NETGEAR D7000 Authentication Bypass

We discussed this vulnerability during Episode 81 on 13 September 2021

Authentication bypass by including a magic string in the URL. The string isn't exactly magic: it appears that this page (setup.cgi) has a single request that needs to be served without authentication, so in an ad hoc check the application simply looks for a string unique to that request line and turns authentication off. The problem is that it doesn't check any of the context around that string, so the same string in an unrelated request has the same effect.

If todo=PNPX_GetShareFolderList is present anywhere in the request line, authentication is turned off. This can be used to disclose files such as:

  • NETGEAR_D7000.cfg which contains the device configuration including a hashed admin password
  • BRS_swisscom_success.html which contains the plaintext admin password

Once the admin password has been disclosed, an attacker can authenticate to the device and enable Telnet, which gives remote code execution.
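To make the substring-match problem concrete, here is an added Python model of the two checks, written for these notes and not taken from the NETGEAR firmware. The vulnerable function reproduces the ad hoc check described above (the magic string anywhere in the request line disables authentication); the hardened function parses the request target and exempts only the exact intended request. The assumption that the legitimate endpoint is the path /setup.cgi with todo as a query parameter, and the sample request lines themselves, are constructed for illustration and are not captured traffic.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

MAGIC = "todo=PNPX_GetShareFolderList"

# Assumed shape of the one request that legitimately needs no authentication.
EXEMPT_PATH = "/setup.cgi"
EXEMPT_TODO = "PNPX_GetShareFolderList"

# Constructed sample request lines (not captured from a real device).
REQUESTS = [
    "GET /setup.cgi?todo=PNPX_GetShareFolderList HTTP/1.1",
    "GET /NETGEAR_D7000.cfg?todo=PNPX_GetShareFolderList HTTP/1.1",
    "GET /BRS_swisscom_success.html?x=todo=PNPX_GetShareFolderList HTTP/1.1",
    "GET /setup.cgi/../NETGEAR_D7000.cfg?todo=PNPX_GetShareFolderList HTTP/1.1",
    "GET /NETGEAR_D7000.cfg HTTP/1.1",
]


def vulnerable_requires_auth(request_line: str) -> bool:
    """Ad hoc check as described on the page: if the magic string occurs
    anywhere in the request line, authentication is switched off.
    Returns True when the request should still be authenticated."""
    return MAGIC not in request_line


def hardened_requires_auth(request_line: str) -> bool:
    """Parse the request line and exempt only the exact intended request:
    canonical path == /setup.cgi and the todo query parameter equal to
    PNPX_GetShareFolderList. Everything else stays behind authentication."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return True  # malformed request line: fail closed
    target = parts[1]
    url = urlsplit(target)
    # Decode and normalise the path so /setup.cgi/../x or %2e%2e tricks
    # cannot masquerade as the exempt endpoint.
    path = posixpath.normpath(unquote(url.path))
    if path != EXEMPT_PATH:
        return True
    params = parse_qs(url.query, keep_blank_values=True)
    # Exact match on the parsed parameter, not a substring of the raw line.
    return params.get("todo") != [EXEMPT_TODO]


def compare(requests=REQUESTS):
    """Return (request_line, vulnerable_requires_auth, hardened_requires_auth)
    for each sample so the two behaviours can be read side by side."""
    return [(r, vulnerable_requires_auth(r), hardened_requires_auth(r)) for r in requests]


if __name__ == "__main__":
    for line, vuln, hard in compare():
        print(f"{line}\n  vulnerable requires auth: {vuln}\n  hardened requires auth:   {hard}")
```

The point of the comparison is that the vulnerable check is a property of the raw request line, so the magic string can live in the query of a request for NETGEAR_D7000.cfg or BRS_swisscom_success.html and still disable authentication, whereas the hardened check keys the exemption to the parsed, canonicalised path and an exact parameter value.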