CVE-2016-10174
Published 2017-01-30
Priority P1 · 92 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 83.45% (99.6th percentile)
The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.
Detection & IOCs (extracted from sources)
Snort rule:
alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:established,to_server; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:7; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, cve CVE_2016_10174, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_07; target:dest_ip;)
Bad bytes:
BadChars: \x00\x25\x26
- Detect exploit POST requests targeting /apply_noauth.cgi?/lang_check.html with 'submit_flag=select_language' and 'hidden_lang_avi=' in the body; the overflow filler is 36 bytes before the ROP chain.
- The exploit appends a numeric timestamp (8-digit pattern) to the URI: /apply_noauth.cgi?/lang_check.html%20timestamp=<8digits>. Detect a URI containing 'lang_check.html' together with 'timestamp=' as a combined indicator.
- After successful exploitation, the router opens a root shell on TCP port 23 (telnet). Detect unexpected telnet connections to router management IPs as a post-exploitation indicator.
- Fingerprint a vulnerable device via a WWW-Authenticate header containing 'WNR2000v5' in HTTP 401 responses from the router's web interface.
- The ROP gadget at libc offset 0x2462C executes: addiu $a0, $sp, 0x40+arg_0 / move $t9, $s0 / jalr $t9; memory forensics or crash analysis showing this gadget chain indicates active exploitation.
- The libc base address 0x2ab24000 is specific to libuClibc-0.9.30.1.so on WNR2000v5 firmware. Hardware revisions v3/v4 may require different LibcBase, SystemOffset, and GadgetOffset values.
- The exploit has been confirmed on WNR2000v5 firmware versions 1.0.0.34 and 1.0.0.18 only; v3/v4 hardware is unconfirmed and may require offset adjustments.
- Timestamp brute-forcing (unauthenticated path) can take minutes to days depending on the time differential; authenticated exploitation is significantly faster because the timestamp is fetched directly from /lang_check.html.
- The exploit payload bad characters are \x00, \x25 (%), and \x26 (&); these must be absent from any shellcode or ROP chain used against this vulnerability.
CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
- CISA: 9.8 CRITICAL
CISA
NETGEAR WNR2000v5 Router Buffer Overflow Vulnerability
cisa · 2022-03-25 · CVSS 9.8 · CVE-2016-10174 [CRITICAL] · CWE-119
Affected: NETGEAR WNR2000v5 Router
The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2016-10174
Remediation Due Date: 2022-04-15
GHSA
GHSA-rgmj-9q73-5phf
ghsa_unreviewed · 2022-05-17 · CVE-2016-10174 [CRITICAL] · CWE-119
The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.
VulnCheck
NETGEAR WNR2000v5 Router Buffer Overflow Vulnerability
vulncheck · 2016 · CVSS 9.8 · CVE-2016-10174 [CRITICAL] · CWE-119
The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution.
Affected: NETGEAR WNR2000v5 Router
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://eclypsium.com/blog/vulnerabilities-in-netgear-firmware-based-iot-devices-in-the-enterprise/
- https://www.zscaler.com/resources/industry-reports/threatlabz-mobile-iot-ot-report.pdf
Remediation Due: 2022-04-15
Suricata
ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)
suricata · 2017-03-30 · CVSS 9.8 · CVE-2016-10174 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT NETGEAR WNR2000v5 hidden_lang_avi Stack Overflow (CVE-2016-10174)"; flow:established,to_server; http.uri; content:"/lang_check.html"; content:"timestamp="; http.request_body; content:"&hidden_lang_avi="; isdataat:36,relative; content:!"|00|"; within:36; content:!"|25|"; within:36; content:!"|26|"; within:36; classtype:attempted-admin; sid:2024121; rev:7; metadata:affected_product Netgear_Router, attack_target Client_Endpoint, created_at 2017_03_30, cve CVE_2016_10174, deployment Perimeter, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_03_07; target:dest_ip;)
Exploit-DB
Netgear WNR2000v5 - 'hidden_lang_avi' Remote Stack Overflow (Metasploit)
exploitdb · 2017-03-24 · CVE-2016-10174
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'time'
class MetasploitModule 'NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Overflow',
'Description' => %q{
The NETGEAR WNR2000 router has a buffer overflow vulnerability in the hidden_lang_avi
parameter.
In order to exploit it, it is necessary to guess the value of a certain timestamp which
is in the configuration of the router. An authenticated attacker can simply fetch this
from a page, but an unauthenticated attacker has to brute force it.
Bruteforcing the timestamp token might take a few minutes, a few hours, or days, but
it is gua
Exploit-DB
Netgear WNR2000v5 - Remote Code Execution
exploitdb · 2016-12-21 · CVE-2016-10176
---
#
# Remote code execution in NETGEAR WNR2000v5
# - by Pedro Ribeiro ([email protected]) / Agile Information Security
# Released on 20/12/2016
#
# NOTE: this exploit is "alpha" quality and has been deprecated. Please see the modules
# accepted into the Metasploit framework, or https://github.com/pedrib/PoC/tree/master/exploits/metasploit/wnr2000
#
#
# TODO:
# - randomise payload
require 'net/http'
require 'uri'
require 'time'
require 'digest'
require 'openssl'
require 'socket'
####################
# ported from https://git.uclibc.org/uClibc/tree/libc/stdlib/random.c
# and https://git.uclibc.org/uClibc/tree/libc/stdlib/random_r.c
TYPE_3 = 3
BREAK_3 = 128
DEG_3 = 31
SEP_3 = 3
@randtbl =
[
# we omit TYPE_3 from here, not needed
-1726662223, 37
Metasploit
NETGEAR WNR2000v5 (Un)authenticated hidden_lang_avi Stack Buffer Overflow
metasploit
The NETGEAR WNR2000 router has a stack buffer overflow vulnerability in the hidden_lang_avi parameter. In order to exploit it, it is necessary to guess the value of a certain timestamp which is in the configuration of the router. An authenticated attacker can simply fetch this from a page, but an unauthenticated attacker has to brute force it. Brute forcing the timestamp token might take a few minutes, a few hours, or days, but it is guaranteed that it can be bruteforced. This module implements both modes, and it works very reliably. It has been tested with the WNR2000v5, firmware versions 1.0.0.34 and 1.0.0.18. It should also work with hardware revisions v4 and v3, but this has not been tested - with these routers
No writeups or analysis indexed.
References
- http://kb.netgear.com/000036549/Insecure-Remote-Access-and-Command-Execution-Security-Vulnerability
- http://seclists.org/fulldisclosure/2016/Dec/72
- http://www.securityfocus.com/bid/95867
- https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear-wnr2000.txt
- https://www.exploit-db.com/exploits/40949/
- https://www.exploit-db.com/exploits/41719/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-10174
Timeline
- 2017-01-30: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild