CVE-2016-10174
published 2017-01-30


Priority: P1 · 92 · critical 9.8 · CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 83.45% (99.6th percentile)
The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.

Detection & IOCs (extracted from sources)

url: /apply.cgi?/lang_check.html
path: /lang_check.html
command: killall telnetenable; killall utelnetd; /usr/sbin/utelnetd -d -l /bin/sh
path: /BRS_netgear_success.html
path: /apply_noauth.cgi?/unauth.cgi
path: /passwordrecovered.cgi
snort
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:established,to_server; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:7; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, cve CVE_2016_10174, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_07; target:dest_ip;)
bytes: BadChars \x00 \x25 \x26
  • Detect exploit POST requests targeting /apply_noauth.cgi?/lang_check.html with 'submit_flag=select_language' and 'hidden_lang_avi=' in the body; the overflow filler is 36 bytes before the ROP chain.
  • The exploit appends a numeric timestamp (8-digit pattern) to the URI: /apply_noauth.cgi?/lang_check.html%20timestamp=<8digits>. Detect URI containing 'lang_check.html' with 'timestamp=' as a combined indicator.
  • After successful exploitation, the router opens a root shell on TCP port 23 (telnet). Detect unexpected telnet connections to router management IPs as a post-exploitation indicator.
  • Fingerprint vulnerable device via WWW-Authenticate header containing 'WNR2000v5' in HTTP 401 responses from the router's web interface.
  • The ROP gadget at libc offset 0x2462C executes: addiu $a0, $sp, 0x40+arg_0 / move $t9, $s0 / jalr $t9 — memory forensics or crash analysis showing this gadget chain indicates active exploitation.
  • The libc base address 0x2ab24000 is specific to libuClibc-0.9.30.1.so on WNR2000v5 firmware. Hardware revisions v3/v4 may require different LibcBase, SystemOffset, and GadgetOffset values.
  • Exploit has been confirmed on WNR2000v5 firmware versions 1.0.0.34 and 1.0.0.18 only; v3/v4 hardware is unconfirmed and may require offset adjustments.
  • Timestamp brute-forcing (unauthenticated path) can take minutes to days depending on time differential; authenticated exploitation is significantly faster by fetching the timestamp directly from /lang_check.html.
  • The exploit payload bad characters are \x00, \x25 (%), and \x26 (&); these must be avoided in any shellcode or ROP chain used against this vulnerability.
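The Snort rule and the bullets above describe the same matching logic: a POST whose URI names lang_check.html and carries a timestamp, and whose body holds a hidden_lang_avi value at least 36 bytes long with no NUL, '%' or '&' in those 36 bytes (a real language code is a short token terminated by '&' well inside that window). The following is an added example, not code from the original page, NETGEAR or Emerging Threats: it re-implements the rule's conditions in Python so they can be run over captured requests offline, and it includes a bad-character check for a payload. The sample requests are constructed, not captured traffic; the libc base and gadget offset are the ones quoted on the page, and the big-endian MIPS word layout and the 192.168.1.1 address are assumptions.

```python
"""Offline matcher for CVE-2016-10174 exploit attempts (ET sid 2024121 logic).

Added example, not code from the original page.  Sample requests are constructed.
"""
from typing import NamedTuple

BAD_CHARS = {0x00, 0x25, 0x26}   # NUL, '%', '&': bytes the exploit payload cannot contain
FILLER_LEN = 36                  # filler bytes before the ROP chain (isdataat:36,relative)
MARKER = b"&hidden_lang_avi="


class Verdict(NamedTuple):
    matched: bool
    reason: str


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def inspect_request(raw: bytes) -> Verdict:
    """Apply the rule's conditions in order and report the first one that fails."""
    method, uri, _headers, body = parse_request(raw)
    if method != b"POST":                       # the language form is submitted by POST
        return Verdict(False, "not a POST")
    if b"/lang_check.html" not in uri:          # http.uri; content:"/lang_check.html"
        return Verdict(False, "uri does not reference lang_check.html")
    if b"timestamp=" not in uri:                # content:"timestamp=" (still in http.uri)
        return Verdict(False, "no timestamp= in uri")
    idx = body.find(MARKER)                     # http.request_body; content:"&hidden_lang_avi="
    if idx < 0:
        return Verdict(False, "no hidden_lang_avi parameter in body")
    value = body[idx + len(MARKER):]
    if len(value) < FILLER_LEN:                 # isdataat:36,relative
        return Verdict(False, "hidden_lang_avi value shorter than the 36-byte filler")
    window = value[:FILLER_LEN]
    # content:!"|00|" / !"|25|" / !"|26|" within:36 -- an ordinary form field is
    # terminated by '&' (or percent-encoded) well inside the first 36 bytes.
    if any(b in BAD_CHARS for b in window):
        return Verdict(False, "NUL, '%' or '&' inside the first 36 bytes: ordinary form field")
    return Verdict(True, f"overflow-sized hidden_lang_avi value ({len(value)} bytes)")


def payload_has_bad_chars(payload: bytes) -> list:
    """Offsets of bytes an exploit author must avoid (NUL, '%', '&')."""
    return [i for i, b in enumerate(payload) if b in BAD_CHARS]


# Constructed sample traffic (not real captures).
LIBC_BASE = 0x2AB24000                               # page: libuClibc-0.9.30.1.so on WNR2000v5
GADGET = (LIBC_BASE + 0x2462C).to_bytes(4, "big")    # page's gadget offset; big-endian assumed
URI = b"/apply_noauth.cgi?/lang_check.html%20timestamp=12345678"

EXPLOIT_REQUEST = (
    b"POST " + URI + b" HTTP/1.1\r\nHost: 192.168.1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"submit_flag=select_language" + MARKER + b"A" * FILLER_LEN + GADGET * 4
)
# Same form and URI, but a legitimate language change followed by other fields.
BENIGN_REQUEST = (
    b"POST " + URI + b" HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
    b"submit_flag=select_language" + MARKER + b"English&hidden_lang_check=1&p=" + b"x" * 60
)
# Legitimate language change with nothing after the value.
SHORT_REQUEST = (
    b"POST " + URI + b" HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"
    b"submit_flag=select_language" + MARKER + b"English"
)


if __name__ == "__main__":
    for name, req in (("exploit", EXPLOIT_REQUEST), ("benign", BENIGN_REQUEST),
                      ("short", SHORT_REQUEST)):
        print(name, inspect_request(req))
    print("bad chars in ROP words:", payload_has_bad_chars(GADGET * 4))
```

The matcher follows the Snort rule rather than the bullet's 8-digit timestamp pattern: the rule only requires the substring "timestamp=" in the URI, which also catches the authenticated /apply.cgi path where the timestamp is fetched rather than brute-forced. The `payload_has_bad_chars` helper is the check an analyst would run over a recovered chain to confirm it is consistent with this bug's \x00, '%', '&' constraints.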

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL