Netgear DGNv2200 Authorization Bypass / Command Injection
Posted on 30 November -0001
<HTML><HEAD><TITLE>Netgear DGNv2200 Authorization Bypass / Command Injection</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Disclosure timeline =================== February 10th, 2016: discovered 3 issues: memory corruption, authorization bypass, CSRF. February 10th, 2016; supplying technical details to Netgear, including POC code. February 12th, 2016: Netgear's response - they said that only the Bezeq firmware is vulneable. February 13th, 2016: discovering command injection vulnerability, updating Netgear. February 14th, 2016: contacted Bezeq. February 21st, 2016: Bezeq acknowledged. March 3rd, 2016: Bezeq's firsty hotfix to authorization bypass vulnerability. March 20th, 2016: disclosure, assigned DWF-2016-91000. Technical details ============= This firmware might reside in Netgear's own firmware as well, but was found on Bezeq firmware (custom). Issues: 1. HTTP Authorization bypass: by supplying "ess_" in the URL, authorization is not validated. 2. Command injection: the ping utility allows an attacker to run arbitrary command via the "system" API, by injecting either a pipe or backticks. 3. CSRF exposure. 4. Possible memory corruption: the basic authorization username is copied via unsafe strcpy to a global variable. Blog post and POC code ===================== http://securitygodmode.blogspot.com</BODY></HTML>
