Exploited: Netgear Nighthawk RAX30

By Chad Cox

Production Editor

Embedded Computing Design

September 18, 2023

Blog

Image Credit: Amanda Janes

By now, we all know that no matter the precautions, there will always be a way in, a way you haven’t thought of, a way to breach and control your connected … everything. To highlight these ever-changing vulnerabilities, whether minor or major, and to promote secure IoT environments overall, the Zero Day Initiative (ZDI) organized a Pwn2Own competition in Toronto to dive deeper into the machines we employ every day and show how vulnerable we are when everything is connected. ZDI informed the participating teams that they would need to take their shared knowledge and apply it to printers, network-attached storage (NAS) devices, routers, and smart speakers.

Claroty’s Team 82 participated with the goal of compromising the Netgear Nighthawk RAX30 router. They found that, once the router is exploited, an attacker may be able to surveil your activity, hijack connections, send you to malicious sites, or embed malware into your ecosystem. With all the collected wisdom, it wasn’t long until the team discovered a vulnerability that was easy to find, but a challenge to exploit.

Image Credit: Claroty's Team 82

 

The vulnerability was found in the soap_serverd process running on port 5000, a service that handles SOAP messages relating to operations on the attached LAN. According to Team 82, “the vulnerability we found was a stack-based buffer overflow. This class of vulnerabilities is usually trivial to exploit when there are no stack protections.”

The routers use stack canaries to protect against buffer overflow attacks. A canary is a small value placed on the stack and checked for modification before a function returns. If an anomaly is found, the program should terminate itself to prevent further damage to the network.

Three Options to Bypass Stack Canaries:

  • Find another vulnerability that could leak the canary from memory
  • Brute-force the canary (this is possible only in specific cases)
  • “Logically” bypass the canary: do something with the overflow before the canary is checked

The team chose to logically bypass the canary. The dedicated server, “soap_serverd,” runs on ports 5000 (HTTP) and 5043 (HTTPS) and operates as a programmatic SOAP-based API for router functionality. If the API is compromised, an attacker may be able to undermine the system’s integrity.
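Why a canary alone does not cover the third option, as an added example that is not Team 82's or NETGEAR's code: a constructed model of one stack frame in which a local variable sits between the buffer and the canary, with the unchecked copy beside a bounds-checked one. The frame layout, names, sizes and canary value are assumptions made for illustration, not details of soap_serverd.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame. Layout, names and sizes are
   illustrative assumptions, not taken from soap_serverd. */
struct frame {
    char     field[16];      /* fixed-size buffer for a request field */
    uint32_t authenticated;  /* local that is read before the function returns */
    uint32_t canary;         /* compared only in the function epilogue */
};
#define CANARY 0x5ca1ab1eu
enum result { DENIED, GRANTED, CANARY_ABORT, REJECTED };

/* Weak form: the copy length comes from the request, not from the buffer. */
enum result handle_unchecked(const char *in, size_t len) {
    struct frame f = { .canary = CANARY };
    if (len > sizeof f) len = sizeof f;   /* keeps the model itself in bounds */
    memcpy(&f, in, len);                  /* len > 16 spills into the locals */
    enum result r = f.authenticated ? GRANTED : DENIED; /* used before the check */
    return f.canary == CANARY ? r : CANARY_ABORT;       /* epilogue check */
}

/* Hardened form: reject anything that does not fit the destination. */
enum result handle_checked(const char *in, size_t len) {
    struct frame f = { .canary = CANARY };
    if (len >= sizeof f.field) return REJECTED;
    memcpy(f.field, in, len);
    f.field[len] = '\0';
    enum result r = f.authenticated ? GRANTED : DENIED;
    return f.canary == CANARY ? r : CANARY_ABORT;
}

/* Feed `len` filler bytes (constructed input) to either handler. */
enum result demo(size_t len, int checked) {
    char in[sizeof(struct frame)];
    memset(in, 'A', sizeof in);
    if (len > sizeof in) len = sizeof in;
    return checked ? handle_checked(in, len) : handle_unchecked(in, len);
}

int main(void) {
    static const char *name[] = { "denied", "granted", "canary abort", "rejected" };
    size_t lens[] = { 8, 20, 24 };
    for (int i = 0; i < 3; i++)
        printf("len=%2zu unchecked=%-12s checked=%s\n", lens[i],
               name[demo(lens[i], 0)], name[demo(lens[i], 1)]);
    return 0;
}
```

The 20-byte case is the one the canary never sees: the local is corrupted and acted on while the canary is still intact, so the fix has to be the length check at the copy, not the epilogue check.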

The server’s main use is to serve the NETGEAR Nighthawk App for iOS and Android. Team 82 exposed more than 180 vulnerabilities in the server, sorted into various categories including:

  • UserOptionsTC
  • AdvancedQOS
  • WANEthernetLinkConfig
  • WANIPConnection
  • DeviceInfo
  • LANConfigSecurity
  • WLANConfiguration
  • DeviceConfig
  • ParentalControl

NETGEAR Nighthawk RAX30 CVEs

The following CVEs are most significant in combination: chained together, they enable pre-authentication remote code execution.

  • CVE-2023-27357: NETGEAR RAX30 GetInfo Missing Authentication Information Disclosure Vulnerability
  • CVE-2023-27368: NETGEAR RAX30 soap_serverd Stack-based Buffer Overflow Authentication Bypass Vulnerability
  • CVE-2023-27369: NETGEAR RAX30 soap_serverd Stack-based Buffer Overflow Authentication Bypass Vulnerability
  • CVE-2023-27370: Using soap_serverd auth Bypass to Reset the Admin Password  
  • CVE-2023-27367: Authentication Bypass to RCE Using Magic telnet and Command Injection

 

Chad Cox, Production Editor, Embedded Computing Design, has responsibilities that include handling the news cycle, newsletters, social media, and advertising. Chad graduated from the University of Cincinnati with a B.A. in Cultural and Analytical Literature.
