分析如下漏洞:
https://www.cve.org/CVERecord?id=CVE-2025-4980
整体步骤在ubuntu22.04下完成
- 下载固件
https://kb.netgear.com/23510/DGND3700v2-Firmware-Version-1-1-00-15-NA-Users
下载到一个zip包:DGND3700v2h1_V1.1.00.15_1.00.15_NA.zip
- 解压压缩包
shell
unzip DGND3700v2h1_V1.1.00.15_1.00.15_NA.zip解压后得到img文件:DGND3700v2h1_V1.1.00.15_1.00.15_NA.img
- binwalk提取img
shell
binwalk -e DGND3700v2h1_V1.1.00.15_1.00.15_NA.img得到如下文件夹:_DGND3700v2h1_V1.1.00.15_1.00.15_NA.img.extracted
文件夹中含有如下文件:200.zip, DGND3700v2.bin
- binwalk提取bin
shell
binwalk -e DGND3700v2.bin输出:
shell
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
16314 0x3FBA Sercomm firmware signature, version control: 0, download control: 256, hardware ID: "ABL", hardware version: 0x4100, firmware version: 0x15, starting code segment: 0x0, code size: 0x7300
16384 0x4000 JFFS2 filesystem, big endian提取后的内容存储到如下文件夹
_DGND3700v2.bin.extracted/文件夹中即是从固件中提取到的文件(整个文件系统):
shell
(base) ubuntu@ubuntu:/tmp/_DGND3700v2h1_V1.1.00.15_1.00.15_NA.img.extracted$ ll _DGND3700v2.bin.extracted/
total 31740
drwxrwxr-x 3 ubuntu ubuntu 4096 Jun 18 21:34 ./
drwxrwxr-x 3 ubuntu ubuntu 4096 Jun 18 21:34 ../
-rw-rw-r-- 1 ubuntu ubuntu 32489472 Jun 18 21:34 4000.jffs2
drwxrwxr-x 12 ubuntu ubuntu 4096 Jun 18 21:34 jffs2-root/
(base) ubuntu@ubuntu:/tmp/_DGND3700v2h1_V1.1.00.15_1.00.15_NA.img.extracted$ ll _DGND3700v2.bin.extracted/jffs2-root/
total 1796
drwxrwxr-x 12 ubuntu ubuntu 4096 Jun 18 21:34 ./
drwxrwxr-x 3 ubuntu ubuntu 4096 Jun 18 21:34 ../
-rwxr-xr-x 1 ubuntu ubuntu 253680 Jun 18 21:34 cferam*
drwxrwxr-x 10 ubuntu ubuntu 4096 Jun 18 21:34 config/
drwxrwxr-x 2 ubuntu ubuntu 4096 Jun 18 21:34 dev/
lrwxrwxrwx 1 ubuntu ubuntu 9 Jun 18 21:34 etc -> /dev/null
drwxrwxr-x 2 ubuntu ubuntu 4096 Jun 18 21:34 home/
-rwxr-xr-x 1 ubuntu ubuntu 4 Jun 18 21:34 kernel_cksum*
drwxrwxr-x 4 ubuntu ubuntu 4096 Jun 18 21:34 lib/
drwxrwxr-x 2 ubuntu ubuntu 4096 Jun 18 21:34 mnt/
drwxrwxr-x 2 ubuntu ubuntu 4096 Jun 18 21:34 proc/
lrwxrwxrwx 1 ubuntu ubuntu 9 Jun 18 21:34 sbin -> usr/sbin//
drwxrwxr-x 2 ubuntu ubuntu 4096 Jun 18 21:34 sys/
drwxrwxr-x 2 ubuntu ubuntu 4096 Jun 18 21:34 tmp/
drwxrwxr-x 8 ubuntu ubuntu 4096 Jun 18 21:34 usr/
lrwxrwxrwx 1 ubuntu ubuntu 9 Jun 18 21:34 var -> /dev/null
-rw-r--r-- 1 ubuntu ubuntu 1514158 Jun 18 21:34 vmlinux.lz
lrwxrwxrwx 1 ubuntu ubuntu 9 Jun 18 21:34 www -> /dev/null
drwxrwxr-x 8 ubuntu ubuntu 20480 Jun 18 21:34 www.eng/- 找到mini_http的位置
shell
(base) ubuntu@ubuntu:/tmp/_DGND3700v2h1_V1.1.00.15_1.00.15_NA.img.extracted/_DGND3700v2.bin.extracted/jffs2-root$ find . -name "*http*"
./lib/modules/ipt_http_string.ko
./usr/sbin/rc_app/rc_httpd
./usr/sbin/rc_app/rc_smb_http_en_chk
./usr/sbin/mini_httpd
./usr/etc/mini_httpd.pem- 对mini_http逆向
参考原始漏洞分析文章
用IDA定位到相应的位置
该漏洞的原理是:Netgear使用mini_http来处理HTTP请求,当访问currentsetting.htm时,全局变量dword_41EF20会被设置为1,以此将该页面标记为特殊页面。
至此,完成一次该固件的逆向与漏洞定位。