# Two Vulnerabilities Regarding Firmware Updates in Netgear XWN5001 WiFi Access Point

## Affected Products

We have tested on Netgear XWN5001 – Powerline 500 WiFi Access Point (firmware version: 0.4.1.1 and earlier). We suspect it may also work on other models with similar firmware versions.

## Vulnerability #1 - Firmware Downgrade Attack

### Overview:

An exploitable firmware downgrade vulnerability was discovered on the XWN5001 – Powerline 500 WiFi Access Point. A specially crafted firmware update file can allow an attacker to install firmware of an older version while the user thinks firmware of a newer version is being installed. An attacker can create a custom firmware update package with modified metadata in order to trigger this vulnerability.

### Details:

When performing a firmware update, users download a new firmware image from the vendor server and upload it via the web interface of the device. The web interface uses the HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. Therefore, the firmware update process is vulnerable to man-in-the-middle (MITM) attacks.

The first 128 bytes of the firmware image contain firmware metadata, including device model, firmware version, region, etc. It is worth noting that, when a new firmware image is uploaded, the device checks the version of the uploaded firmware by reading the metadata and checks the file integrity by summing all bytes of the file. Specifically, if the new version number is larger than the current version number and the sum of all bytes of the new firmware image equals -1, both the version check and the file integrity check pass.

An attacker could prepare a malicious firmware image by extracting an old firmware image. Once extracted, the attacker could modify the version number to meet two requirements: 1) the version number is larger than the current version number; 2) the sum of the version-number digits equals that of the original, unmodified firmware image, so the byte sum of the file is unchanged. For example, if the current firmware version is v.0.4.1.1, an attacker can download a firmware image of version v.0.4.0.7 and modify the version number to v.0.4.1.6, thus meeting both requirements (see Fig. 1 for the firmware header without modification and Fig. 2 for the firmware header after modification). In this case, when performing the firmware update the user will think that they are installing a newer version of firmware when in reality version v.0.4.0.7 firmware is installed on the device.

Note that the communication uses the plain HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates. This could reintroduce vulnerabilities present in old versions of the firmware.

![](https://i.imgur.com/TGa3aui.png)
*Fig. 1. Firmware header before modification.*

![](https://i.imgur.com/HaaCgDO.png "Firmware header after modification")
*Fig. 2. Firmware header after modification.*

## Vulnerability #2 - Firmware Modification Attack

### Overview:

An exploitable firmware modification vulnerability was discovered on the Netgear XWN5001 – Powerline 500 WiFi Access Point. The data integrity of the uploaded firmware image is ensured only with a fixed checksum value. Therefore, an attacker can conduct a MITM attack to modify the user-uploaded firmware image and bypass the checksum verification. A successful attack can either introduce a backdoor or malware to the device or cause a denial of service on the device.

### Details:

When performing a firmware update, users download a new firmware image from the vendor server and upload it via the web interface of the device. The web interface uses the HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. Therefore, the firmware update process is vulnerable to man-in-the-middle (MITM) attacks.

The first 128 bytes of the firmware image contain firmware metadata, including device model, firmware version, region, etc. It is worth noting that, when a new firmware image is uploaded, the device checks the version of the uploaded firmware by reading the metadata and checks the file integrity by summing all bytes of the file. Specifically, if the new version number is larger than the current version number and the sum of all bytes of the new firmware image equals -1, both the version check and the file integrity check pass.

Such an integrity check can be easily bypassed as long as the modified firmware image has the same checksum as the original firmware image. For example, Fig. 3 and Fig. 4 are fragments from the original firmware image and the modified firmware image, respectively. By modifying two bits, the modified firmware bypasses firmware verification successfully. An attacker can craft a malicious firmware image and replace the benign firmware image during the firmware update process via a MITM attack so that the malicious firmware image is flashed onto the device.

![](https://i.imgur.com/zSDGVMz.png)
*Fig. 3. Firmware fragment before modification.*

![](https://i.imgur.com/RiU4FZA.png)
*Fig. 4. Firmware fragment after modification.*
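Both vulnerabilities come down to the same weak integrity check: an additive byte sum is preserved by any change whose contributions cancel, so it detects accidental corruption but not deliberate modification. The following Python is an added example (not code from the advisory or from Netgear) that models the check as the advisory describes it and contrasts it with a verifier that authenticates the image before trusting its version field. The header layout, the model tag `XWN-DEMO`, the version offset, the demo key, the payload bytes and the use of HMAC-SHA256 as a stand-in for a vendor signature are all constructed for this example; the assumption that "sum equals -1" means the low byte of the sum is 0xFF is likewise ours.

```python
import hashlib
import hmac

HEADER_LEN = 128          # the advisory: the first 128 bytes are metadata
VERSION_OFF = 8           # constructed: where this demo stores 4 version octets
DEMO_KEY = b"constructed-demo-key-not-a-real-vendor-key"


def additive_checksum_ok(image: bytes) -> bool:
    """Model of the device's check as the advisory describes it: the sum of all
    bytes must equal -1. Assumption: the sum is taken as an 8-bit two's-complement
    value, so -1 means the low byte of the sum is 0xFF."""
    return (sum(image) & 0xFF) == 0xFF


def build_image(version: tuple, body: bytes) -> bytes:
    """Constructed stand-in for a firmware image: a 128-byte header holding a
    model tag and 4 version octets, the body, and one trailing byte chosen so
    the additive checksum passes. This layout is invented for the example and
    is not the XWN5001's real header format."""
    header = bytearray(HEADER_LEN)
    header[0:8] = b"XWN-DEMO"
    header[VERSION_OFF:VERSION_OFF + 4] = bytes(version)
    image = bytes(header) + body
    trailer = (0xFF - sum(image)) & 0xFF
    return image + bytes([trailer])


def version_of(image: bytes) -> tuple:
    """Read the 4 version octets from the constructed header."""
    return tuple(image[VERSION_OFF:VERSION_OFF + 4])


def sign(image: bytes, key: bytes = DEMO_KEY) -> bytes:
    """HMAC-SHA256 as a stand-in for a vendor signature: only the key holder
    can produce a valid tag, so a MITM cannot re-tag a modified image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def accept_update(image: bytes, tag: bytes, current: tuple, key: bytes = DEMO_KEY) -> str:
    """Hardened acceptance logic: authenticate first, then enforce that the
    (now trusted) version is strictly newer than what is installed."""
    if not hmac.compare_digest(sign(image, key), tag):
        return "rejected: authentication failed"
    if version_of(image) <= current:
        return "rejected: not newer than installed version"
    return "accepted"


def run_scenarios() -> dict:
    """Replay both advisory scenarios against the weak and the hardened check."""
    current = (0, 4, 1, 1)
    body = b"\x10" * 64                        # constructed payload
    legit = build_image((0, 4, 1, 6), body)    # genuine newer release
    old = build_image((0, 4, 0, 7), body)      # genuine older release
    legit_tag, old_tag = sign(legit), sign(old)

    # Vulnerability #1: version field of the old image rewritten 0.4.0.7 -> 0.4.1.6.
    # The digit sum is unchanged (0+4+0+7 == 0+4+1+6), so the byte sum is too.
    masquerade = bytearray(old)
    masquerade[VERSION_OFF + 2], masquerade[VERSION_OFF + 3] = 1, 6
    masquerade = bytes(masquerade)

    # Vulnerability #2: one body byte changed and the trailer adjusted in the
    # opposite direction, which leaves the byte sum unchanged.
    modified = bytearray(legit)
    modified[HEADER_LEN] = (modified[HEADER_LEN] + 1) & 0xFF
    modified[-1] = (modified[-1] - 1) & 0xFF
    modified = bytes(modified)

    return {
        "weak_accepts_masquerade": additive_checksum_ok(masquerade),
        "weak_accepts_modified": additive_checksum_ok(modified),
        "hardened_legit": accept_update(legit, legit_tag, current),
        "hardened_old": accept_update(old, old_tag, current),
        "hardened_masquerade": accept_update(masquerade, old_tag, current),
        "hardened_modified": accept_update(modified, legit_tag, current),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The order of checks in `accept_update` matters: the version comparison is only meaningful once the header is known to be authentic, which is exactly what the device's additive checksum cannot establish. Transport encryption (HTTPS for the upload) closes the MITM path, but an image-level signature is what protects against a tampered file regardless of how it reaches the device.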