B10: Looking into router Netgear DG834Gv2 - part 4
Firmware version v2.10.22 and v3.01.29
Information retrieval
As explained at the end of the previous post we will see if the updates proposed by Netgear fix the vulnerabilities.
So we take our downloaded archive “v3.01.29.zip” and decompress it using unzip.
$ unzip v3.01.29.zip
Archive: v3.01.29.zip
extracting: dg834_dg834g_3_01_29.zip
inflating: ReleaseNotes_DG834v1_fw_3.01.29.html
Then we decompress the file “dg834_dg834g_3_01_29.zip” using unzip.
$ unzip dg834_dg834g_3_01_29.zip
Archive: dg834_dg834g_3_01_29.zip
inflating: DG834_V3.01.29.img
Then we use binwalk to identify what the “DG834_V3.01.29.img” file contains.
$ binwalk DG834_V3.01.29.img
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
56532 0xDCD4 Copyright string: "Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved."
56604 0xDD1C Copyright string: "Copyright 2003 Telogy Networks, Inc."
138492 0x21CFC Copyright string: "Copyright (C) 2003 Texas Instruments Incorporated; Copyright (C) 1999-2003 Igor Pavlov."
138543 0x21D2F Copyright string: "Copyright (C) 1999-2003 Igor Pavlov."
851968 0xD0000 Squashfs filesystem, little endian, version 2.0, size: 3137953 bytes, 1394 inodes, blocksize: 32768 bytes, created: 2006-02-23 09:59:13
4063154 0x3DFFB2 Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "DG834", hardware version: 0x4100, firmware version: 0x1D, starting code segment: 0x0, code size: 0x7300
Using the tool dd we extract the Squashfs filesystem from the firmware.
$ dd skip=851968 count=3211186 if=DG834_V3.01.29.img of=output.squashfs bs=1
3211186+0 records in
3211186+0 records out
3211186 bytes transferred in 4.724893 secs (679631 bytes/sec)
Where count=3211186 corresponds to the distance between the Squashfs offset and the Sercomm signature that follows it:
>>> 0x3DFFB2 - 0xD0000
3211186
We can confirm with the help of file that our file output.squashfs corresponds to what we expect.
$ file output.squashfs
output.squashfs: Squashfs filesystem, little endian, version 2.0, 3137953 bytes, 1394 inodes, blocksize: 32768 bytes, created: Thu Feb 23 09:59:13 2006
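As an added example (not part of the original post), the small Python script below automates the carving arithmetic done by hand above: it parses the binwalk listing, takes the Squashfs offset and the offset of the next signature (here the Sercomm trailer) as the carve boundaries, prints the matching dd parameters, and checks that the carved data starts with a Squashfs magic and carries the expected version fields. The binwalk text is the listing shown above; the image it carves from is a constructed stand-in with a synthetic superblock, not the real DG834_V3.01.29.img.

```python
import re
import struct

# Constructed sample input: the binwalk listing from the post, reproduced so the
# parser can be exercised offline without the firmware image itself.
BINWALK_OUTPUT = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
56532         0xDCD4          Copyright string: "Copyright 1996-2003 Texas Instruments Inc. All Rights Reserved."
56604         0xDD1C          Copyright string: "Copyright 2003 Telogy Networks, Inc."
138492        0x21CFC         Copyright string: "Copyright (C) 2003 Texas Instruments Incorporated; Copyright (C) 1999-2003 Igor Pavlov."
138543        0x21D2F         Copyright string: "Copyright (C) 1999-2003 Igor Pavlov."
851968        0xD0000         Squashfs filesystem, little endian, version 2.0, size: 3137953 bytes, 1394 inodes, blocksize: 32768 bytes, created: 2006-02-23 09:59:13
4063154       0x3DFFB2        Sercomm firmware signature, version control: 0, download control: 0, hardware ID: "DG834", hardware version: 0x4100, firmware version: 0x1D, starting code segment: 0x0, code size: 0x7300
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+0x[0-9A-Fa-f]+\s+(\S.*)$")


def parse_binwalk(text):
    """Turn binwalk's text listing into a sorted list of (decimal_offset, description)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).rstrip()))
    return sorted(entries)


def squashfs_extent(entries):
    """Locate the first Squashfs signature and bound it by the next signature.

    Returns (offset, carve_length, declared_size): carve_length is what the post
    passes to dd as count=, declared_size is the 'size:' binwalk read from the
    superblock. carve_length is None when nothing follows the filesystem.
    """
    for i, (offset, desc) in enumerate(entries):
        if not desc.startswith("Squashfs filesystem"):
            continue
        m = re.search(r"size: (\d+) bytes", desc)
        declared = int(m.group(1)) if m else None
        carve_len = entries[i + 1][0] - offset if i + 1 < len(entries) else None
        return offset, carve_len, declared
    raise ValueError("no Squashfs signature in binwalk output")


def describe_carved(image, offset, length):
    """Carve image[offset:offset+length] and sanity-check the Squashfs superblock.

    Both the 2.x and 4.x superblock layouts keep the 4-byte magic at offset 0 and
    the 16-bit major/minor version at offsets 28 and 30, so the check applies to
    the v2.0 image in the post as well as to modern images.
    """
    chunk = image[offset:offset + length]
    magic = bytes(chunk[:4])
    if magic == b"hsqs":
        fmt = "<HH"  # little-endian filesystem
    elif magic == b"sqsh":
        fmt = ">HH"  # big-endian filesystem
    else:
        raise ValueError("carved data does not start with a Squashfs magic: %r" % magic)
    major, minor = struct.unpack(fmt, bytes(chunk[28:32]))
    return {"endian": "little" if fmt[0] == "<" else "big",
            "version": (major, minor), "length": len(chunk)}


def build_sample_image(offset=0xD0000, trailer_offset=0x3DFFB2):
    """Constructed stand-in for DG834_V3.01.29.img: zero filler with a minimal
    little-endian Squashfs 2.0 superblock at `offset` and a placeholder marker
    where binwalk reported the Sercomm signature. Not real firmware data."""
    image = bytearray(trailer_offset + 16)
    # magic, inodes, bytes_used, four (unused here) table pointers, then s_major/s_minor.
    superblock = b"hsqs" + struct.pack("<6I", 1394, 3137953, 0, 0, 0, 0) + struct.pack("<HH", 2, 0)
    image[offset:offset + len(superblock)] = superblock
    image[trailer_offset:trailer_offset + 4] = b"SERC"  # placeholder, not the real Sercomm header
    return bytes(image)


def main():
    entries = parse_binwalk(BINWALK_OUTPUT)
    offset, carve_len, declared = squashfs_extent(entries)
    print("dd skip=%d count=%d bs=1  (0x%X - 0x%X)" % (offset, carve_len, offset + carve_len, offset))
    print("superblock declares %d bytes, so %d bytes of padding up to the trailer are carved too"
          % (declared, carve_len - declared))
    info = describe_carved(build_sample_image(), offset, carve_len)
    print("carved %(length)d bytes: %(endian)s-endian Squashfs %(version)s" % info)


if __name__ == "__main__":
    main()
```

Bounding the carve by the next signature rather than by the declared size is deliberate: unsquashfs is tolerant of trailing padding but not of a truncated fragment table, so carving up to the trailer (as the dd command above does) is the safer choice when the declared size cannot be trusted.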
But we hit the same problem as Eloi Benoist-Vanderbeken (related to LZMA) when we try to extract the file system.
$ unsquashfs output.squashfs
gzip uncompress failed with error code -3
read_block: failed to read block @0x2fdeb2
read_fragment_table: failed to read fragment table block
FATAL ERROR: File system corruption detected
So we have to recompile unsquashfs following Eloi’s procedure (which is not the result of my work but his). On a Mac M1 (Apple Silicon) this gives us:
- Let’s get the sources of squashfs version 4.5 patched for Mac using brew:
- Let’s modify the Makefile:
- Edit the file compressor.c:
- Edit the file lzma_wrapper.c:
Once the binary is recompiled using the command make, let’s get the contents of the Squashfs.
$ ./squashfs-4.5/squashfs-tools/unsquashfs output.squashfs
Parallel unsquashfs: Using 8 processors
1356 inodes (1536 blocks) to write
...
[================================================================================================================================================================================| ] 1504/1536 97%
created 1217 files
created 38 directories
created 107 symlinks
created 0 devices
created 0 fifos
created 0 sockets
Binaries present in busybox:
- ash, busybox, cat, chmod, cp, dd, dmesg, echo, egrep, false, free, grep, ifconfig, init, insmod, kill, killall, ln, ls, lsmod, mkdir, modprobe, more, mount, mv, ping, ps, reboot, rm, rmmod, route, sh, sleep, test, touch, true, umount, wget
We notice that the wget binary is now present in busybox, which will simplify the exploitation for firmware versions v2.10.22 and v3.01.29.
Vulnerabilities 1 and 2 have not been corrected, but a fix has been applied to vulnerability 3; unfortunately its bypass is trivial.
- Function FUN_004079c8, firmware version v2.10.22.
- Function FUN_00407d60, firmware version v3.01.29.
- Function set_pppd_cmd, firmware version v5.03.16.
Which corresponds to going from:
To:
After a little digging I discovered that it was possible to find the toolchains of almost every version at the following URL:
Recap
DG834Gv1 (RAM: 16MB)
Firmwares:
- 1.01.01, 1.03.00, 1.04.01, 1.05.00, 2.10.09, 2.10.17, 2.10.22, 3.01.25, 3.01.26, 3.01.29, 3.01.31, 3.01.32, 3.01.38
Version | … | v1.05.00 | … | v3.01.29 |
---|---|---|---|---|
Command injection in the diagnostic functionality ping (parameter: c4_IPAddr) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: FUN_00405aa4, myPipe) | … | Exploitable (/usr/sbin/setup.cgi: FUN_0040774c, myPipe) |
Command injection in the test ADSL functionality (parameter: command) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: FUN_00405d44, COMMAND; /usr/sbin/cmd_agent_ap: main) | … | Exploitable (/usr/sbin/setup.cgi: FUN_004079ec, COMMAND; /usr/sbin/cmd_agent_ap: main) |
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: set_pppoeName; /usr/sbin/rc: FUN_00407ce8) | … | Exploitable (/usr/sbin/setup.cgi: set_pppoeName; /usr/sbin/rc: FUN_00407d60) |
DG834Gv2 (RAM: 16MB, UART: JP603)
Firmwares:
- 1.01.01, 1.03.00, 1.04.01, 1.05.00, 2.10.09, 2.10.17, 2.10.22, 3.01.25, 3.01.26, 3.01.29, 3.01.31, 3.01.32, 3.01.38
Version | v1.05.00 | … | v3.01.29 |
---|---|---|---|
Command injection in the diagnostic functionality ping (parameter: c4_IPAddr) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_00405aa4, myPipe) | … | Exploitable (/usr/sbin/setup.cgi: FUN_0040774c, myPipe) |
Command injection in the test ADSL functionality (parameter: command) (post-auth) | Exploitable (/usr/sbin/setup.cgi: FUN_00405d44, COMMAND; /usr/sbin/cmd_agent_ap: main) | … | Exploitable (/usr/sbin/setup.cgi: FUN_004079ec, COMMAND; /usr/sbin/cmd_agent_ap: main) |
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | Exploitable (/usr/sbin/setup.cgi: set_pppoeName; /usr/sbin/rc: FUN_00407ce8) | … | Exploitable (/usr/sbin/setup.cgi: set_pppoeName; /usr/sbin/rc: FUN_00407d60) |
DG834Gv3 (RAM: 16MB)
Firmwares:
- 4.01.04, 4.01.06, 4.01.19, 4.01.20, 4.01.27, 4.01.28, 4.01.28, 4.01.30, 4.01.37, 4.01.40, 4.01.41, 4.01.42, 4.03.04
Version | … | v4.03.04 |
---|---|---|
Command injection in the diagnostic functionality ping (parameter: c4_IPAddr) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: FUN_0040774c, myPipe) |
Command injection in the test ADSL functionality (parameter: command) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: FUN_004079ec, COMMAND; /usr/sbin/cmd_agent_ap: main) |
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: set_pppoeName; /usr/sbin/rc: FUN_00407d80) |
DG834Gv4 (RAM: 2*8MB)
Firmwares:
- 5.01.01, 5.01.09, 5.01.14, 5.01.16, 5.01.17, 5.03.08, 5.03.14, 5.03.16
Version | … | v5.03.16 |
---|---|---|
Command injection in the diagnostic functionality ping (parameter: c4_IPAddr) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: ping_test, myPipe) |
Command injection in the test ADSL functionality (parameter: command) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: adsl_test, COMMAND; /usr/sbin/cmd_agent_ap: main) |
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | … | Exploitable (/usr/sbin/setup.cgi: set_pppoeName; /usr/sbin/rc: set_pppd_cmd) |
DG834Gv5 (RAM: 32MB)
Firmwares:
- 1.6.00.33, 1.6.01.34, 6.00.17, 6.00.21, 6.00.25
Version | v1.6.01.34 |
---|---|
Command injection in the diagnostic functionality ping (parameter: c4_IPAddr) (post-auth) | Exploitable |
Command injection in the test ADSL functionality (parameter: command) (post-auth) | Exploitable |
Command injection in the DSL encapsulation functionality (parameter: pppoeName) (post-auth) | Exploitable |
Vendor default credentials
- admin / password
- admin / admin
- admin / changeme
- admin / sky
- admin / setup
- admin / 1234
- comcast / 1234
- virgin / password
- superuser / password
Going further
There is a way to exploit all the vulnerabilities found without authentication but I will let you search by yourself.