Pwn2Own Austin 2021 - Defeating the Netgear R6700v3

Published on 03 Apr 2022

Pwn2Own is a famous computer hacking contest held twice a year. It provides various targets that hackers compete to compromise. It may feature industrial devices, routers, printers, smartphones or even cars, and the targets change for each event.

A coworker of mine and I took a look at the Netgear R6700v3, and this blog post is a quick recap of what we did. You can read our complete writeup here.

Basically there was a stack buffer overflow in a service that is executed once during boot and once every 2 hours. The service downloads a file and parses it, and the vulnerability lies in the parser. A malicious entity able to MitM the WAN side (in order to redirect a specific URL to a server of their own) could have used this vulnerability to take over your router.

A funny thing is that this is possible because the software inside uses curl with the -k option to download the file it parses... From the manual:

       -k, --insecure
              (TLS  SFTP  SCP)  By  default,  every  secure connection curl makes is verified to be secure before the transfer takes
              place. This option makes curl skip the verification step and proceed without checking.
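As an added illustration (not code from the writeup or from the router firmware), a small audit script that flags curl invocations disabling certificate verification, either as --insecure or as -k bundled into a short-flag group like -sk, while leaving hardened invocations and other tools' -k flags alone. The sample script it scans, the CA path and the key pin are constructed placeholders.

```shell
# Audit shell scripts (for example ones carved out of a firmware image) for
# curl invocations that disable TLS verification with -k / --insecure.
# Prints "file:line: text" for each hit; returns 0 if none were found.
find_insecure_curl() {
    hits=0
    set -f                      # no globbing while we split lines into words
    for f in "$@"; do
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            n=$((n + 1))
            case "$line" in
                *curl*) ;;      # only lines that invoke curl are of interest
                *) continue ;;
            esac
            args=${line#*curl}  # ignore anything before the curl command itself
            for tok in $args; do
                case "$tok" in
                    --insecure) hits=$((hits + 1)); printf '%s:%s: %s\n' "$f" "$n" "$line"; break ;;
                    --*)        ;;  # other long options (--cacert, --pinnedpubkey, ...)
                    -*k*)       hits=$((hits + 1)); printf '%s:%s: %s\n' "$f" "$n" "$line"; break ;;
                esac
            done
        done < "$f"
    done
    set +f
    [ "$hits" -eq 0 ]
}

# Constructed sample script: the weak invocation next to a hardened one.
# The CA path and the pin are placeholders, not values from the Netgear firmware.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# weak: -k skips certificate checks, so a WAN-side MitM can serve any file
curl -sk -o /tmp/list.txt https://example.invalid/list.txt
# hardened: verify against a bundled CA and pin the server's public key
curl -s --cacert /etc/ssl/vendor-ca.pem --pinnedpubkey "sha256//PLACEHOLDER" -o /tmp/list.txt https://example.invalid/list.txt
curl --insecure https://example.invalid/other
wget -k https://example.invalid/page   # -k is wget's --convert-links, not curl's
EOF
}

# Stand-alone run: write the sample and audit it (two hits expected).
sample=$(mktemp)
write_sample "$sample"
if find_insecure_curl "$sample"; then echo "no insecure curl found"; else echo "insecure curl invocations found"; fi
rm -f "$sample"
```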

The stack overflow was rather trivial to exploit as there was only partial ASLR, no PIE and no stack cookie. It is really astonishing that in 2021 devices with such poor security mitigations are still sold at a rather high price (this router costs around 115€).

When writing this I just realised that Amazon even promotes it as "compatible with Alexa".

Anyway, it was a fun experience, I definitely recommend it!