02 Apr

Security researcher Dylan has disclosed a set of eight previously unknown zero-day vulnerabilities affecting the Netgear WNR854T, a legacy router first released in 2017 and long since unsupported.
The report details a range of vulnerabilities, including buffer overflows and command injection flaws, which could allow attackers to gain control of affected devices.
CVE-2024-54802: M-SEARCH Host BOF
This vulnerability is a stack-based buffer overflow in the UPnP service, specifically affecting the M-SEARCH Host header. The issue stems from the strcpy function’s unbounded nature, which can allow an attacker to corrupt memory and control execution flow, leading to remote code execution.

CVE-2024-54803: PPPOE_PEER_MAC Authenticated Command Injection (Boot Persistent)
This is an authenticated command injection vulnerability affecting the router’s PPPOE configuration. Successful exploitation allows authenticated attackers to execute arbitrary system commands with root privileges.
The researcher emphasizes the severity, stating, “The injected commands persist across device reboots as they are stored in NVRAM, making this a particularly severe vulnerability that provides attackers with permanent access until manually remediated.”

CVE-2024-54804: WAN_HOSTNAME Authenticated Command Injection (Boot Persistent)
Similar to the previous vulnerability, this is an authenticated command injection vulnerability, but it affects the router’s WAN hostname configuration. Exploitation grants authenticated attackers the ability to execute arbitrary system commands with root privileges, with the injected commands persisting across reboots.
The report highlights the potential impact: “This can lead to complete compromise of the router, enabling a whole host of malicious activities.”

CVE-2024-54805: Sendmail Authenticated Command Injection
This vulnerability is an authenticated command injection flaw within the router’s email notification functionality. Attackers with valid credentials can execute arbitrary system commands with root privileges by manipulating the email address field.
The report notes the flexibility of this exploit: “This vulnerability provides a more flexible on-demand execution mechanism that can be repeatedly triggered without waiting for reboots.”

CVE-2024-54806: Authenticated Webshell
The report indicates the existence of a webshell at cmd.cgi (0x15c50). Access to this webshell requires authentication.

CVE-2024-54807: AddPortMapping Command Injection
This is an unauthenticated command execution vulnerability in the upnp binary. It exists because arguments supplied to the AddPortMapping action are concatenated into a system call without sanitization.
The report emphasizes the severity: “This is potentially the most critical vulnerability reported due to its wide attack surface, lack of authentication, and low exploit complexity.”

CVE-2024-54808: SetDefaultConnectionService BOF
This is a stack-based buffer overflow vulnerability in the SetDefaultConnectionService function. Successful exploitation can lead to hijacking program execution.
The report mentions challenges in exploiting this vulnerability: “Issues with weaponization of this bug were encountered due to environmental constraints.”

CVE-2024-54809: M-SEARCH ST BOF
This is another stack-based buffer overflow in the UPnP service, this time affecting the M-SEARCH ST header. The vulnerability is caused by improper bounds checking when copying the ST header value.
The report explains the cause: “The vulnerability is caused by improper bounds checking when copying the ST header value into a fixed-size stack variable.”
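As an added example (not code from the advisory or from the router’s firmware), the following C routine shows the bounded header extraction that the M-SEARCH Host and ST overflows above lack: the value is copied into the fixed-size buffer only if it fits, and an over-long value is rejected instead of overrunning the stack. The 64-byte buffer size and the two sample requests are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
#define HDR_VALUE_MAX 64   /* assumed size of the fixed stack buffer for a header value */
enum { HDR_OK = 0, HDR_MISSING = -1, HDR_TOO_LONG = -2 };

/* Copy the value of header `name` from an SSDP request into `out`, enforcing the
 * destination size. The advisory's bug class is an unbounded strcpy() here; this
 * version rejects a value that would not fit rather than copying it. */
int ssdp_get_header(const char *req, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *line = req;
    while (line && *line) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        /* header names are case-insensitive; require "Name:" at line start */
        if (linelen > nlen && strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1, *vend = line + linelen;
            while (v < vend && isspace((unsigned char)*v)) v++;          /* trim */
            while (vend > v && isspace((unsigned char)vend[-1])) vend--;
            size_t vlen = (size_t)(vend - v);
            if (vlen >= outlen)          /* no room for value plus NUL: refuse */
                return HDR_TOO_LONG;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return HDR_OK;
        }
        line = eol ? eol + 2 : NULL;
    }
    return HDR_MISSING;
}

/* Accept an M-SEARCH only if both the HOST and ST values fit the fixed buffer. */
int msearch_is_safe(const char *req)
{
    char host[HDR_VALUE_MAX], st[HDR_VALUE_MAX];
    return ssdp_get_header(req, "HOST", host, sizeof host) == HDR_OK &&
           ssdp_get_header(req, "ST", st, sizeof st) == HDR_OK;
}

/* Constructed sample requests for testing (not captured traffic). */
const char SAMPLE_OK[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n";
const char SAMPLE_OVERLONG_ST[] =            /* ST value is longer than the 64-byte buffer */
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nST: "
    "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n\r\n";
```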
