
Vulnerability in KCodes NetUSB in D-Link, NETGEAR, TP-LINK, Trendnet, ZyXEL and other routers

As you may know, some router manufacturers let you use USB devices connected to the router over TCP/IP, using the KCodes NetUSB software and its own protocol. The technology lets you connect any type of device (printers, flash drives, webcams, keyboards, sound cards) because it simply encapsulates USB in IP.

Specialists from SEC Consult discovered a glaring vulnerability in all routers supporting this technology: a kernel-mode stack buffer overflow that can lead to remote code execution.

The kernel module NetUSB.ko listens on port 20005 even if no USB device is connected to the router. It uses AES encryption with a static key (which, of course, is also present in the PC client) for authentication, which allows an attacker to use the connected USB device remotely. However, the main vulnerability lies in the run_init_sbus() function, where the buffer for the computer name has a fixed size of 64 characters. The name length is taken from the client and used for the receive without being checked against that size, so a longer name overflows the kernel stack:

    int computername_len;
    char computername_buf[64];
    // connection initiation, handshake
    len = ks_recv(sock, &computername_len, 4, 0);
    // ...
    len = ks_recv(sock, computername_buf, computername_len, 0); // boom!
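
The missing step in the fragment above is a check of the client-supplied length before the second receive. The following user-space C model of that check is an added example, not code from NetUSB or from the SEC Consult advisory; stream_recv(), recv_computername(), the little-endian length field and the sample messages are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* size of computername_buf on the page */

/* Constructed stand-in for the socket: bytes the peer sent, held in memory. */
struct stream { const uint8_t *data; size_t len, pos; };

/* Hypothetical user-space substitute for ks_recv(): copy up to n bytes. */
static size_t stream_recv(struct stream *s, void *dst, size_t n)
{
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Hardened computer-name step: returns the name length, or <0 on rejection. */
int recv_computername(const uint8_t *msg, size_t msg_len, char out[NAME_MAX_LEN + 1])
{
    struct stream s = { msg, msg_len, 0 };
    uint8_t raw[4];
    uint32_t name_len;
    if (stream_recv(&s, raw, sizeof raw) != sizeof raw)
        return -1;                 /* truncated length field */
    /* Assumption: little-endian on the wire. Unsigned, so no negative sizes. */
    name_len = (uint32_t)raw[0] | (uint32_t)raw[1] << 8 |
               (uint32_t)raw[2] << 16 | (uint32_t)raw[3] << 24;
    if (name_len == 0 || name_len > NAME_MAX_LEN)
        return -2;                 /* declared length does not fit the buffer */
    if (stream_recv(&s, out, name_len) != name_len)
        return -3;                 /* peer sent fewer bytes than it declared */
    out[name_len] = '\0';
    return (int)name_len;
}

int main(void)
{
    /* Constructed messages: a 5-byte name, and a declared length of 4096. */
    static const uint8_t ok[]  = { 5, 0, 0, 0, 'h', 'o', 's', 't', '1' };
    static const uint8_t big[] = { 0x00, 0x10, 0, 0, 'A', 'A', 'A', 'A' };
    char name[NAME_MAX_LEN + 1];
    printf("ok  -> %d\n", recv_computername(ok, sizeof ok, name));
    printf("big -> %d\n", recv_computername(big, sizeof big, name));
    return 0;
}
```

Rejecting an oversized length outright, rather than truncating it, keeps the rest of the handshake from parsing leftover name bytes as the next field.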

The vulnerability is present in many popular and modern routers. Manufacturers use different marketing names for NetUSB functionality: NETGEAR calls it ReadySHARE, while others simply call it “printer sharing” or “USB sharing”.
The vulnerability is confirmed on the following routers, with the latest firmware version:

Although NetUSB on these routers only works on LAN ports, the researchers found a number of hosts with port 20005 open on the Internet. It is unclear whether this happened due to incorrect default settings or whether users opened access from the outside themselves.
Incomplete list of potentially vulnerable routers with NetUSB in their firmware code
D-Link DIR-615 C
NETGEAR AC1450
NETGEAR CENTRIA (WNDR4700 / 4720)
NETGEAR D6100
NETGEAR D6200
NETGEAR D6300
NETGEAR D6400
NETGEAR DC112A
NETGEAR DC112A (Zain)
NETGEAR DGND4000
NETGEAR EX6200
NETGEAR EX7000
NETGEAR JNR3000
NETGEAR JNR3210
NETGEAR JR6150
NETGEAR LG6100D
NETGEAR PR2000
NETGEAR R6050
NETGEAR R6100
NETGEAR R6200
NETGEAR R6200v2
NETGEAR R6220
NETGEAR R6250
NETGEAR R6300v1
NETGEAR R6300v2
NETGEAR R6700
NETGEAR R7000
NETGEAR R7500
NETGEAR R7900
NETGEAR R8000
NETGEAR WN3500RP
NETGEAR WNDR3700v5
NETGEAR WNDR4300
NETGEAR WNDR4300v2
NETGEAR WNDR4500
NETGEAR WNDR4500v2
NETGEAR WNDR4500v3
NETGEAR XAU2511
NETGEAR XAUB2511
TP-LINK Archer C2 V1.0 (Fix planned before 2015/05/22)
TP-LINK Archer C20 V1.0 (Not affected)
TP-LINK Archer C20i V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer C5 V1.2 (Fix planned before 2015/05/22)
TP-LINK Archer C5 V2.0 (Fix planned before 2015/05/30)
TP-LINK Archer C7 V1.0 (Fix planned before 2015/05/30)
TP-LINK Archer C7 V2.0 (Fix already released)
TP-LINK Archer C8 V1.0 (Fix planned before 2015/05/30)
TP-LINK Archer C9 V1.0 (Fix planned before 2015/05/22)
TP-LINK Archer D2 V1.0 (Fix planned before 2015/05/22)
TP-LINK Archer D5 V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer D7 V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer D7B V1.0 (Fix planned before 2015/05/31)
TP-LINK Archer D9 V1.0 (Fix planned before 2015/05/25)
TP-LINK Archer VR200v V1.0 (Fix already released)
TP-LINK TD-VG3511 V1.0 (End-Of-Life)
TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-VG3631 V1.0 (Fix planned before 2015/05/31)
TP-LINK TD-W1042ND V1.0 (End-Of-Life)
TP-LINK TD-W1043ND V1.0 (End-Of-Life)
TP-LINK TD-W8968 V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8968 V2.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8968 V3.0 (Fix planned before 2015/05/25)
TP-LINK TD-W8970 V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8970 V3.0 (Fix already released)
TP-LINK TD-W8970B V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W8980 V3.0 (Fix planned before 2015/05/25)
TP-LINK TD-W8980B V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-W9980 V1.0 (Fix already released)
TP-LINK TD-W9980B V1.0 (Fix planned before 2015/05/30)
TP-LINK TD-WDR4900 V1.0 (End-Of-Life)
TP-LINK TL-WR1043ND V2.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR1043ND V3.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR1045ND V2.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR3500 V1.0 (Fix planned before 2015/05/22)
TP-LINK TL-WR3600 V1.0 (Fix planned before 2015/05/22)
TP-LINK TL-WR4300 V1.0 (Fix planned before 2015/05/22)
TP-LINK TL-WR842ND V2.0 (Fix planned before 2015/05/30)
TP-LINK TL-WR842ND V1.0 (End-Of-Life)
TP-LINK TX-VG1530 (GPON) V1.0 (Fix planned before 2015/05/31)
Trendnet TE100-MFP1 (v1.0R)
Trendnet TEW-632BRP (A1.0R)
Trendnet TEW-632BRP (A1.1R / A1.2R)
Trendnet TEW-632BRP (A1.1R / A1.2R / A1.3R)
Trendnet TEW-634GRU (v1.0R)
Trendnet TEW-652BRP (V1.0R)
Trendnet TEW-673GRU (v1.0R)
Trendnet TEW-811DRU (v1.0R)
Trendnet TEW-812DRU (v1.0R)
Trendnet TEW-812DRU (v2.xR)
Trendnet TEW-813DRU (v1.0R)
Trendnet TEW-818DRU (v1.0R)
Trendnet TEW-823DRU (v1.0R)
Trendnet TEW-MFP1 (v1.0R)
Zyxel NBG-419N v2
Zyxel NBG4615 v2
Zyxel NBG5615
Zyxel NBG5715

At the moment, only TP-LINK has released vulnerability fixes, and only for some models; another 40 models will receive an update a little later. Some manufacturers allow you to disable NetUSB, but NETGEAR, at least, has no such functionality: you can neither disable the feature nor close the port through the firewall.
List of manufacturers using NetUSB in their products, according to information from the driver code
Allnet
Ambir Technology
AMIT
Asante
Atlantis
Corega
Digitus
D-Link
EDIMAX
Encore Electronics
Engenius
Etop
Hardlink
Hawking
IOGEAR
Levelone
Longshine
Netgear
PCI
PROLiNK
Sitecom
Taifa
TP-LINK
TRENDnet
Western Digital
ZyXEL

KCodes responded vaguely to the vulnerability report, so the researchers wrote about it directly to the manufacturers and CERT. The researchers have also developed a PoC, which has not been published (yet).
Vulnerability Information
Information on the CERT website
SEC Consult blog vulnerability note

Source: https://habr.com/ru/post/258335/

