functionality (parameter: command) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_00405d44, COMMAND /usr/sbin/cmd_agent_ap: main) | Exploitable (/usr/sbin/setup.cgi: FUN_004079ec, COMMAND /usr/sbin/cmd_agent_ap: main)
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | Exploitable (/usr/sbin/setup.cgi: set_pppoeName /usr/sbin/rc: FUN_00407ce8) | Exploitable (/usr/sbin/setup.cgi: set_pppoeName /usr/sbin/rc: FUN_00407d60)

DG834Gv2 (RAM: 16MB, UART: JP603)

Firmwares:

  • 1.01.01, 1.03.00, 1.04.01, 1.05.00, 2.10.09, 2.10.17, 2.10.22, 3.01.25, 3.01.26, 3.01.29, 3.01.31, 3.01.32, 3.01.38

Vulnerability | v1.05.00 | v3.01.29
--- | --- | ---
Command injection in the ping diagnostic functionality (parameter: c4_IPAddr) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_00405aa4, myPipe) | Exploitable (/usr/sbin/setup.cgi: FUN_0040774c, myPipe)
Command injection in the ADSL test functionality (parameter: command) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_00405d44, COMMAND /usr/sbin/cmd_agent_ap: main) | Exploitable (/usr/sbin/setup.cgi: FUN_004079ec, COMMAND /usr/sbin/cmd_agent_ap: main)
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | Exploitable (/usr/sbin/setup.cgi: set_pppoeName /usr/sbin/rc: FUN_00407ce8) | Exploitable (/usr/sbin/setup.cgi: set_pppoeName /usr/sbin/rc: FUN_00407d60)

DG834Gv3 (RAM: 16MB)

Firmwares:

  • 4.01.04, 4.01.06, 4.01.19, 4.01.20, 4.01.27, 4.01.28, 4.01.28, 4.01.30, 4.01.37, 4.01.40, 4.01.41, 4.01.42, 4.03.04

Vulnerability | v4.03.04
--- | ---
Command injection in the ping diagnostic functionality (parameter: c4_IPAddr) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_0040774c, myPipe)
Command injection in the ADSL test functionality (parameter: command) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_004079ec, COMMAND /usr/sbin/cmd_agent_ap: main)
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | Exploitable (/usr/sbin/setup.cgi: set_pppoeName /usr/sbin/rc: FUN_00407d80)

DG834Gv4 (RAM: 2*8MB)

Firmwares:

  • 5.01.01, 5.01.09, 5.01.14, 5.01.16, 5.01.17, 5.03.08, 5.03.14, 5.03.16

Vulnerability | v5.03.16
--- | ---
Command injection in the ping diagnostic functionality (parameter: c4_IPAddr) (post-auth) | Exploitable (/usr/sbin/setup.cgi: ping_test, myPipe)
Command injection in the ADSL test functionality (parameter: command) (post-auth) | Exploitable (/usr/sbin/setup.cgi: adsl_test, COMMAND /usr/sbin/cmd_agent_ap: main)
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | Exploitable (/usr/sbin/setup.cgi: set_pppoeName /usr/sbin/rc: set_pppd_cmd)

DG834Gv5 (RAM: 32MB)

Firmwares:

  • 1.6.00.33, 1.6.01.34, 6.00.17, 6.00.21, 6.00.25

Vulnerability | v1.6.01.34
--- | ---
Command injection in the ping diagnostic functionality (parameter: c4_IPAddr) (post-auth) | Exploitable
Command injection in the ADSL test functionality (parameter: command) (post-auth) | Exploitable
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | Exploitable

Vendor default credentials

  • admin / password
  • admin / admin
  • admin / changeme
  • admin / sky
  • admin / setup
  • admin / 1234
  • comcast / 1234
  • virgin / password
  • superuser / password

Going further

There is a way to exploit all the vulnerabilities found without authentication, but I will let you search for it yourself.