NetUSB flaw leaves 'millions' of routers, IoT devices vulnerable to hacking

The flaw can be exploited to conduct denial-of-service attacks or remote hijacking.
Written by Charlie Osborne, Contributing Writer

Potentially millions of routers and Internet-of-Things devices have been placed at risk of hijacking due to a stack buffer overflow security flaw.

According to researcher Stefan Viehbock from SEC Consult Vulnerability Lab, the vulnerability, CVE-2015-3036, allows an unauthenticated attacker on the local network to trigger a kernel stack buffer overflow, causing a denial of service or permitting remote code execution. In some router configurations the attack may also be possible from outside the local network.

The security advisory attributes the flaw to "insufficient input validation": an overly long computer name overflows the fixed-size "computer name" buffer on the kernel stack.

The resulting memory corruption can be leveraged for remote code execution. Viehbock writes:

"The authentication is entirely useless as the AES keys are static and can be found in the kernel driver as well as in the client software for Windows and OS X. As part of the connection initiation, the client sends his computer name.

By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. Easy as a pie, the '90s are calling and want their vulns back, stack buffer overflow. All the server code runs in kernel mode, so this is a "rare" remote kernel stack buffer overflow."
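The bug pattern the advisory describes, modelled as an added C example (not KCodes' code): a length-prefixed computer name is received from the socket and copied into a 64-byte stack buffer. The vulnerable handler trusts the client's length and clobbers the word after the buffer, which stands in for the frame's saved return address; the fixed handler rejects anything that does not fit. The wire framing, the function names and the explicit frame layout are assumptions made for this demonstration, not NetUSB's actual protocol or internals.

```c
/* Added illustration, not KCodes' code: a model of the connection-initiation
 * step the advisory describes (client sends its computer name, server copies
 * it into a fixed 64-byte kernel stack buffer).  Framing (4-byte little-endian
 * length, then the name), function names and frame layout are assumptions. */
#include <stdint.h>
#include <string.h>

#define NAME_BUF  64
#define RA_INTACT 0xCAFEBABEu

/* Model of the stack frame around the buffer: the word after the array stands
 * in for whatever the compiler placed there (saved registers, return address).
 * Laying it out explicitly makes the corruption observable without a crash. */
struct frame {
    char computer_name[NAME_BUF];
    uint32_t return_address;
};

/* Parse one message: 4-byte little-endian length, then the name bytes.
 * Returns 0 and sets *name/*len, or -1 if the message is truncated. */
static int parse_message(const uint8_t *msg, size_t msg_len,
                         const uint8_t **name, uint32_t *len)
{
    uint32_t n;

    if (msg_len < 4)
        return -1;
    n = (uint32_t)msg[0] | ((uint32_t)msg[1] << 8) |
        ((uint32_t)msg[2] << 16) | ((uint32_t)msg[3] << 24);
    if (n > msg_len - 4)        /* claimed length exceeds what arrived */
        return -1;
    *name = msg + 4;
    *len = n;
    return 0;
}

/* Vulnerable handler: trusts the client-supplied length.  Returns 1 if the
 * frame's control word survived, 0 if it was overwritten, -1 if truncated. */
int recv_name_vulnerable(const uint8_t *msg, size_t msg_len)
{
    struct frame f;
    const uint8_t *name;
    uint32_t len;

    f.return_address = RA_INTACT;
    if (parse_message(msg, msg_len, &name, &len) != 0)
        return -1;
    /* The real bug has no cap; this one only keeps the copy inside the
     * modelled frame so the demo stays deterministic. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy((uint8_t *)&f, name, len);   /* spills past computer_name[] */
    return f.return_address == RA_INTACT;
}

/* Fixed handler: rejects any name that does not fit with its terminator.
 * Returns 0 and fills out[] on success, -1 on a malformed or oversized
 * message. */
int recv_name_fixed(const uint8_t *msg, size_t msg_len, char out[NAME_BUF])
{
    const uint8_t *name;
    uint32_t len;

    if (parse_message(msg, msg_len, &name, &len) != 0)
        return -1;
    if (len >= NAME_BUF)        /* the missing bounds check */
        return -1;
    memcpy(out, name, len);
    out[len] = '\0';
    return 0;
}

/* Constructed input: a message whose name is n bytes of 'A'.  Returns the
 * message length, or 0 if buf cannot hold it. */
size_t build_message(uint8_t *buf, size_t cap, uint32_t n)
{
    if (cap < (size_t)n + 4)
        return 0;
    buf[0] = (uint8_t)n;
    buf[1] = (uint8_t)(n >> 8);
    buf[2] = (uint8_t)(n >> 16);
    buf[3] = (uint8_t)(n >> 24);
    memset(buf + 4, 'A', n);
    return (size_t)n + 4;
}

/* Run one name length through each handler. */
int vulnerable_frame_intact(uint32_t n)
{
    uint8_t msg[256];
    size_t len = build_message(msg, sizeof msg, n);
    return recv_name_vulnerable(msg, len);
}

int fixed_accepts(uint32_t n)
{
    uint8_t msg[256];
    char out[NAME_BUF];
    size_t len = build_message(msg, sizeof msg, n);
    return recv_name_fixed(msg, len, out) == 0;
}
```

Because the overflow spills into the modelled frame rather than the real one, the process survives and the clobbered control word can be inspected; in the real driver the same copy lands on the kernel stack with nothing to catch it. Note the off-by-one trap: exactly 64 bytes fills the buffer without damage and 65 already overwrites the first byte of the next word, and a check of `len > NAME_BUF` would still leave no room for a terminator, which is why the fixed handler uses `len >= NAME_BUF`.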

NetUSB, developed by KCodes and used in a wide range of commercially available routers, provides USB-over-IP functionality: USB devices such as printers and flash drives plugged into a Linux-based system are made available over the network on TCP port 20005.

Routers, access points and dedicated USB over IP boxes often use this proprietary software.

Viehbock says the NetUSB feature was enabled on every device tested, and the server kept listening even when no USB device was plugged in.

TP-Link, D-Link, Trendnet, Netgear and Zyxel routers have been named, and the vulnerability has been confirmed in their most recent firmware versions. TP-Link has already issued patches for some of its router products, with others planned before the end of the month.

The researcher also believes that many other routers are affected by the vulnerability, including those offered by Allnet, IOGEAR, LevelOne, Western Digital and PCI.

In total, 26 vendor names are referenced in the file "NetUSB.inf", part of the Windows client driver setup, most likely because those vendors license KCodes' technology and therefore ship the vulnerable code. After analysing firmware images, the research team found 92 products containing NetUSB code, although the analysis did not cover every router offered by these vendors.

Viehbock attempted to contact KCodes to address the flaw before disclosing the issue publicly. He first contacted the developer in February this year and received no response. A month later the vendor replied in a confusing manner, requesting "fix verification". Later in March a conference call was scheduled, and both an advisory and a proof-of-concept demo were sent to Netgear and TP-Link. The conference call was cancelled, and coordination between vendors began in late March, before the vulnerability was disclosed.

Some routers offer an option to disable NetUSB, but according to Netgear there is no true workaround on its products, as the TCP port remains open even when firewall rules are applied. The only option, therefore, is to wait for patches.

In related news, a security researcher has posted an advisory on Full Disclosure relating to the ZTE AC 3633R USB modem. According to the advisory, a 121-character string entered in either the username or password field either bypasses the modem's authentication mechanism or crashes the device.
