
List:       full-disclosure
Subject:    [FD] Netgear DGNv2200 multiple vulnerabilities (Bezeq firmware)
From:       0x3d5157636b525761 iddqd <0x3d5157636b525761 () gmail ! com>
Date:       2016-03-20 11:21:38
Message-ID: CANJpe11hbn3P+Ep-OtuX106P7WPD+UA+mWh-OEkKGgBGmddX4g () mail ! gmail ! com

Disclosure timeline
===================
February 10th, 2016: discovered 3 issues: memory corruption, authorization
bypass, CSRF.
February 10th, 2016: supplying technical details to Netgear, including POC
code.
February 12th, 2016: Netgear's response - they said that only the Bezeq
firmware is vulnerable.
February 13th, 2016: discovering command injection vulnerability, updating
Netgear.
February 14th, 2016: contacted Bezeq.
February 21st, 2016: Bezeq acknowledged.
March 3rd, 2016: Bezeq's first hotfix to authorization bypass
vulnerability.
March 20th, 2016: disclosure, assigned DWF-2016-91000.

Technical details
=================
This firmware might reside in Netgear's own firmware as well, but was found
on Bezeq firmware (custom). Issues:
1. HTTP Authorization bypass: by supplying "ess_" in the URL, authorization
is not validated.
2. Command injection: the ping utility allows an attacker to run arbitrary
command via the "system" API, by injecting either a pipe or backticks.
3. CSRF exposure.
4. Possible memory corruption: the basic authorization username is copied
via unsafe strcpy to a global variable.
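
The two code-level issues above (the ping utility handing attacker-controlled input to "system", and the Basic-auth username copied with an unbounded strcpy into a global) both come down to missing input bounds at the handler. The following is an added, hypothetical C example, not code from the advisory, from Bezeq or from Netgear's firmware: it shows the defensive shape such a handler should have, an allowlist check on the ping target followed by an exec without a shell, and a length-checked copy into a fixed-size global. The buffer name g_auth_user, the size USER_MAX and the ping arguments are assumptions for the example; the firmware's real symbols are not on the page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical stand-in for the global the advisory describes (issue 4). */
#define USER_MAX 64
static char g_auth_user[USER_MAX];

/* Constructed overlong input used to demonstrate the bounds check. */
static const char kOverlongUser[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Issue 4, hardened: refuse input that does not fit instead of strcpy().
 * Returns 0 on success, -1 if the username would overflow the global. */
int store_auth_user(const char *user)
{
    size_t n = strlen(user);
    if (n >= USER_MAX)
        return -1;              /* reject, do not truncate silently */
    memcpy(g_auth_user, user, n + 1);
    return 0;
}

/* Issue 2, hardened: allowlist the ping target. Only letters, digits,
 * '.', '-' and ':' are accepted, so pipes, backticks, quotes and whitespace
 * never reach a shell. A leading '-' is also refused so the value cannot be
 * parsed as a ping option. Returns 1 if acceptable, 0 otherwise. */
int is_safe_ping_target(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return 1;
}

/* Run ping with a fixed argv via execlp() rather than system(): there is no
 * shell in the path, so the only thing the caller controls is one argument.
 * Returns ping's exit status, or -1 if the target was rejected or the
 * process could not be started. */
int safe_ping(const char *host)
{
    if (!is_safe_ping_target(host))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", "-W", "1", host, (char *)NULL);
        _exit(127);             /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a plain address, and two strings carrying the
     * metacharacters the advisory names (pipe, backticks). */
    const char *inputs[] = { "127.0.0.1", "127.0.0.1|x", "`x`" };
    for (size_t i = 0; i < 3; i++)
        printf("target %-12s -> %s\n", inputs[i],
               is_safe_ping_target(inputs[i]) ? "accepted" : "rejected");

    printf("store 'admin'     -> %d\n", store_auth_user("admin"));
    printf("store 70 x 'A'    -> %d\n", store_auth_user(kOverlongUser));
    return 0;
}
```

The validator is deliberately stricter than the hostname grammar; on an embedded web UI that is the right trade, since rejecting an odd but legal name costs a user one retry while accepting a metacharacter costs root on the router.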

Blog post and POC code
======================
http://securitygodmode.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/