Automated Repair of Exploits in NETGEAR Router Binary

Router bugs are a significant issue, ranging from the bug in CISCO's IOS, which on February 16th caused outages in nearly every country worldwide [45], to security vulnerabilities in home routers like NEGEAR [10] or the recent D-Link bug [11]. Security bugs are particularly problematic, especially because major software vendors commonly delay releasing patches to security exploits. In a study of high and medium risk vulnerabilities in Microsoft and Apple products between 2002 and 2008, for example, about 10% of vulnerabilities were found not to be patched within 150 days of disclosure, and on any given date about 10 vulnerabilities and over 20 vulnerabilities were public and un-patched for Microsoft and Apple respectively [13].

Rather than waiting for vendor-delivered patches, we propose to repair reproducible exploits automatically, even when developer source code and test suites are not available. A user-produced patch could be installed temporarily for internal protection, redistributed with the exploit (reporting an exploit with a patch in hand has been shown to reduce the total number of attacks [1]), or sent to the software vendor to reduce development time for the official patch [41].

In recent years, a variety of automated methods for program repair have successfully repaired defects in real software (e.g., [33,25,21,32]). Automated repair methods based on evolutionary computation (EC) have also repaired defects directly in x86 and ARM ELF files, without access to program source code [36]. This prior work, however, relies on a regression test suite to define the required functionality, or informal specification, of the program under repair. Here we consider a setting in which neither source code nor test suites are available, and there is no special information or cooperation from the vendor.

We demonstrate our technique by patching multiple security vulnerabilities in the popular NETGEAR WNDR3700 wireless router, which at the time of submission NETGEAR has not publicly addressed. Although previous EC-based program repair techniques explicitly require access to a regression test suite, we explore the feasibility of performing repairs without any such test suite and find that for our example exploits, regression test suites are most often not necessary. In addition, we find that the complexity of security vulnerabilities requires iterative applications of repair edits within a single evolutionary run.

The main contributions of this short paper are;

• A novel technique suitable for automatically generating security repairs in routers without access to source code, regression test suites, or fault localization information; and
• An application of the approach to a real-world unpatched security exploit, resulting in
• The first demonstration of multiple iterative repairs in a single run of the evolutionary repair algorithm.

To encourage reproducible research [5,30] and to allow others to patch future exploits, we have published a companion open source repository ¹. It contains the instructions, source code, and tooling needed to extract, execute and repair the binary NETGEAR router image vulnerabilities, as well as the data used to generate the analyses and figures reported in this paper.

We hope that this work encourages users to patch important vulnerabilities quickly and researchers to release patches simultaneously with exploit announcements.

The remainder of the paper reviews two recent exploits of NETGEAR WNDR3700 (Section 2); demonstrates % the feasibility of running the NETGEAR firmware in a VM sandbox (Section 3.1); describes the automated program repair technique (Sections 3.2 and 3.3); evaluates effectiveness and quality of repairs (Section 4); summarizes related work (Section 5); and discusses implications and limitations (Section 6).

We describe two current exploits in version 4 of the NETGEAR WNDR3700 wireless router. The popularity of this router implies that vulnerable systems are currently widespread. For example, the "shodan" ² device search engine returned hundreds of vulnerable publicly accessible WNDR3700 routers at the time of writing. Both exploits exist in the router's internal web server in a binary executable named net-cgi, and both are related to how net-cgi handles authentication [10].

The vendor-deployed binary is insecure in at least two ways:

• Any URI starting with the string "BRS" bypasses authentication.
• Any URI including the substring "unauth.cgi" or "securityquestions.cgi" bypass authentication. This applies even to requests of the form http://router/page.html?foo=unauth.cgi, meaning that the vulnerability effectively applies to all internal webpages.

Many administrative pages start with the "BRS" string, providing attackers with access to personal information such as users passwords, and by accessing the page http://router/BRS_02_genieHelp.html attackers can disable authentication completely and permanently across reboots.

Our repair technique for this vulnerability consists of three stages:

1. Extract the binary executable from the firmware and reproduce the exploit (Section 3.1).
2. Use EC to search for repairs by applying random mutations (and crossover) to the stripped (without symbols or section tables) MIPS ELF binary (Section 3.2).
3. Construct test cases lazily, as needed, to improve the quality of unsatisfactory candidate repairs (Section 3.3).

