var-201305-0436
Vulnerability from variot
NetGear DGN1000B and DGN2200 are both router products of NetGear. A remote authentication bypass vulnerability exists in Netgear DGN1000 and DGN2200 devices. A remote attacker could use this vulnerability to bypass the authentication mechanism and execute arbitrary commands with elevated privileges in the context of the affected device. The following versions are affected: NetGear DGN1000 running firmware versions prior to 1.1.00.48, and Netgear DGN2200 v1.

Unauthenticated command execution on Netgear DGN devices
========================================================

[ADVISORY INFORMATION]
Title: Unauthenticated command execution on Netgear DGN devices
Discovery date: 01/05/2013
Release date: 31/05/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)

[VULNERABILITY INFORMATION]
Class: Authentication bypass, command execution

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware versions:
 * Netgear DGN1000, firmware version < 1.1.00.48
 * Netgear DGN2200 v1
Other products and firmware versions are probably also vulnerable, but they were not checked.

Briefly, the embedded web server skips authentication checks for some URLs containing the "currentsetting.htm" substring. As an example, the following URL can be accessed even by unauthenticated attackers:
http://<target-ip-address>/setup.cgi?currentsetting.htm=1
Then, the "setup.cgi" page can be abused to execute arbitrary commands. As an example, to read the /www/.htpasswd local file (containing the clear-text password for the "admin" user), an attacker can access the following URL:
http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/&currentsetting.htm=1
Basically this URL leverages the "syscmd" function of the "setup.cgi" script to execute arbitrary commands. In the example above the command being executed is "cat /www/.htpasswd", and the output is displayed in the resulting web page. Slight variations of this URL can be used to execute arbitrary commands. According to Netgear, DGN2200 v1 is not supported anymore, while v3 and v4 should not be affected by this issue; these versions were not tested by the author.
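A detection-side sketch of the request pattern described above, added here as an example and not part of the original advisory: it flags logged requests to setup.cgi that carry the "currentsetting.htm" marker and separates those that also invoke "syscmd". The log lines are constructed, and the log source (a proxy or sensor in front of the device writing common log format) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (documentation address ranges), common log format.
SAMPLE_LOG = """\
192.0.2.10 - admin [03/Jun/2013:10:01:22 +0000] "GET /setup.cgi?next_file=basic.htm HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jun/2013:10:02:41 +0000] "GET /setup.cgi?currentsetting.htm=1 HTTP/1.1" 200 312
198.51.100.7 - - [03/Jun/2013:10:02:45 +0000] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/&currentsetting.htm=1 HTTP/1.1" 200 87
203.0.113.5 - - [03/Jun/2013:10:05:00 +0000] "GET /currentsetting.htm HTTP/1.1" 200 140
"""

MARKER = "currentsetting.htm"
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return a finding dict for a suspicious setup.cgi request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, user, _method, target, status = m.groups()
    url = urlsplit(target)
    # Only setup.cgi requests are of interest here.
    if not url.path.endswith("/setup.cgi"):
        return None
    # Match on the percent-decoded query so the check does not depend on encoding.
    if MARKER not in unquote(url.query):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    finding = {
        "client": client,
        "authenticated": user != "-",   # logged HTTP auth user, if any
        "status": int(status),
        "kind": "auth-bypass-marker",
        "cmd": None,
    }
    # todo=syscmd together with the marker is the command-execution pattern.
    if "syscmd" in params.get("todo", []):
        finding["kind"] = "syscmd-via-bypass"
        finding["cmd"] = params.get("cmd", [""])[0]
    return finding

def scan(log_text):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```
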
[DISCLAIMER]
The author is not responsible for the misuse of the information provided in this security advisory. The advisory is a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.