CVE-2013-2751
published 2013-12-12
Priority P180 · critical · 10 CVSS 2.0
CVSS vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 71.60% (99.3th percentile)
Eval injection vulnerability in frontview/lib/np_handler.pl in the FrontView web interface in NETGEAR ReadyNAS RAIDiator before 4.1.12 and 4.2.x before 4.2.24 allows remote attackers to execute arbitrary Perl code via a crafted request, related to the "forgot password workflow."
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | raidiator | >= 4.1 < 4.1.12 | 4.1.12 |
| netgear | raidiator | >= 4.2 < 4.2.24 | 4.2.24 |
Detection & IOCs
command: `#{rand_text_numeric(1)});use MIME::Base64;system(decode_base64("#{Rex::Text.encode_base64(payload.encoded)}")`
- Detect exploit check probe: HTTP GET to /np_handler with SECTION=) returns HTTP 200 with body matching 'syntax error at (eval'
- Monitor HTTPS GET requests to /np_handler endpoint with a SECTION parameter containing Perl injection patterns such as closing parenthesis, semicolons, or Base64-encoded payloads
- Flag HTTP responses from ReadyNAS FrontView containing 'syntax error at (eval' as indicative of active exploitation probing
- The exploit uses MIME::Base64 and system() within the injected SECTION parameter to execute OS commands; look for these strings URL-encoded in GET requests to /np_handler
- Exploit requires SSL (HTTPS on port 443); plain HTTP traffic to port 80 will not carry this attack in default Metasploit configuration
- Module was tested only on an emulated firmware environment (4.2.23), not confirmed on real hardware; detection coverage on physical devices may vary
- Payload space is capped at 4096 bytes accounting for Apache request length and Base64 encoding ratio; payloads exceeding this limit will not be delivered
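
The request-side and response-side checks listed above can be run over web server access logs. The following is an added example, not code from the advisory or from the Metasploit module; the NCSA/Apache log format, the indicator names and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request portion of an access-log entry (NCSA/Apache format is an assumption).
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Indicators named in the detection notes, matched after URL-decoding.
INDICATORS = {
    "closing-paren": re.compile(r"\)"),
    "semicolon": re.compile(r";"),
    "mime-base64": re.compile(r"MIME::Base64", re.I),
    "system-call": re.compile(r"\bsystem\s*\(", re.I),
    "decode-base64": re.compile(r"decode_base64", re.I),
}
ERROR_MARKER = "syntax error at (eval"

def inspect_request(log_line):
    """Return sorted indicator names for a GET to /np_handler, else []."""
    m = REQ_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return []
    url = urlsplit(m.group("target"))
    if not url.path.rstrip("/").endswith("/np_handler"):
        return []
    hits = set()
    # parse_qs percent-decodes each value before the patterns are applied.
    for key, values in parse_qs(url.query, keep_blank_values=True).items():
        if key.upper() == "SECTION":
            for value in values:
                hits.update(n for n, rx in INDICATORS.items() if rx.search(value))
    return sorted(hits)

def response_is_probe_hit(status, body):
    """True when an HTTP 200 body carries the Perl eval error string."""
    return status == 200 and ERROR_MARKER in body

def scan(lines):
    """Return (line_number, indicators) for every flagged log line."""
    return [(i, h) for i, line in enumerate(lines, 1) if (h := inspect_request(line))]

# Constructed sample entries (not captured traffic); "PLACEHOLDER" stands in for a payload.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET /np_handler/?SECTION=status HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Jan/2014:10:00:05 +0000] "GET /np_handler/?SECTION=%29 HTTP/1.1" 200 187',
    '192.0.2.44 - - [01/Jan/2014:10:00:09 +0000] "GET /np_handler/?SECTION=7%29%3Buse%20MIME%3A%3ABase64'
    '%3Bsystem%28decode_base64%28%22PLACEHOLDER%22%29%29 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for line_no, indicators in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(indicators)}")
```

Because FrontView is served over HTTPS, these checks need the device's own access logs or a TLS-terminating proxy in front of it; a single closing parenthesis or semicolon is a weak signal on its own and is best scored together with the other indicators.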
No detection rules found.
Exploit-DB
Netgear ReadyNAS - Perl Code Evaluation (Metasploit)
exploitdb·2013-11-25
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'NETGEAR ReadyNAS Perl Code Evaluation',
  'Description' => %q{
    This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The
    vulnerability exists on the web fronted, specifically on the np_handler.pl component,
    due to the insecure usage of the eval() perl function. This module has been tested
    successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment, not on real
    hardware.
  },
  'Author' =>
    [
      'Craig Young', # Vulnerability discovery
      'hdm', # diff the patch
      'juan vazquez' # Metasploit module
    ],
  'License' => MSF_LICENSE,
  'Referen
```
Metasploit
NETGEAR ReadyNAS Perl Code Evaluation
metasploit
This module exploits a Perl code injection on NETGEAR ReadyNAS 4.2.23 and 4.1.11. The vulnerability exists on the web front end, specifically in the np_handler.pl component, due to an insecure usage of the eval() perl function. This module has been tested successfully on a NETGEAR ReadyNAS 4.2.23 Firmware emulated environment.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/123726/Netgear-ReadyNAS-Complete-System-Takeover.html
- http://www.exploit-db.com/exploits/29815
- http://www.osvdb.org/98826
- http://www.readynas.com/?p=7002
- http://www.tripwire.com/register/security-advisory-netgear-readynas/
- http://www.tripwire.com/state-of-security/vulnerability-management/readynas-flaw-allows-root-access-unauthenticated-http-request/