# A Firmware Modification Attack Vulnerability in Netgear WNR2000 Router ## Affected Products: We have tested onWNR2000v1 (firmware version: and earlier). Also, we suspect it may also work on other models with similar firmware versions. ## Overview: An exploitable firmware modification vulnerability was discovered on the WNR2000v1 router. An attacker can conduct a MITM attack to modify the user-uploaded firmware image and bypass the CRC check. A successful attack can either introduce a backdoor or malware to the device or even make the device DoS. ## Details: The data integrity check mechanism of the firmware update function is based on the CRC check. However, such a check is easy to be bypassed. Specifically, An attacker could customize a malicious firmware image with the CRC checksum equal to 0. Thus the data integrity check can be passed. Also, the communication uses the plain HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue in order to provide malicious firmware update images. Specifically, the attacker can change uploaded contents to the contents of a customized malicious firmware image after a user uploads a new firmware image. In this case, the user will think that they are installing a normal firmware image when in reality the malicious firmware is installed on the device. This could result in backdoor, malware, or backdoor attacks. The backend logs after launching the attack are listed below. From the logs, we can see that after the firmware image is replaced, the firmware verification can be bypassed and the firmware update process proceeds as if a normal firmware image is uploaded. ``` CGI POST TMPFILE is /tmp/filemF4bzZ toUpgradeVersion= firmware_version= 128+0 records in 128+0 records out /tmp/netgear-wnr2000-image crc_check ok ... begin to write kernel and rootfs, offset: 298 Writing from /tmp/netgear-wnr2000-image to /dev/mtd/3 ... [ ]w: 16384 [w]w: 32768 [w]w: 49152 [w]w: 65536 [w]w: 81920 [w]w: 98304 [w]w: 114688 [w]w: 131072 [w]w: 147456 [w]w: 163840 [w]w: 180224 [w]w: 196608 [w]w: 212992 … kernel write done! [ ]w: 16384 [w]w: 32768 [w]w: 49152 [w]w: 65536 [w]w: 81920 [w]w: 98304 [w]w: 114688 [w]w: 131072 [w]w: 147456 [w]w: 163840 [w]w: 180224 [w]w: 196608 … The system is going down NOW !! Sending SIGTERM to all processes. Exiting Syslogd! Sending SIGKILL to all processes. sys_reboot[PID: 4685 (reboot)]: magic1:fee1dead, magic2:28121969, cmd:1234567 sys_reboot: removed CAP_SYS_BOOT, starting init... ```