C100110: Netgear R6200v2, Remote Code Execution (pre-auth)
Hello everyone. Since write-ups about Netgear routers are starting to become repetitive, we will not go into details and will simply present the results. We will see how an authentication bypass can be chained with a command injection to obtain pre-auth RCE on the Netgear R6200v2, firmware versions:
- Version 1.0.1.14
- Version 1.0.1.16
- Version 1.0.1.18
- Version 1.0.1.20
Authentication Bypass
As the title of this paragraph states, in order to access the administrator's functionality (and obtain a vector allowing us to inject commands) we must first bypass authentication. Spoiler alert: the URL is badly parsed by the httpd binary, which uses the function strstr() to look for the pattern ".gif". So here is an example of how I did it:
I thought I had discovered it first, but it turns out that the vulnerability had already been identified by the Microsoft 365 Defender Research Team on a different router (DGN2200v1) in 2021, so I'm a year late. However, the command injection is not yet a public vulnerability, so let's continue.
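To make the bypass concrete from the defender's side, here is an added example (not code from the article or from the Netgear firmware) of the strstr()-style check described above next to a hardened version. The sample URLs and the function names are constructed for this illustration; the actual httpd routing logic is not on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pattern the article describes: any request whose URL contains ".gif"
 * anywhere is treated as a public image and skips the login check.
 * strstr() matches the substring in a query string or a directory name just
 * as readily as at the end of the file name. */
bool is_public_image_vulnerable(const char *url)
{
    return strstr(url, ".gif") != NULL;
}

/* Hardened check: isolate the path component (drop query string and
 * fragment), keep only the last path segment, and require that segment to
 * END with ".gif". Assumes the URL has already been percent-decoded and
 * normalised by the caller. */
bool is_public_image_hardened(const char *url)
{
    size_t path_len = strcspn(url, "?#");      /* path stops at '?' or '#' */
    const char *seg = url;
    for (size_t i = 0; i < path_len; i++)      /* find last '/' in the path */
        if (url[i] == '/')
            seg = url + i + 1;
    size_t seg_len = (size_t)(url + path_len - seg);
    const char *ext = ".gif";
    size_t ext_len = strlen(ext);
    if (seg_len <= ext_len)                    /* empty name or bare ".gif" */
        return false;
    return memcmp(seg + seg_len - ext_len, ext, ext_len) == 0;
}

/* Authorisation decision a dispatcher would make: default-deny, and only a
 * request that is genuinely for a public image skips the login check. */
bool requires_auth(const char *url)
{
    return !is_public_image_hardened(url);
}

int main(void)
{
    /* Constructed sample requests; "/protected.cgi" stands in for any
     * authenticated page and is not a real path from the device. */
    const char *samples[] = {
        "/img/logo.gif",
        "/img/logo.gif?v=2",
        "/protected.cgi?x=.gif",
        "/.gif/protected.cgi",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s strstr-check:%d hardened:%d requires_auth:%d\n",
               samples[i],
               is_public_image_vulnerable(samples[i]),
               is_public_image_hardened(samples[i]),
               requires_auth(samples[i]));
    return 0;
}
```

The hardened version still depends on the path being decoded and normalised before the check runs, and on auth being the default rather than the exception. A more robust layout serves static assets from a dedicated directory prefix and authenticates everything else, instead of inferring "public" from a file extension at all.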
Command Injection
As in a previous article, I found that it was possible to perform a command injection in a PPPoE-related feature, though not exactly the same one, because this one is related to IPv6, or so it seems. There is one small difference: before performing our command injection, we have to obtain a token, which I guess is the equivalent of a CSRF token.
Once this token is obtained, we can perform our command injection through the parameter $_POST["pppoe_servicename"] of the page /ipv6_pppoe.cgi. Putting it all together, we can chain the two vulnerabilities to perform a pre-auth command injection.
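The fix on the firmware side is the usual one for this class of bug: validate the field and never pass it through a shell. The following is an added example (not code from the article or from the Netgear firmware) showing the injectable pattern beside a hardened handler. The pppd command line, the allowlist and the function names are assumptions for this illustration; how the device actually launches its PPPoE client is not stated on the page.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERVICE_NAME 64

/* Injectable pattern: the user-supplied service name is pasted into a shell
 * command line. This function only BUILDS the string so the hazard is
 * visible; a real handler would hand it to system(), where any shell
 * metacharacter in `name` becomes part of the command. */
int build_pppoe_cmd_vulnerable(char *out, size_t out_len, const char *name)
{
    return snprintf(out, out_len,
                    "pppd plugin rp-pppoe.so rp_pppoe_service %s", name);
}

/* Hardened, step 1: a conservative allowlist. A service name entered in a
 * router UI rarely needs more than letters, digits and a little
 * punctuation; every character a shell treats specially is rejected. */
bool pppoe_servicename_is_valid(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_SERVICE_NAME)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '@')
            continue;
        return false;
    }
    return true;
}

/* Hardened, step 2: no shell at all. The service name becomes one argv
 * element, which execv() would pass to pppd verbatim, so ';', '`' or
 * '$(...)' carry no meaning even if the allowlist were loosened later.
 * Returns the number of argv entries (excluding the NULL), or -1. */
int build_pppoe_argv(const char *name, const char **argv, size_t argv_cap)
{
    if (!pppoe_servicename_is_valid(name))
        return -1;
    const char *fixed[] = { "pppd", "plugin", "rp-pppoe.so", "rp_pppoe_service" };
    size_t n = sizeof fixed / sizeof fixed[0];
    if (argv_cap < n + 2)
        return -1;
    for (size_t i = 0; i < n; i++)
        argv[i] = fixed[i];
    argv[n] = name;
    argv[n + 1] = NULL;
    return (int)(n + 1);
}

/* Self-check: does the hardened builder keep the name as exactly one
 * argument, with nothing split off by a shell? */
bool pppoe_argv_isolates_name(const char *name)
{
    const char *argv[8];
    int count = build_pppoe_argv(name, argv, 8);
    return count == 5 && strcmp(argv[4], name) == 0 && argv[5] == NULL;
}

int main(void)
{
    /* Constructed inputs: one benign name, one carrying a shell separator. */
    const char *names[] = { "isp-service_1", "isp;id" };
    char cmd[128];
    for (size_t i = 0; i < 2; i++) {
        build_pppoe_cmd_vulnerable(cmd, sizeof cmd, names[i]);
        printf("%-16s valid:%d  shell line would be: %s\n",
               names[i], pppoe_servicename_is_valid(names[i]), cmd);
    }
    return 0;
}
```

The allowlist is defence in depth; the property that actually removes the bug is that the field never reaches a shell parser. A token check like the one the article mentions protects against cross-site requests, not against an authenticated (or, here, bypass-authenticated) user submitting hostile input, so it is no substitute for either step.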
POC
As you can imagine, this exploit should also work on other router models (since it is the embedded httpd that is affected), but I did not look for all the vulnerable routers and their corresponding firmware versions.
Thank you for reading this article.