# A Firmware Downgrade Vulnerability in Netgear WNR2000 Router

## Affected Products:

We have tested on WNR2000v1 (firmware version: 1.2.3.7 and earlier). We suspect it may also work on other models with similar firmware versions.

## Overview:

An exploitable firmware downgrade vulnerability was discovered on the WNR2000v1 router. An attacker can conduct a MITM attack to replace the user-uploaded firmware image with an old firmware image.

## Details:

When performing a firmware update, users can download a new firmware image from the vendor server and upload it via the web interface of the device. When a new firmware image is uploaded, the device checks its version by extracting the firmware version from the file name. As a result, if an old firmware image is uploaded under the file name of a new firmware image, the firmware verification passes.

Note that the communication uses the plain HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue to supply firmware update images with lower versions. Specifically, after a user uploads a new firmware image, the attacker can replace the uploaded contents with the contents of an old firmware image without changing the file name field in the network packet. In this case, the user will think that they are installing a newer version of the firmware when in reality the old firmware is installed on the device. This could reintroduce vulnerabilities that exist in old versions of the firmware.

The backend logs after launching the attack are listed below. The logs show that after the firmware image is replaced, the firmware verification passes and the firmware update process proceeds as if a new firmware image had been uploaded.
```
CGI POST TMPFILE is /tmp/filedsKbal
toUpgradeVersion=
firmware_version=
128+0 rurecords in
128+0 records out
/tmp/netgear-wnr2000-image crc_check ok ...
begin to write kernel and rootfs, offset: 298
Writing from /tmp/netgear-wnr2000-image to /dev/mtd/3 ...
[ ]w: 16384 [w]w: 32768 [w]w: 49152 [w]w: 65536 [w]w: 81920 [w]w: 98304 [w]w: 114688 [w]w: 131072 [w]w: 147456 [w]w: 163840 [w]w: 180224 [w]w: 196608 [w]w: 212992 [w]w: 22937 …
kernel write done!
[ ]w: 16384 [w]w: 32768 [w]w: 49152 [w]w: 65536 [w]w: 81920 [w]w: 98304 [w]w: 114688 [w]w: 131072 [w]w: 147456 [w]w: 163840 …
The system is going down NOW !!
Sending SIGTERM to all processes.
Exiting Syslogd!
Jul 27 18:35:02 miniupnpd[485]: received signal 15, good-bye
Sending SIGKILL to all processes.
sys_reboot[PID: 4985 (reboot)]: magic1:fee1dead, magic2:28121969, cmd:1234567
sys_reboot: removed CAP_SYS_BOOT, starting init...
```
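Added example (not from the original advisory and not Netgear's code): a sketch contrasting the file-name-based version check described above with a check that authenticates the image bytes and reads the version embedded in them. The image layout, file-name pattern, and key are constructed for illustration, and HMAC-SHA256 stands in for a vendor signature.

```python
import hashlib
import hmac
import re
import struct

MAGIC = b"FWIM"                 # hypothetical image magic (assumption)
KEY = b"constructed-demo-key"   # stand-in for a vendor signing key (assumption)

def build_image(version, payload):
    """Constructed sample image: magic | 4 version bytes | payload | 32-byte tag."""
    body = MAGIC + struct.pack("4B", *version) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

def filename_version(filename):
    """Version as the flawed check sees it: parsed from the upload's file name."""
    m = re.search(r"V(\d+)\.(\d+)\.(\d+)\.(\d+)", filename)
    return tuple(int(x) for x in m.groups()) if m else None

def check_by_filename(filename, image, installed):
    """Flawed check described on the page: the image bytes are never consulted."""
    v = filename_version(filename)
    return v is not None and v >= installed

def check_by_content(filename, image, installed):
    """Hardened check: authenticate the bytes, then compare the embedded version."""
    if len(image) < 8 + 32 or image[:4] != MAGIC:
        return False
    body, tag = image[:-32], image[-32:]
    if not hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest(), tag):
        return False                      # modified or unauthenticated image
    embedded = struct.unpack("4B", body[4:8])
    return embedded >= installed          # the file name plays no part

INSTALLED = (1, 2, 3, 7)
OLD = build_image((1, 0, 0, 1), b"old kernel+rootfs")   # constructed sample
NEW = build_image((1, 2, 3, 8), b"new kernel+rootfs")   # constructed sample
NEW_NAME = "wnr2000-V1.2.3.8.img"                       # constructed file name

if __name__ == "__main__":
    for label, img in (("new image", NEW), ("old image, new name", OLD)):
        print(label,
              "| filename check:", check_by_filename(NEW_NAME, img, INSTALLED),
              "| content check:", check_by_content(NEW_NAME, img, INSTALLED))
```

Authenticating the image on the device closes the downgrade path even when the upload itself travels over plain HTTP, because a swapped or edited image fails verification regardless of its file name.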