# A Firmware Modification Vulnerability During Firmware Update in Netgear XAVN2001 Wireless-N Extender ## Affected Products: We have tested on **Netgear XAVN2001v2 Wireless-N Extenders (firmware version: 0.4.0.7 and earlier)**. Also, we suspect it may also work on other models with similar firmware versions. ## Overview: An exploitable firmware modification attack vulnerability was discovered on the Netgear XAVN2001v2 Wireless-N Extenders. The data integrity of the uploaded firmware image is ensured with a fixed checksum number. Therefore, an attacker can conduct a MITM attack to modify the user-uploaded firmware image and bypass the checksum verification. A successful attack can either introduce a backdoor or malware to the device or make the device DoS. ## Details: When performing a firmware update, users can download a new firmware image from the vendor server and upload it via the web interface of the device. The web interface uses HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. Therefore, the firmware update process is vulnerable to man-in-the-middle (MITM) attacks. For the firwmare image, the first 128 bytes of the firmware image contain firmware metadata, including device model, firmware version, region, etc. It is worth noting that, when a new firmware image is uploaded, the device checks the version of the uploaded firmware by reading the metadata and checks the file integrity by summing all bytes of the file. More specific, the file integrity check is based on cyclic redundancy check (CRC). Such an integrity check can be easily bypassed as long as ensuring the modified firmware image has the same checksum with that as the original firmware image. For example, Fig. 1 and Fig. 2 are the fragments from the original firmware image and the modified firmware image, respectively. By modifying two bits, the modified firmware can bypass firmware verification successfully. Also, note that the communication uses the plain HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates. Specifically, the attacker can craft a malicious firmware image and replace the benign firmware image during the firmware update process via a MITM attack so that the malicious firmware image can be flashed into the device. ![](https://i.imgur.com/1BYAsUS.png) *Fig. 1. Firmware fragment before modification.* ![](https://i.imgur.com/WImfuIb.png) *Fig. 2. Firmware fragment after modification.*