CVE-2021-45732

HIGH 8.8 / 10.0
Published: December 30, 2021 at 10:15 PM
Modified: November 21, 2024 at 06:32 AM
Source: vulnreport@tenable.com

Vulnerability Description

Netgear Nighthawk R6700 version 1.0.4.120 makes use of a hardcoded credential. It does not appear that normal users are intended to be able to manipulate configuration backups, because the backups are encrypted/obfuscated. By extracting the configuration using readily available public tools, a user can reconfigure settings not intended to be manipulated, repackage the configuration, and restore the backup, causing those settings to be changed.

CVSS Metrics

Base Score
8.8
Severity
HIGH
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Netgear Nighthawk R6700 routers are vulnerable to a high-severity flaw (CVSS 8.8) caused by a hardcoded credential used in the configuration backup/restore process. It allows an attacker with a normal user account to extract, modify, and restore configuration backups, potentially leading to complete device compromise and control of the network behind it.

02 // Vulnerability Mechanism

Step 1: Configuration Extraction: An attacker with normal user access to the router (the CVSS vector specifies PR:L) obtains a configuration backup file and unpacks it using readily available public tools. The advisory does not describe any other prerequisite; other vulnerabilities or default credentials, where present, would only be needed to obtain that initial user access.

Step 2: Configuration Decryption/De-obfuscation: The attacker uses the hardcoded credential to decrypt or de-obfuscate the configuration backup file. The advisory does not specify the decryption/de-obfuscation method; it would have to be recovered by reverse engineering the firmware.

Step 3: Configuration Modification: The attacker modifies the configuration file. This could involve changing network settings, adding malicious rules, or creating backdoor accounts.

Step 4: Configuration Repackaging: The attacker repackages the modified configuration file, likely re-encrypting or re-obfuscating it using the same hardcoded credential.

Step 5: Configuration Restoration: The attacker uploads the modified configuration file to the router and initiates the restore process. The router, trusting the configuration file due to the hardcoded credential, applies the attacker's modifications.

03 // Deep Technical Analysis

The vulnerability stems from a hardcoded credential within the Netgear R6700 firmware that is used to encrypt/obfuscate configuration backup files. Because the credential is the same on every device, anyone who has extracted it once can decrypt, modify, and re-encrypt a backup for any R6700 running this firmware, so the encryption/obfuscation provides no integrity protection against a user who holds the backup. The root cause is that the restore process accepts any backup that decrypts with the hardcoded key, without separately checking that the restoring user is permitted to change the settings it contains. The firmware therefore trusts the configuration file regardless of its origin. This allows attackers to inject malicious configurations, potentially enabling remote code execution, network manipulation, or denial of service. The obfuscation is likely a simple, easily reversible method rather than true encryption; a robust design would treat a restored backup as untrusted user input and enforce the same per-setting authorization the web UI applies.

CVE-2021-45732 - HIGH Severity (8.8) | Free CVE Database | 4nuxd