The first step to PWN2OWN - A sad one

INTRODUCTION

When I was taking a look at the UPnP binary of the NETGEAR RAX30 for PWN2OWN Toronto 2022, I found a command injection vulnerability on the LAN side. This is the first vulnerability I have ever found, but it died young: the patch came out right before the contest began.

VULNERABILITY SUMMARY

The NETGEAR RAX30 runs a UPnP service on port 56688 when the WAN port is connected. The vulnerability occurs while parsing the SOAPACTION parameter of an HTTP POST request: an attacker can pass a malicious SOAPACTION value that triggers a command injection.

VULNERABILITY DETAILS

An M-SEARCH request is sent to SSDP first, and the response returns information about the services, such as the location and uuid:

We use the information received after sending the M-SEARCH packet to craft the exploit request. Then we send the exploit packet to the UPnP service on port 56688:

The packet is handled by the dispatch_http_request() function in UPnP. The POST parsing code checks for the SOAPACTION parameter and extracts its content.


The soap_action_parse() function extracts the actionName from the extracted SOAPACTION parameter by looking for the '#' character in the soap_action_content variable.


Finally, actionName is used to construct a logger command, which is passed to system(); this is what executes the command injection payload. The final command is injected into the logger command:
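As an added example (not code from this write-up or from the RAX30 firmware), here is a hardened version of the parse-and-log step in C: the action name after '#' is checked against a strict allowlist and logged through syslog() rather than by building a shell command. The function names, the allowlist and the sample SOAPACTION values are my own constructions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <syslog.h>

#define ACTION_MAX 64

/* Hypothetical hardened replacement for soap_action_parse().
 * Copies the text after '#' into out, dropping a trailing quote and
 * whitespace, and rejects anything outside [A-Za-z0-9_] so that no
 * shell metacharacter can ever reach a command line.
 * Returns 1 on success, 0 on a malformed or hostile value. */
int soap_action_parse_safe(const char *soap_action_content, char *out, size_t outlen)
{
    if (!soap_action_content || !out || outlen == 0) return 0;
    const char *hash = strchr(soap_action_content, '#');
    if (!hash) return 0;                 /* no '#' means no action name */
    const char *name = hash + 1;
    size_t len = strlen(name);
    while (len > 0 && (name[len - 1] == '"' || isspace((unsigned char)name[len - 1])))
        len--;                           /* strip closing quote / CRLF */
    if (len == 0 || len >= outlen) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_') return 0;   /* ';', '`', '$', '|' ... rejected */
    }
    memcpy(out, name, len);
    out[len] = '\0';
    return 1;
}

/* Log without a shell: syslog() takes the name as data, not as a command. */
void log_soap_action(const char *action_name)
{
    openlog("upnp", LOG_PID, LOG_DAEMON);
    syslog(LOG_INFO, "SOAP action: %s", action_name);
    closelog();
}

int main(void)
{
    char action[ACTION_MAX];
    /* constructed sample header values */
    const char *ok  = "\"urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress\"";
    const char *bad = "\"urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress;id\"";
    if (soap_action_parse_safe(ok, action, sizeof action)) log_soap_action(action);
    printf("ok  -> %d\n", soap_action_parse_safe(ok, action, sizeof action));   /* prints 1 */
    printf("bad -> %d\n", soap_action_parse_safe(bad, action, sizeof action));  /* prints 0 */
    return 0;
}
```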


Let's write a script and exploit the vulnerability.


The patch

The old system() call has been replaced with a call to the log_log() function.