Home / vulnerabilities Netgear DGNv2200 Authorization Bypass / Command Injection
Posted on 21 March 2016
Source : packetstormsecurity.org Link
Disclosure timeline
===================
February 10th, 2016: discovered 3 issues: memory corruption, authorization
bypass, CSRF.
February 10th, 2016; supplying technical details to Netgear, including POC
code.
February 12th, 2016: Netgear's response - they said that only the Bezeq
firmware is vulneable.
February 13th, 2016: discovering command injection vulnerability, updating
Netgear.
February 14th, 2016: contacted Bezeq.
February 21st, 2016: Bezeq acknowledged.
March 3rd, 2016: Bezeq's firsty hotfix to authorization bypass
vulnerability.
March 20th, 2016: disclosure, assigned DWF-2016-91000.
Technical details
=============
This firmware might reside in Netgear's own firmware as well, but was found
on Bezeq firmware (custom). Issues:
1. HTTP Authorization bypass: by supplying "ess_" in the URL, authorization
is not validated.
2. Command injection: the ping utility allows an attacker to run arbitrary
command via the "system" API, by injecting either a pipe or backticks.
3. CSRF exposure.
4. Possible memory corruption: the basic authorization username is copied
via unsafe strcpy to a global variable.
Blog post and POC code
=====================
http://securitygodmode.blogspot.com