Reverse Engineering a Netgear WNDR3800 Router


After doing a lot of research yesterday and today I decided to try my hand at hacking a router. I had never done reversing on hardware before so this was a first.

Initially I wanted to reverse engineer my own device, the Motorola SBG6580, but sadly discovered that, since it is a gateway device, its firmware is not available to the public. If I wanted to upgrade the firmware I’d have needed to call Comcast to get them to upgrade it for me. Bummer. So instead, in this post I will be reverse engineering a Netgear WNDR3800 router. According to security researcher Zachary Cutlip, it ships the same miniDLNA binary as the WNDR3700 router, which is susceptible to SQL injection, so let’s see if we can find it in the file system.

For this we will begin with binwalk, an open-source firmware analysis tool created by /dev/ttys0 that is used to analyze, extract and reverse engineer firmware images. Definitely check out /dev/ttys0’s blog if you’re interested in learning more about reverse engineering embedded systems in depth. Let’s run binwalk on the firmware image and scan it for file signatures.

# binwalk WNDR3800-V1.0.0.44.img

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
192       	0xC0      	Squashfs filesystem, big endian, version 3.0, size: 10986170 bytes, 1530 inodes, blocksize: 65536 bytes, created: Tue Dec  4 03:28:04 2012

Luckily we don’t get any false positives, and only one signature was detected. We can see here that the image uses SquashFS, a popular compressed, read-only file system used by embedded systems. This is good because SquashFS is supported by the Linux kernel, and we all know how much we like Linux. The signature also tells us the file system was built for a big-endian architecture.
As a side note, some other popular file systems you may see when you run binwalk on firmware include romfs, cramfs and jffs2, among many more. All of these file systems were designed with simplicity in mind: embedded systems typically have slow CPUs and minimal memory, and often rely on obfuscation for security.

OK, now back to the firmware image: let’s extract the filesystem and navigate to the new directory made.

# binwalk -e WNDR3800-V1.0.0.44.img

DECIMAL   	HEX       	DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
192       	0xC0      	Squashfs filesystem, big endian, version 3.0, size: 10986170 bytes, 1530 inodes, blocksize: 65536 bytes, created: Tue Dec  4 03:28:04 2012

# cd _WNDR3800-V1.0.0.44.img-4.extracted/ && ls
C0.squashfs  squashfs-root

Here we see that binwalk extracted the SquashFS image successfully and conveniently unpacked it in the same directory.
If we hexdump the C0.squashfs file we can see that the very first ASCII string is ‘sqsh’.

00000000   73 71 73 68  00 00 05 FA  18 08 04 89  02 40 00 1F  C9 00 CB 00  70 00 8A 17  sqsh.........@......p...
00000018   70 08 04 87  00 03 00 00  8A CF 00 10  40 01 00 50  BD DE 44 00  00 00 00 33  p...........@..P..D....3
00000030   14 07 12 00  01 00 00 00  00 00 72 00  CB A5 14 00  00 00 00 00  A7 A2 BA 00  ..........r.............
00000048   00 00 00 00  A7 A2 B6 00  00 00 00 00  00 00 00 00  00 00 00 00  A7 31 7E 00  .....................1~.
00000060   00 00 00 00  A7 66 97 00  00 00 00 00  A7 A2 AE FF  FF FF FF FF  FF FF FF 00  .....f..................
00000078   3F 91 45 84  68 34 8A 09  0A 40 62 AE  9E 29 20 B2  FA 62 1E C3  68 B1 91 A7  ?.E.h4...@b..) ..b..h...
00000090   84 9A 28 6C  ED 3F B9 5A  5C CB EB 2C  F8 9F B2 F2  64 CD E9 9E  4B AE 35 04  ..(l.?.Z\..,....d...K.5.
000000A8   D9 ED B1 EA  62 33 BA 3B  E8 79 A4 8F  2F E8 F9 9A  A9 CE A9 71  C8 8C 27 10  ....b3.;.y../......q..'.
000000C0   23 51 38 C9  57 80 66 D8  65 60 E8 3C  8E 75 A6 F9  63 79 30 70  B5 85 E6 4C  #Q8.W.f.e`.<.u..cy0p...L
000000D8   47 43 AD 0E  FB 6A 75 5D  1E 9B 84 4A  02 24 6C 8F  EF 78 10 9C  3F 46 0A A3  GC...ju]...J.$l..x..?F..
000000F0   E0 0F 7B 07  F4 31 49 B9  92 CA 58 2D  F6 A6 22 1B  2F 53 A1 2E  E9 F2 FA C6  ..{..1I...X-.."./S......
00000108   7C AA 5E D9  49 98 D5 E0  A7 D0 95 99  3D 13 ED 09  BC B7 01 69  B6 C0 DF 2E  |.^.I.......=......i....
00000120   A1 0B FF 04  38 BA BB 49  C7 86 78 27  5D 7A 19 66  A6 76 1C 56  45 12 EA CD  ....8..I..x']z.f.v.VE...
00000138   98 5B 64 97  2E 9B B0 C2  CC 30 C4 37  28 4E 83 82  BA 3F D5 EE  C7 7C 03 21  .[d......0.7(N...?...|.!
00000150   83 28 46 0E  FA 31 A6 C2  96 15 32 46  A8 0D 7D 7D  1F 71 DE F8  DB A2 7B C4  .(F..1....2F..}}.q....{.
00000168   DC 04 85 A7  6C BA D0 BD  A8 60 D3 32  29 B1 45 11  6B CF 88 56  05 75 60 20  ....l....`.2).E.k..V.u`
00000180   CB 7C 30 8A  85 75 8B 66  F5 A6 45 D7  79 9C AB 9B  59 52 A0 7F  9D D8 E4 25  .|0..u.f..E.y...YR.....%

This is the SquashFS magic string in big endian order. If we were looking at a SquashFS file set to little endian order we would find ‘hsqs’ instead.
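Binwalk’s one-line summary (offset 0xC0, big endian, version 3.0, 10986170 bytes, 1530 inodes, 65536-byte blocks, creation time) comes straight out of the superblock that follows the magic string. The script below, which I am adding here as an example and which is not part of the original post or of binwalk, decodes a SquashFS 3.x superblock in either byte order using the field layout from squashfs_fs.h 3.x, and scans a blob for the magic the way binwalk does. It goes one step further than the post by rejecting a bare ‘sqsh’/‘hsqs’ hit whose fields do not add up, since a four-byte magic on its own is a weak signal. The sample bytes are the first 72 bytes of the hexdump above, transcribed by hand (a constructed input, not a file read from disk), and the 192 zero bytes in front of them are a placeholder for the real Netgear header.

```python
"""Scan a firmware blob for SquashFS v3 superblocks and decode them.

Added example (not from the original post): reproduces, in Python, the
fields binwalk printed for the WNDR3800 image, using the superblock
layout from SquashFS 3.x squashfs_fs.h.  The sample bytes below are the
first 72 bytes of the C0.squashfs hexdump shown in the post, transcribed
by hand (a constructed input, not a file read from disk).
"""
import struct
from datetime import datetime, timezone

# Magic as it appears on disk; which one you see tells you the byte order.
MAGIC_BIG = b"sqsh"
MAGIC_LITTLE = b"hsqs"

# SquashFS 3.x superblock, first 71 bytes, packed (no alignment padding).
# Field order follows struct squashfs_super_block in squashfs_fs.h 3.x.
_SB_FMT = "4s" + "I" * 6 + "H" * 4 + "B" * 3 + "I" + "Q" + "I" * 3 + "q"
_SB_FIELDS = (
    "magic", "inodes", "bytes_used_2", "uid_start_2", "guid_start_2",
    "inode_table_start_2", "directory_table_start_2", "s_major", "s_minor",
    "block_size_1", "block_log", "flags", "no_uids", "no_guids",
    "mkfs_time", "root_inode", "block_size", "fragments",
    "fragment_table_start_2", "bytes_used",
)
SB_SIZE = struct.calcsize(">" + _SB_FMT)  # 71


def parse_superblock(buf, offset=0):
    """Decode a v3 superblock at `offset`; raises ValueError if it is not one."""
    magic = buf[offset:offset + 4]
    if magic == MAGIC_BIG:
        order = ">"
    elif magic == MAGIC_LITTLE:
        order = "<"
    else:
        raise ValueError("no SquashFS magic at offset %d" % offset)
    if len(buf) < offset + SB_SIZE:
        raise ValueError("truncated superblock")
    sb = dict(zip(_SB_FIELDS, struct.unpack_from(order + _SB_FMT, buf, offset)))
    # A magic match is only four bytes; sanity-check the fields before trusting it.
    if sb["s_major"] != 3:
        raise ValueError("only SquashFS 3.x is handled, got major %d" % sb["s_major"])
    if not (12 <= sb["block_log"] <= 20) or sb["block_size"] != 1 << sb["block_log"]:
        raise ValueError("inconsistent block size fields")
    if sb["bytes_used"] <= 0 or sb["inodes"] == 0:
        raise ValueError("implausible size or inode count")
    return {
        "endian": "big" if order == ">" else "little",
        "version": (sb["s_major"], sb["s_minor"]),
        "inodes": sb["inodes"],
        "block_size": sb["block_size"],
        "bytes_used": sb["bytes_used"],
        "mkfs_time": sb["mkfs_time"],
        "created_utc": datetime.fromtimestamp(sb["mkfs_time"], timezone.utc).isoformat(),
    }


def find_squashfs(image):
    """binwalk-style scan: every offset whose magic decodes to a valid superblock."""
    hits = []
    for magic in (MAGIC_BIG, MAGIC_LITTLE):
        pos = image.find(magic)
        while pos != -1:
            try:
                hits.append((pos, parse_superblock(image, pos)))
            except ValueError:
                pass  # a stray "sqsh" inside other data, not a filesystem
            pos = image.find(magic, pos + 1)
    return sorted(hits)


def swap_endian(sb_bytes):
    """Re-encode a v3 superblock in the other byte order (the 'hsqs' case)."""
    order = ">" if sb_bytes[:4] == MAGIC_BIG else "<"
    other = "<" if order == ">" else ">"
    fields = list(struct.unpack_from(order + _SB_FMT, sb_bytes))
    fields[0] = MAGIC_LITTLE if other == "<" else MAGIC_BIG
    return struct.pack(other + _SB_FMT, *fields)


# Constructed input: bytes 0x00-0x47 of the C0.squashfs hexdump in the post.
SAMPLE_SUPERBLOCK = bytes.fromhex(
    "73717368 000005FA 18080489 0240001F C900CB00 70008A17"
    "70080487 00030000 8ACF0010 40010050 BDDE4400 00000033"
    "14071200 01000000 00007200 CBA51400 00000000 A7A2BA00"
)

# Mimic the post's image layout: 192 bytes of header (zeroed here, a
# placeholder for the real Netgear header) followed by the filesystem.
SAMPLE_IMAGE = b"\x00" * 192 + SAMPLE_SUPERBLOCK

if __name__ == "__main__":
    for off, info in find_squashfs(SAMPLE_IMAGE):
        print("0x%X" % off, info)
```

Run as a script it reports the superblock at 0xC0 with 1530 inodes, 65536-byte blocks and 10986170 bytes used, i.e. the same numbers binwalk printed; the creation time decodes to 2012-12-04 11:28:04 UTC, which is binwalk’s 03:28:04 rendered in UTC instead of the local time zone of the host that ran it. The `swap_endian` helper exists to show that a little-endian image carries exactly the same fields behind ‘hsqs’; only the byte order of each integer changes.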

Let’s take a look inside the root directory and see what we find.

# cd squashfs-root/ && ls
bin                       dev  firmware_region  firmware_version  hardware_version  image  lib  module_name  proc  sbin  tmp  var
default_language_version  etc  firmware_time    hardware_id       home              jffs   mnt  opt          rom   sys   usr  www

Looks like we have a bunch of files and directories to play with! W00t. Now let’s find that miniDLNA file…

# find . -name "minidlna"
./usr/sbin/minidlna

Sure enough, there it is. Now let’s do some research to verify that this is exploitable. After looking online, this is what I find:

“MiniDLNA prior to v1.1.0 (http://sourceforge.net/projects/minidlna/)
is prone to a variety of issues which could be used to take control of
a host running this software.”

Cool. Let’s verify we have an early enough version on this router.

# strings usr/sbin/minidlna | grep version
sqlite3_libversion
sqlite3_libversion_number
	-V print the version number
Starting ReadyDLNA version 1.0.19 [SQLite %s].
SQLite library is old.  Please use version 3.5.1 or newer.

Awesome.
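The `strings | grep version` step above is easy to repeat across a whole extracted root, and the “prior to v1.1.0” comparison is safer done on numbers than by eye (“1.0.9” sorts after “1.0.19” as a string but before it as a version). The snippet below is an added example, not code from the post or from miniDLNA: it pulls printable strings out of a binary the way strings(1) does, finds the ReadyDLNA/MiniDLNA banner, and compares the version numerically against the fixed release. The blob it scans is a constructed stand-in that carries the banner text the post found, not the real /usr/sbin/minidlna.

```python
"""Pull a version banner out of a binary and compare it with a fix version.

Added example (not from the post): a minimal re-implementation of the
`strings | grep version` step, followed by a numeric version comparison,
so the 'prior to v1.1.0' check is done on numbers rather than by eye.
SAMPLE_BINARY is a constructed blob carrying the banner the post found
in usr/sbin/minidlna; it is not the real file.
"""
import re

# Banner format seen in the post: "Starting ReadyDLNA version 1.0.19 [SQLite %s]."
BANNER_RE = re.compile(rb"(?:ReadyDLNA|MiniDLNA) version (\d+(?:\.\d+)*)")


def printable_strings(data, min_len=4):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return [m.group(0) for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_version(text):
    """'1.0.19' -> (1, 0, 19); tuples compare numerically, strings would not."""
    return tuple(int(p) for p in text.split("."))


def find_dlna_version(data):
    """Return the version string from the first miniDLNA banner, or None."""
    for s in printable_strings(data):
        m = BANNER_RE.search(s)
        if m:
            return m.group(1).decode()
    return None


def is_before(found, fixed="1.1.0"):
    """True when `found` is older than `fixed` (the 'prior to v1.1.0' test)."""
    return parse_version(found) < parse_version(fixed)


# Constructed stand-in for the binary: an ELF-looking prefix, some junk,
# and the same strings the post's grep turned up.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"sqlite3_libversion\x00"
    + b"Starting ReadyDLNA version 1.0.19 [SQLite %s].\x00"
    + b"SQLite library is old.  Please use version 3.5.1 or newer.\x00"
)

if __name__ == "__main__":
    v = find_dlna_version(SAMPLE_BINARY)
    print("found version %s, before 1.1.0: %s" % (v, is_before(v)))
```

To use it on a real extracted root, read each candidate binary under `usr/sbin` and `usr/bin` with `open(path, "rb").read()` and pass the bytes to `find_dlna_version`; anything that returns a version for which `is_before` is true is on the affected side of the advisory quoted above.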
