Netgear DGNv2200 Authorization Bypass / Command Injection

2016.03.22
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

Disclosure timeline
===================

February 10th, 2016: discovered 3 issues: memory corruption, authorization bypass, CSRF.
February 10th, 2016: supplied technical details to Netgear, including POC code.
February 12th, 2016: Netgear's response - they said that only the Bezeq firmware is vulnerable.
February 13th, 2016: discovered command injection vulnerability, updated Netgear.
February 14th, 2016: contacted Bezeq.
February 21st, 2016: Bezeq acknowledged.
March 3rd, 2016: Bezeq's first hotfix for the authorization bypass vulnerability.
March 20th, 2016: disclosure, assigned DWF-2016-91000.

Technical details
=================

The vulnerable code might reside in Netgear's own firmware as well, but it was found on Bezeq's custom firmware.

Issues:

1. HTTP authorization bypass: when "ess_" appears in the URL, authorization is not validated.
2. Command injection: the ping utility lets an attacker run arbitrary commands via the "system" API by injecting either a pipe or backticks.
3. CSRF exposure.
4. Possible memory corruption: the basic authorization username is copied via unsafe strcpy to a global variable.

Blog post and POC code
======================

http://securitygodmode.blogspot.com

