Rapid7 Vulnerability & Exploit Database

Netgear R6700v3 Unauthenticated LAN Admin Password Reset

Back to Search

Netgear R6700v3 Unauthenticated LAN Admin Password Reset

Disclosed
06/15/2020
Created
07/02/2020

Description

This module targets ZDI-20-704 (aka CVE-2020-10924), a buffer overflow vulnerability in the UPNP daemon (/usr/sbin/upnpd), on Netgear R6700v3 routers running firmware versions from V1.0.2.62 up to but not including V1.0.4.94, to reset the password for the 'admin' user back to its factory default of 'password'. Authentication is bypassed by using ZDI-20-703 (aka CVE-2020-10923), an authentication bypass that occurs when network adjacent computers send SOAPAction UPnP messages to a vulnerable Netgear R6700v3 router. Currently this module only supports exploiting Netgear R6700v3 routers running either the V1.0.0.4.82_10.0.57 or V1.0.0.4.84_10.0.58 firmware, however support for other firmware versions may be added in the future. Once the password has been reset, attackers can use the exploit/linux/telnet/netgear_telnetenable module to send a special packet to port 23/udp of the router to enable a telnet server on port 23/tcp. The attacker can then log into this telnet server using the new password, and obtain a shell as the "root" user. These last two steps have to be done manually, as the authors did not reverse the communication with the web interface. It should be noted that successful exploitation will result in the upnpd binary crashing on the target router. As the upnpd binary will not restart until the router is rebooted, this means that attackers can only exploit this vulnerability once per reboot of the router. This vulnerability was discovered and exploited at Pwn2Own Tokyo 2019 by the Flashback team (Pedro Ribeiro + Radek Domanski).

Author(s)

  • Pedro Ribeiro <pedrib@gmail.com>
  • Radek Domanski <radek.domanski@gmail.com>
  • gwillcox-r7

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use auxiliary/admin/http/netgear_r6700_pass_reset
msf auxiliary(netgear_r6700_pass_reset) > show actions
    ...actions...
msf auxiliary(netgear_r6700_pass_reset) > set ACTION < action-name >
msf auxiliary(netgear_r6700_pass_reset) > show options
    ...show and set options...
msf auxiliary(netgear_r6700_pass_reset) > run 

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;