Super Hub Routers Get Patch against Exploit Chain

The firmware for routers from one of the largest Internet Service Providers (ISPs) in the UK has been updated automatically for all online terminals to address a set of security oversights that, when combined, could lead to complete compromise of the device. Some of the issues have long been highlighted by the infosec community as common insecure practices.

Super Hub 2 and Super Hub 2 AC are routers manufactured by Netgear and deployed by UK ISP Virgin Media to its subscribers. In October 2016, researchers from penetration-testing firm Context Information Security tested the security of the devices. They started with extracting the firmware image and, after several unsuccessful attack methods, shifted towards the backup/restore mechanism, which lets users save a custom configuration of the router and reinstate it automatically, reducing manual input.

Their first discovery was that the backup files were saved in a compressed and encrypted state, using the Triple DES algorithm. However, they found the decryption key was hard-coded in the binary responsible for unpacking and restoring the configuration. This was the starting point for figuring out a way to obtain administrative rights (root shell) on the system and gaining complete control.

Careful examination of the components available and the way they interacted allowed the pentesters to create a malicious configuration backup file that contained the instruction to allow router access via command line (telnet connection). After the backup was checked and applied, the router ran a command that allowed data to be written or overwritten on the device with the highest privileges, in a persistent manner. They also found a powerful left-over script that looked for the existence of a file and executed its contents as part of an alternative system startup routine; if the file was not detected, the default routine would run a few startup commands.

By combining this knowledge, the researchers figured out how to create a backup configuration file that included a script, and was accepted by the router. “Once submitted to the router it will be decrypted, validated and then untar’d to the root of the file system. Consequently our script will get execution when the Super Hub reboots,” they wrote in a blog post.

This approach allowed enabling a telnet connection on the device, but only for a short time, because of additional checks with persistent parameters regarding telnet access. Reverse-engineering and the introduction of a new command in the malicious script overcame this hurdle, too.

Although difficult to discover by a regular attacker, the exploit chain described by the Context Information Security experts shows that hardening known vulnerable areas is not sufficient if code is not properly cleaned of old commands and scripts that are run with elevated privileges and impact on sensitive locations, and hard-coded credentials are not eliminated. Users should also set a higher security standard and enable strong, unique passwords to complement the vendor’s efforts.