The first step in repairing the net-cgi executable is to extract it and the router file system from the firmware image distributed by NETGEAR. Using the extracted files ystem and executable we construct a test harness that can exercise the exploits in net-cgi. This test harness is used by the repair algorithm to evaluate candidate repairs and to identify when repairs to the exploits have been found.

We first describe the experimental setup used to test the repair technique on the NETGEAR WNDR3700 exploit (Section 4.1). We then analyze the results of ten repair attempts (Section 4.2).

Evolutionary computation (EC) refers to the use of natural selection as a search heuristic [18,22]. EC techniques have been developed to operate directly on machine code [24], and more recently they have been applied to the problem of software source-code repair [25], optimization [39,37], and to repairing assembly code and binary ELF files [36]. In each of the repair scenarios, however, the technique relies on regression tests to preserve required functionality.

In addition to the EC methods mentioned above, Clearview [33] automatically patches errors in running binaries by learning invariants of running executables, and then reacting to attacks or bugs that invalidate the invariants by applying predefined patches.

The results presented here open up the possibility that end users could repair software exploits in closed source software without special information or aid from the software vendor.

There are several caveats associated with this initial work. First, we demonstrated repair on a single executable, and it is possible that the success in the absence of regression test suite will not generalize. However, our results do not appear to be based on any property unique to the NETGEAR exploits. We conjecture that our success at finding functional repairs in this setting is due to the beneficial impact of minimization and to a property of software known as mutational robustness [38]. Across a wide variety of software, this work found that the functionality of software mutants differs by only about 60% between software tested with an empty regression test suites and software tested with the best obtainable quality regression test suites. A second caveat arises from the fact that the NETGEAR exploit occured in a web interface rather than actual routing routines. Although security vulnerabilities are serious wherever they occur, an important area for future work is to explore repairs of other types of router bugs, importantly concurrency bugs. Finally, we demonstrated the repair running in a virtualized environment and not natively in the router. Although we did not test our repairs on physical NETGEAR WNDR3700 hardware, we are confident that our repairs would have the same effect on hardware as they do in emulation.

Software defined networking (SDN) and dedicated network debuggers [16] point to a future in which network bugs are more easily reproduced and tested. In this case, there will likely be increasing opportunity for techniques like the one presented here to quickly patch important network bugs.

Whenever a patch is distributed there a risk of someone reverse-engineering an exploit from the patch text [4]. As shown in Table 1 our technique sometimes generates patches that are not directly relevant to the repaired exploit. It may be possible to avoid this risk by generating obfuscated patches in cases where a regression test suite is available minimization is not performed.

The paper described a method that enables end users to repair networking software without cooperation from the software vendor. We demonstrate the method by repairing two security vulnerabilities in the popular NETGEAR WNDR3700 router, vulnerabilities that currently exist in many actively used devices and have not been addressed by NETGEAR. Our method does not require access to source code or a pre-existing regression test suite.

We thank Z. Cutlip, who analyzed and announced the NETGEAR exploits and helped us reproduce the exploits locally; M. Harmon, for discussions of automated program repair without a regression test suite; and S. Harding for suggesting the interactive lazy regression repair algorithm. Partial support of this work provided by NSF (SHF-0905236), DARPA (P-1070-113237), and the Santa Fe Institute.

