A well-known researcher abroad confirmed, after extensive study, that the NetGear WNDR3700v4 firmware has this vulnerability. Once the web interface authentication can be bypassed, a great deal can be done afterwards.
The WNDR3700v4 firmware contains an executable, net-cgi, which works much like BusyBox: one binary with many functions inside. So there are plenty of places worth studying; the one we are interested in here is the cmd_ping6() module.
This function takes a char *host argument, and its main job is to ping a target given by machine name or IPv6 address. That is very ordinary functionality, but in this firmware it uses sprintf() to copy the string straight into the shell command that will be executed, which makes it one of the simplest buffer overflow vulnerabilities there is: in the end the contents of the input are passed to system() and run.
What if the user does not supply an IPv6 address? It does not matter: as long as the command reaches system() and runs, who cares whether the ping itself succeeds?
Looking back: how does this hole come about?
cmd_ping6() is called by cgi_commit(), which in turn is called by sub_4052d0().
At execution time, the page involved is ping6_traceroute6_hidden_info.htm.
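The pattern described above, as an added example in C (this is not code from the post or from the NetGear firmware; the format string "ping6 -c 3 %s", the function names and the sample host values are assumptions, and the real net-cgi routine is not reproduced). A constructed cmd_ping6-style builder formats the host straight into a shell line with sprintf(), next to a hardened version that allow-lists the characters a hostname or IPv6 literal can contain, bounds the buffer with snprintf(), and, better still, runs ping6 through execvp() with an argv vector so that no shell ever parses the input:

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CMD_MAX  256
#define HOST_MAX 253   /* longest legal DNS name */

/* Constructed illustration of the flaw the post describes (assumed format
 * string): the host string is formatted straight into a shell command line.
 * Whatever the user typed reaches the shell unchanged, and plain sprintf()
 * into a fixed buffer has no bound check either. */
const char *ping6_line_unsafe(const char *host)
{
    static char buf[CMD_MAX];
    sprintf(buf, "ping6 -c 3 %s", host);   /* no bound, no escaping */
    return buf;
}

/* Allow-list check: a hostname or IPv6 literal only needs letters, digits,
 * '.', ':' and '-'. Shell metacharacters (';', '|', '`', '$', whitespace and
 * so on) are rejected, as are empty or over-long inputs. */
int host_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > HOST_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == ':' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened builder: validate first, then snprintf() with a bound.
 * Returns the command line, or NULL if the host is rejected or truncated. */
const char *ping6_line_safe(const char *host)
{
    static char buf[CMD_MAX];
    if (!host_is_safe(host))
        return NULL;
    int n = snprintf(buf, sizeof buf, "ping6 -c 3 %s", host);
    if (n < 0 || (size_t)n >= sizeof buf)
        return NULL;
    return buf;
}

/* Better still: skip the shell entirely. Build an argv vector and hand it to
 * execvp() in a forked child, so the host string is one argument and nothing
 * ever interprets it. Returns ping6's exit status, or -1 on rejection/failure. */
int run_ping6_noshell(const char *host)
{
    if (!host_is_safe(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ping6", "-c", "3", (char *)host, NULL };
        execvp(argv[0], argv);
        _exit(127);                        /* only reached if exec fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed host value carrying a second command after the separator. */
    const char *probe = "::1; echo injected";
    const char *good  = ping6_line_safe("2001:db8::1");
    printf("unsafe: %s\n", ping6_line_unsafe(probe));   /* shell would run both */
    printf("safe:   %s\n", ping6_line_safe(probe) ? "accepted" : "rejected");
    printf("safe:   %s\n", good ? good : "rejected");
    return 0;
}
```

The allow-list is deliberately narrow: it accepts plain hostnames and IPv6 literals but not zone-scoped addresses such as fe80::1%eth0, which is the right default for a CGI that should never need them. Even with validation in place, the execvp() route is the one to prefer, because it removes the shell from the path entirely rather than relying on the filter being complete.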
We tried running a few small commands to test it:
Small as the test is, the effect is immediate; even remotely, you can easily tell whether the command executed successfully.
Using this vulnerability, the foreign researcher wrote an exploit (EXP) in Python; the EXP mainly performs the following functions:
Download the EXP:
Running the EXP requires installing Bowcaster.
NETGEAR Inc. is an American networking company. Founded in 1996, NETGEAR has long been committed to providing small and medium-sized business and SOHO users with easy-to-use, feature-rich integrated networking solutions. Headquartered in Santa Clara, California, in Silicon Valley, with operations in many countries and regions, it has been among the 50 fastest-growing U.S. high-tech companies for eight consecutive years, and in 2003 it became the only computer networking company to be successfully listed on the U.S. Nasdaq stock exchange (ticker: NTGR).