Hello everyone. Since this is getting repetitive for Netgear routers, we will not go into details but simply present the results. We will see how it is possible to perform an authentication bypass and a command injection in order to achieve a pre-auth RCE on the Netgear R6200v2 with the following firmware versions:

  • Version 1.0.1.14
  • Version 1.0.1.16
  • Version 1.0.1.18
  • Version 1.0.1.20

Authentication Bypass

As the title of this paragraph states, in order to reach the administrator's functionality (and obtain a vector that lets us inject commands) we must first bypass authentication. Spoiler alert: the URL is badly parsed by the httpd binary, which uses the strstr() function to look for the pattern ".gif" anywhere in the URL.

So here is an example of how I did it:

[image]

[image]

I thought I had discovered it first, but it turns out that the vulnerability had already been identified by the Microsoft 365 Defender Research Team on a different router (DGN2200v1) in 2021, so I'm a year late. However, the command injection is not yet a public vulnerability, so let's continue.

Command Injection

As in a previous article, I found that it was possible to perform a command injection in a PPPoE-related feature, though not exactly the same one: this one seems to be related to IPv6. There is one small difference before we can trigger the injection: we first have to obtain a token, which I guess is the equivalent of a CSRF token.

[image]

Once this token is obtained, we can perform our command injection through the parameter $_POST["pppoe_servicename"] of the page /ipv6_pppoe.cgi.

[image]

Putting it all together, we can chain the two vulnerabilities to perform a pre-auth command injection.
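As an added example (not code from this article or from the Netgear firmware), here is a C reconstruction of the substring check described above next to a hardened path check, plus an allow-list validator for the pppoe_servicename value. Function names, the accepted character set and the 64-byte limit are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Reconstruction of the behaviour described in the article (not the
 * firmware's actual code): any URL containing ".gif" anywhere is treated
 * as a public image and skips authentication. */
bool legacy_is_public(const char *url) {
    return strstr(url, ".gif") != NULL;
}

/* Hardened replacement: look only at the path (stop at '?' or '#'),
 * refuse encoded bytes and dot-dot segments instead of guessing, and
 * require ".gif" to be the real suffix of a non-empty file name. */
bool is_public_asset(const char *url) {
    static const char ext[] = ".gif";
    const size_t k = sizeof ext - 1;
    size_t n = strcspn(url, "?#");              /* path length only */
    if (url[0] != '/' || n <= k) return false;
    for (size_t i = 0; i < n; i++) {
        if (url[i] == '%' || url[i] == '\\') return false;
        if (url[i] == '.' && url[i + 1] == '.') return false;
    }
    for (size_t i = 0; i < k; i++)              /* case-insensitive suffix */
        if (tolower((unsigned char)url[n - k + i]) != ext[i]) return false;
    return url[n - k - 1] != '/';               /* "/.gif" is not a file */
}

/* Allow-list check for the pppoe_servicename value before it reaches any
 * shell or config writer: alphanumerics plus '-', '_' and '.', bounded
 * length (the 64-byte limit is an assumption). Rejecting everything else
 * removes the shell metacharacters a command injection depends on. */
bool valid_service_name(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 64) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '_' && c != '.') return false;
    }
    return true;
}
```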

POC

[image]

As you can imagine, this exploit should also work on other router models (since it is the embedded httpd that is affected), but I didn't look for all the vulnerable routers and their corresponding firmware versions.

Thank you for reading this article.