This vulnerability was analyzed during Episode 175 on 12 December 2022
Two vulns in Netgear RAX30 routers that were patched 2 days before the Pwn2Own draw. One was a LAN bug, the other a WAN issue.
Command Injection in puhttpsniff (LAN)
When investigating the router, they found a service called puhttpsniff that ran by default. Reversing it showed that it takes the client's User-Agent string and uses it to build a pudil command line that is passed to system(). The string was not sanitized at all against command injection, so you could simply set the User-Agent to a payload that broke out of the quotes and executed system commands. You're limited to 255 bytes, but this is more than enough to get a reverse shell.
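To make the bug class concrete, here is an added example (not RAX30 firmware code) of the unsafe pattern described above next to a hardened version: the header is length- and charset-checked and handed to the child as a separate argv element via execvp(), so no shell ever parses it. The pudil flag `-u` and the helper names are assumptions for illustration.

```c
/* Added example, not code from the router. The pudil invocation is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define UA_MAX 255  /* same bound the page mentions for the header */

/* Vulnerable pattern: attacker-controlled header text is spliced into a
 * command line that a shell will parse. A quote or metacharacter in the
 * header changes what the shell runs. */
int log_ua_unsafe(const char *ua)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "pudil -u \"%s\"", ua);  /* flag assumed */
    return system(cmd);
}

/* Input check: bounded length, printable ASCII only. Quotes and shell
 * metacharacters are harmless once no shell is involved, so they are
 * allowed; control bytes (newlines, NULs) and non-ASCII are rejected.
 * Returns 1 if the header is acceptable, 0 otherwise. */
int ua_is_acceptable(const char *ua)
{
    size_t n = ua ? strlen(ua) : 0;
    if (n == 0 || n > UA_MAX) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)ua[i])) return 0;
    return 1;
}

/* Hardened version: validate, then fork/execvp with a fixed argv. The
 * header reaches pudil as exactly one argument, whatever it contains.
 * Returns the child's exit status, or -1 if rejected or on failure. */
int log_ua_safe(const char *ua)
{
    if (!ua_is_acceptable(ua)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "pudil", "-u", (char *)ua, NULL };  /* flag assumed */
        execvp("pudil", argv);
        _exit(127);  /* exec failed; report like a shell would */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```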
Firewall Misconfiguration (WAN)
They discovered that services on the router (ssh, telnet, etc.) were listening on both IPv4 and IPv6 addresses. While on IPv4 all ports are closed to the WAN, on IPv6 things like telnet are open. There are some ip6tables rules in place to restrict access, but they're only applied on br0 (LAN), and on the WAN interface only if a public IPv6 address is assigned. If a link-local address is used on the WAN side to connect to telnet, for example, the rules won't be applied to it, so anyone on the same network segment as the router can reach the link-local address and connect to various services. They used this to exfiltrate /etc/passwd and cracked the support account's password. This got them a restricted shell over telnet, though escaping it was as trivial as using the hidden sh command.