[1]	Ashish Arora, Anand Nandkumar, and Rahul Telang. Does information security attack frequency increase with vulnerability disclosure? an empirical analysis. Information Systems Frontiers, 8(5):350-362, 2006. [ bib ]
[2]	Ashish Arora, Rahul Telang, and Hao Xu. Optimal policy for software vulnerability disclosure. Management Science, 54(4):642-656, 2008. [ bib ]
[3]	Fabrice Bellard. Qemu, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, pages 41-46, 2005. [ bib ]
[4]	David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng. Automatic patch-based exploit generation is possible: Techniques and implications. In Security and Privacy, 2008. SP 2008. IEEE Symposium on, pages 143-157. IEEE, 2008. [ bib ]
[5]	Jonathan B Buckheit and David L Donoho. Wavelab and reproducible research. Springer, 1995. [ bib ]
[6]	Brian Cashell, William D Jackson, Mark Jickling, and Baird Webel. The economic impact of cyber-attacks. Congressional Research Service, Library of Congress, 2004. [ bib ]
[7]	TIS Committee et al. Tool interface standard (tis) executable and linking format (elf) specification version 1.2. TIS Committee, 1995. [ bib ]
[8]	Symantec Corporation. Internet security threat report. Technical report, Symantec Corporation, 2013. [ bib ]
[9]	Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, and Paul Barham. Vigilante: End-to-end containment of internet worm epidemics. ACM Transactions on Computer Systems (TOCS), 26(4):9, 2008. [ bib ]
[10]	Zachary Cutlip. Complete, persistent compromise of netgear wireless routers, October 2013. http://shadow-file.blogspot.com/2013/10/complete-persistent-compromise-of.html. [ bib ]
[11]	Dennis Fisher. D-link planning to patch router backdoor bug, October 2013. http://threatpost.com/d-link-planning-to-patch-router-backdoor-bug/102581. [ bib ]
[12]	Stephanie Forrest, ThanhVu Nguyen, Westley Weimer, and Claire Le Goues. A genetic programming approach to automated software repair. In Proceedings of the 11th Annual conference on Genetic and evolutionary computation, pages 947-954. ACM, 2009. [ bib ]
[13]	Stefan Frei, Bernhard Tellenbach, and Bernhard Plattner. 0-day patch exposing vendors (in) security performance. BlackHat Europe, Amsterdam, NL, 2008. [ bib ]
[14]	Claire Le Goues, Michael Dewey-Vogt, Stephanie Forrest, and Westley Weimer. A systematic study of automated program repairs: Fixing 55 out of 105 bugs for $8 each. In Software Engineering, 2012. ICSE 2012. IEEE, 2011. [ bib ]
[15]	Andy Greenberg. Oracle quietly releases fix for serious java security bug-months after it was reported, August 2012. http://www.forbes.com/sites/andygreenberg/2012/08/30/oracle-quietly-releases-fix-for-serious-java-security-bug-months-after-it-was-reported/. [ bib ]
[16]	Nikhil Handigol, Brandon Heller, Vimalkumar Jeyakumar, David Mazières, and Nick McKeown. Where is the debugger for my software-defined network? In Proceedings of the first workshop on Hot topics in software defined networks, pages 55-60. ACM, 2012. [ bib ]
[17]	John Hennessy, Norman Jouppi, Steven Przybylski, Christopher Rowen, Thomas Gross, Forest Baskett, and John Gill. Mips: A microprocessor architecture. ACM SIGMICRO Newsletter, 13(4):17-22, 1982. [ bib ]
[18]	John Henry Holland. Adaptation in natural and artificial systems: an introductory analysis with applications to biology, control, and artificial intelligence. The MIT press, 1992. [ bib ]
[19]	IEEE security and privacy, special issue on IT monocultures. Vol. 7, No. 1, Jan./Feb. 2009. [ bib ]
[20]	Robert O’Harrow Jr. Cyber search engine shodan exposes industrial control systems to new risks, June 2012. http://articles.washingtonpost.com/2012-06-03/news/35459595_1_computer-systems-desktop-computers-search-engine. [ bib ]
[21]	Dongsun Kim, Jaechang Nam, Jaewoo Song, and Sunghun Kim. Automatic patch generation learned from human-written patches. In Proceedings of the 2013 International Conference on Software Engineering, pages 802-811. IEEE Press, 2013. [ bib ]
[22]	John R. Koza. Genetic programming: On the programming of computers by means of natural selection, 1992. See http://miriad. Iip6. fr/microbes Modeling Adaptive Multi-Agent Systems Inspired by Developmental Biology, 229, 1992. [ bib ]
[23]	John R Koza, Martin A Keane, Jessen Yu, Forrest H Bennett III, and William Mydlowec. Automatic creation of human-competitive programs and controllers by means of genetic programming. Genetic Programming and Evolvable Machines, 1(1-2):121-164, 2000. [ bib ]
