NETGEAR D7000 Authentication Bypass
Original Post:
We discussed this vulnerability during Episode 81 on 13 September 2021
Authentication bypass by including a magic string in the URL. The string isn’t exactly magic; rather, this page (setcup.cgi) has a single request that needs to be served without authentication. So, in an ad hoc check, the application just looks for a string that is unique to that request line and turns off authentication. The problem is that it doesn’t check any of the context around that string.
If todo=PNPX_GetShareFolderList is present anywhere in the request line, then authentication will be turned off. This can be used to disclose files such as:
NETGEAR_D7000.cfg, which contains the device configuration, including a hashed admin password
BRS_swisscom_success.html, which contains the plaintext admin password
Once the admin password has been disclosed then an attacker can authenticate with the device and enable Telnet for RCE.
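The flawed substring check described above next to a parsed, exact-match replacement, plus a detection pass over access-log request lines, as an added Python example (not NETGEAR's code; the endpoint name is reproduced as the page gives it, and the sample request lines are constructed):

```python
from urllib.parse import urlsplit, parse_qs

# The single request that legitimately needs no login, as the page describes it.
# The endpoint name is reproduced exactly as the page gives it.
ALLOWED_PATH = "/setcup.cgi"
ALLOWED_TODO = "PNPX_GetShareFolderList"
MAGIC = "todo=" + ALLOWED_TODO


def weak_allows_unauthenticated(request_line: str) -> bool:
    """The flawed check: the string anywhere in the request line disables
    authentication, with no regard for which path it is attached to."""
    return MAGIC in request_line


def strict_allows_unauthenticated(request_line: str) -> bool:
    """Hardened check: parse the request line and require the exact path and
    exactly one todo parameter with the expected value."""
    parts = request_line.split(" ")
    if len(parts) != 3:          # METHOD SP request-target SP HTTP-version
        return False
    url = urlsplit(parts[1])
    if url.path != ALLOWED_PATH:
        return False
    params = parse_qs(url.query, keep_blank_values=True)
    # Comparing the whole list rejects duplicate values such as todo=X&todo=Y.
    return params.get("todo") == [ALLOWED_TODO]


def flag_suspicious(request_lines):
    """Detection over access-log request lines: entries the weak check would
    have let through without a login but the strict check rejects."""
    return [line for line in request_lines
            if weak_allows_unauthenticated(line)
            and not strict_allows_unauthenticated(line)]


# Constructed sample request lines (not taken from the page or a real device).
SAMPLE_LOG = [
    "GET /setcup.cgi?todo=PNPX_GetShareFolderList HTTP/1.1",
    "GET /protected/resource?todo=PNPX_GetShareFolderList HTTP/1.1",
    "GET /setcup.cgi?todo=PNPX_GetShareFolderList&todo=other HTTP/1.1",
    "GET /index.htm HTTP/1.1",
]

if __name__ == "__main__":
    for line in flag_suspicious(SAMPLE_LOG):
        print("bypass attempt:", line)
```

Only the first sample line passes the strict check; the second and third are exactly the requests the weak check would have waved through.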