ID

VAR-201305-0436


TITLE

Multiple Netgear DGN Device Remote Authentication Bypass Vulnerabilities

Trust: 0.6

sources: CNVD: CNVD-2013-06934

DESCRIPTION

Netgear DGN1000B and DGN2200 are both router products of Netgear. A remote authentication bypass vulnerability exists in Netgear DGN1000 and DGN2200 devices. A remote attacker could use this vulnerability to bypass the authentication mechanism and execute arbitrary commands with elevated privileges in the context of the affected device. Affected versions: Netgear DGN1000 running firmware versions prior to 1.1.00.48, and Netgear DGN2200 v1.

Unauthenticated command execution on Netgear DGN devices
========================================================

[ADVISORY INFORMATION]
Title: Unauthenticated command execution on Netgear DGN devices
Discovery date: 01/05/2013
Release date: 31/05/2013
Credits: Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)

[VULNERABILITY INFORMATION]
Class: Authentication bypass, command execution

[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware versions:

* Netgear DGN1000, firmware version < 1.1.00.48
* Netgear DGN2200 v1

Other products and firmware versions are probably also vulnerable, but they were not checked.

Briefly, the embedded web server skips authentication checks for some URLs containing the "currentsetting.htm" substring. As an example, the following URL can be accessed even by unauthenticated attackers:

http://<target-ip-address>/setup.cgi?currentsetting.htm=1

Then, the "setup.cgi" page can be abused to execute arbitrary commands. As an example, to read the /www/.htpasswd local file (containing the clear-text password for the "admin" user), an attacker can access the following URL:

http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/&currentsetting.htm=1

Basically this URL leverages the "syscmd" function of the "setup.cgi" script to execute arbitrary commands. In the example above the command being executed is "cat /www/.htpasswd", and the output is displayed in the resulting web page. Slight variations of this URL can be used to execute arbitrary commands.

According to Netgear, DGN2200 v1 is not supported anymore, while v3 and v4 should not be affected by this issue; these versions were not tested by the author.

[DISCLAIMER]
The author is not responsible for the misuse of the information provided in this security advisory. The advisory is a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

Trust: 1.44

sources: CNVD: CNVD-2013-06934 // CNNVD: CNNVD-201306-024 // BID: 60281 // PACKETSTORM: 121860

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-06934

AFFECTED PRODUCTS

vendor: netgear, model: dgn1000b wireless router, scope: lte, version: <=1.1.00.48

Trust: 0.6

vendor: netgear, model: dgn2200, scope: -, version: -

Trust: 0.6

vendor: netgear, model: dgn2200v1, scope: eq, version: 0

Trust: 0.3

vendor: netgear, model: dgn1000, scope: eq, version: 1.1.00.41

Trust: 0.3

vendor: netgear, model: dgn1000, scope: ne, version: 1.1.00.48

Trust: 0.3

sources: CNVD: CNVD-2013-06934 // BID: 60281

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD: CNVD-2013-06934
value: MEDIUM

Trust: 0.6

CNVD: CNVD-2013-06934
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2013-06934

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-024

TYPE

Access Validation Error

Trust: 0.3

sources: BID: 60281

PATCH

title: Multiple Netgear DGN devices remote authentication bypass vulnerability patch, url: https://www.cnvd.org.cn/patchinfo/show/34542

Trust: 0.6

sources: CNVD: CNVD-2013-06934

EXTERNAL IDS

db: BID, id: 60281

Trust: 1.5

db: PACKETSTORM, id: 121860

Trust: 0.7

db: CNVD, id: CNVD-2013-06934

Trust: 0.6

db: CNNVD, id: CNNVD-201306-024

Trust: 0.6

sources: CNVD: CNVD-2013-06934 // BID: 60281 // PACKETSTORM: 121860 // CNNVD: CNNVD-201306-024

REFERENCES

url:http://packetstormsecurity.com/files/121860/netgeardgn-bypassexec.txt

Trust: 0.6

url:http://www.securityfocus.com/bid/60281

Trust: 0.6

url:http://www.netgear.com/service-provider/products/routers-and-gateways/dsl-gateways/dgn1000.aspx#

Trust: 0.3

url:http://www.netgear.com/service-provider/products/routers-and-gateways/dsl-gateways/dgn2200.aspx#

Trust: 0.3

url:http://seclists.org/bugtraq/2013/jun/8

Trust: 0.3

url:http://<target-ip-address>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=cat+/www/.htpasswd&curpath=/&currentsetting.htm=1

Trust: 0.1

url:http://<target-ip-address>/setup.cgi?currentsetting.htm=1

Trust: 0.1

sources: CNVD: CNVD-2013-06934 // BID: 60281 // PACKETSTORM: 121860 // CNNVD: CNNVD-201306-024

CREDITS

Roberto Paleari

Trust: 1.0

sources: BID: 60281 // PACKETSTORM: 121860 // CNNVD: CNNVD-201306-024

SOURCES

db: CNVD, id: CNVD-2013-06934
db: BID, id: 60281
db: PACKETSTORM, id: 121860
db: CNNVD, id: CNNVD-201306-024

LAST UPDATE DATE

2022-05-17T02:09:06.781000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-06934, date: 2013-06-08T00:00:00
db: BID, id: 60281, date: 2013-05-31T00:00:00
db: CNNVD, id: CNNVD-201306-024, date: 2013-06-05T00:00:00

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-06934, date: 2013-06-08T00:00:00
db: BID, id: 60281, date: 2013-05-31T00:00:00
db: PACKETSTORM, id: 121860, date: 2013-06-03T23:08:27
db: CNNVD, id: CNNVD-201306-024, date: 2013-05-31T00:00:00