[24]	F. Kühling, K. Wolff, and P. Nordin. A brute-force approac to automatic induction of machine code on cisc architectures. Genetic Programming, pages 288-297, 2002. [ bib ]
[25]	Claire Le Goues, ThanhVu Nguyen, Stephanie Forrest, and Westley Weimer. GenProg: A generic method for automated software repair. Transactions on Software Engineering, 38(1):54-72, 2012. [ bib ]
[26]	Claire Le Goues, Westley Weimer, and Stephanie Forrest. Representations and operators for improving evolutionary software repair. In Proceedings of the fourteenth international conference on Genetic and evolutionary computation conference, pages 959-966. ACM, 2012. [ bib ]
[27]	Robert Lemos. Microsoft details new security plan, October 2003. http://news.cnet.com/Microsoft-details-new-security-plan/2100-1002_3-5088846.html. [ bib ]
[28]	P Lougher and R Lougher. Squashfs-a squashed read-only filesystem for linux, 2006. [ bib ]
[29]	Sean Luke. Essentials of Metaheuristics. Lulu, second edition, 2013. Available for free at http://cs.gmu.edu/~sean/book/metaheuristics/. [ bib ]
[30]	Jill P Mesirov. Accessible reproducible research. Science, 327(5964):415-416, 2010. [ bib ]
[31]	Barton P Miller, Louis Fredriksen, and Bryan So. An empirical study of the reliability of unix utilities. Communications of the ACM, 33(12):32-44, 1990. [ bib ]
[32]	Hoang Duong Thien Nguyen, Dawei Qi, Abhik Roychoudhury, and Satish Chandra. Semfix: Program repair via semantic analysis. In Proceedings of the 2013 International Conference on Software Engineering, pages 772-781. IEEE Press, 2013. [ bib ]
[33]	Jeff H Perkins, Sunghun Kim, Sam Larsen, Saman Amarasinghe, Jonathan Bachrach, Michael Carbin, Carlos Pacheco, Frank Sherwood, Stelios Sidiroglou, Greg Sullivan, et al. Automatically patching errors in deployed software. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, pages 87-102. ACM, 2009. [ bib ]
[34]	R. Poli, W.B. Langdon, and N.F. McPhee. A field guide to genetic programming. Lulu Enterprises Uk Ltd, 2008. [ bib ]
[35]	Eric Schulte, Dan Davison, Tom Dye, and Carsten Dominik. A multi-language computing environment for literate programming and reproducible research. Journal of Statistical Software, 46(3), January 2012. [ bib ]
[36]	Eric Schulte, Jonathan DiLorenzo, Westley Weimer, and Stephanie Forrest. Automated repair of binary and assembly programs for cooperating embedded devices. In Proceedings of the eighteenth international conference on Architectural Support for Programming Languages and Operating Systems. ACM, 2013. [ bib ]
[37]	Eric Schulte, Jonathan Dorn, Stephen Harding, Stephanie Forrest, and Westley Weimer. Post-compiler software optimization for reducing energy. In Proceedings of the nineteenth international conference on Architectural Support for Programming Languages and Operating Systems. ACM, 2014. [ bib ]
[38]	Eric Schulte, ZacharyP. Fry, Ethan Fast, Westley Weimer, and Stephanie Forrest. Software mutational robustness. Genetic Programming and Evolvable Machines, pages 1-32, 2013. [ bib ]
[39]	Pitchaya Sitthi-Amorn, Nicholas Modly, Westly Weimer, and Jason Lawrence. Genetic programming for shader simplification. ACM Transactions on Graphics (TOG), 30(6):152, 2011. [ bib ]
[40]	Yi Wei, Yu Pei, Carlo A. Furia, Lucas S. Silva, Stefan Buchholz, Bertrand Meyer, and Andreas Zeller. Automated fixing of programs with contracts. In International Symposium on Software Testing and Analysis, pages 61-72, 2010. [ bib ]
[41]	Westley Weimer. Patches as better bug reports. In Generative Programming and Component Engineering, pages 181-190, 2006. [ bib ]
[42]	Westley Weimer, ThanhVu Nguyen, Claire Le Goues, and Stephanie Forrest. Automatically finding patches using genetic programming. In Proceedings of the 31st International Conference on Software Engineering, pages 364-374. IEEE Computer Society, 2009. [ bib ]
[43]	Zuoning Yin, Ding Yuan, Yuanyuan Zhou, Shankar Pasupathy, and Lakshmi N. Bairavasundaram. How do fixes become bugs? In Foundations of Software Engineering, pages 26-36, 2011. [ bib ]
[44]	Andreas Zeller. Yesterday, my program worked. Today, it does not. Why? In Foundations of Software Engineering, pages 253-267, 1999. [ bib ]
[45]	Earl Zmijewski. Reckless driving on the internet, February 2009. http://www.renesys.com/2009/02/the-flap-heard-around-the-world/. [ bib ]