In NETGEAR Nighthawk X10-R9000 prior to 1.0.4.26, an attacker may execute arbitrary system commands as root by sending a specially-crafted MAC address to the "NETGEAR Genie" SOAP endpoint at AdvancedQoS:GetCurrentBandwidthByMAC. Although this requires QoS being enabled, advanced QoS being enabled, and a valid authentication JWT, additional vulnerabilities (CVE-2019-12510) allow an attacker to interact with the entire SOAP API without authentication. Additionally, DNS rebinding techniques may be used to exploit this vulnerability remotely. Exploiting this vulnerability is somewhat involved. The following limitations apply to the payload and must be overcome for successful exploitation: - No more than 17 characters may be used. - At least one colon must be included to prevent mangling. - A single-quote and meta-character must be used to break out of the existing command. - Parent command remnants after the injection point must be dealt with. - The payload must be in all-caps. Despite these limitations, it is still possible to gain access to an interactive root shell via this vulnerability. Since the web server assigns certain HTTP headers to environment variables with all-caps names, it is possible to insert a payload into one such header and reference the subsequent environment variable in the injection point.
References
Link | Resource |
---|---|
https://www.ise.io/casestudies/sohopelessly-broken-2-0/ | Exploit Third Party Advisory |
https://www.ise.io/casestudies/sohopelessly-broken-2-0/ | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 04:23
Type | Values Removed | Values Added |
---|---|---|
References | () https://www.ise.io/casestudies/sohopelessly-broken-2-0/ - Exploit, Third Party Advisory |
Information
Published : 2020-02-24 19:15
Updated : 2024-11-21 04:23
NVD link : CVE-2019-12511
Mitre link : CVE-2019-12511
CVE.ORG link : CVE-2019-12511
JSON object : View
Products Affected
netgear
- nighthawk_x10-r9000
- nighthawk_x10-r9000_firmware
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')