NETGEAR's WNDR3700 [1] is a very popular wireless router. Version 4 of the WNDR3700 contains exploits allowing unauthenticated users to change administrative options and completely disable authentication across reboots (see [2] for a full description of the exploits).
We fixed these exploits using a method of automated program repair which operates directly on binary ELF files and requires no access to source code [3]. This fix was found before NETGEAR addressed these exploits---to my knowledge NETGEAR has not yet patched these exploits in the latest release of the firmware 1.0.1.42 as of 2013-11-19.
The exploits exist in the WNDR3700's web interface. A single ELF executable CGI file serves this interface and applies configuration changes made using the interface to the router. Using copies of the NETGEAR firmware running in virtual machines to evaluate the fitness of candidate repairs, our technique discovered changes to this ELF file which patch the exploits described in [2].
This repository contains the instructions, code, and tooling used to develop this repair. These tools may be used to automatically change the behavior other binary ELF executables, making it possible to fix customize and alter binaries executables without any aid from the software's developer.
An article describing the exploit, the repair technique, its application, and the repairs found is available at [4]. Source code and step by step instructions required to reproduce this repair are given in [5] and [6] respectively.
Thanks to Zachary Cutlip for help reproducing these exploits in a VM.
Footnotes:
[1] http://www.netgear.com/home/products/networking/wifi-routers/wndr3700.aspx
[2] http://shadow-file.blogspot.com/2013/10/complete-persistent-compromise-of.html
[3] http://cs.unm.edu/~eschulte/data/schulte2013embedded.pdf
[4] http://eschulte.github.io/netgear-repair/pub/netgear-repair.html
[5] http://github.com/eschulte/netgear-repair
[6] INSTRUCTIONS