lolloj - Fotolia

How does a Netgear vulnerability enable command injection attacks?

A Netgear vulnerability exposed a number of wireless router models to command injection attacks. Expert Judith Myerson explains how the attack works and how to stop it.

A major vulnerability in several Netgear routers allowed remote attackers to commit command injection attacks on these devices. The attacks involved tricking victims using Netgear routers into visiting a malicious link -- but how can a bad link infect the actual router? How does this command injection attack work?

A security researcher took advantage of a major vulnerability in several high-end Netgear routers to show how command injection attacks were possible on the R8000, R7000 and R6400 models, as well as others.

The vulnerability involved how these routers implemented web servers, and it allowed users to inject commands into the devices without any authentication or authorization. Victims could be lured into clicking a malicious link on highly privileged commands. The link infected their routers in varying degrees; the malicious link first infected a client device, and then spread to the router to which the device was connected. The worst possible scenario enabled shred command injections into the HTML source of a webpage.

Upon execution, this command deletes all of the files in the server. With no files to work with, the router stops functioning. Another injection favorite of attackers is the "killall" command, which is used to terminate all processes. Victims will likely discover too late that their router is no longer able to receive incoming commands from the web server or to send outgoing commands to the server.

The Netgear vulnerability was patched soon after the exploit was made public, and Netgear released beta firmware updates for the affected routers. US-CERT also issued a temporary fix to allow users to continue the use of their routers in case the firmware didn't update properly.

An ethical hacker could exploit the vulnerability by issuing a "safe" command that halts all incoming commands from the router's web server. For example, you could inject in the web address "http://[router-address/cgi-bin/;killall$IFS'httpd'." The router address is the local IP address assigned to your router. The killall command terminates only the processes associated with the HTTP daemon that runs in the background of a web server and waits for the incoming server requests. You would need to reboot the router for the fix to take effect. This would enable you to send outgoing server requests.

You can also create a link to "ethical" command injections in the HTML source of a webpage to save time typing in the web address.

Next Steps

Read more on securing remote admin service for wireless routers

Find out how to address the Equation Group vulnerabilities

Discover the best ways to mitigate wireless router security issues

Dig Deeper on Network security