cbcvebase.
CVE-2017-6334
published 2017-03-06

CVE-2017-6334: dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell…

Priority: P190, high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 72.20% (99.4th percentile)
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077.

Affected

2 ranges
Vendor  | Product                 | Version range | Fixed in
netgear | dgn2200_firmware        | <= 10.0.0.50  |
netgear | dgn2200_series_firmware | <= 10.0.0.50  |

Detection & IOCs (extracted from sources)

path: /dnslookup.cgi
command: POST /dnslookup.cgi host_name=www.google.com; <cmd>
url: http://<target>/dnslookup.cgi
  • Detect HTTP POST requests to /dnslookup.cgi containing shell metacharacters (e.g., semicolons) in the host_name parameter, which indicates command injection exploitation.
  • Look for POST body pattern: host_name=<legitimate_host>; <injected_command> with lookup=Lookup targeting /dnslookup.cgi.
  • Check for Basic Authentication header combined with POST to /dnslookup.cgi; the Metasploit module base64-encodes credentials and injects payload into host_name field.
  • Fingerprint vulnerable devices by checking WWW-Authenticate header for 'Basic realm="NETGEAR DGN2200v1/v2/v3/v4"' on the root path.
  • Alert on presence of /bin/bd execution on NETGEAR DGN2200 devices; this SUID backdoor binary exists on some firmware versions and can be used for privilege escalation post-exploitation.
  • CVE-2017-6334 is actively exploited in the wild and listed in CISA KEV; prioritize detection on any DGN2200 device still in use, as the product is end-of-life.
  • Hardcoded credentials (Gearguy/Geardog and Guest/Guest) are present on SOME firmware versions and can be used in place of admin/password for exploitation.
  • The SUID backdoor /bin/bd is only present on some firmware versions, not all; privilege escalation path varies by firmware build.
  • All firmware versions from 10.0.0.20 (initial release) through 10.0.0.50 (latest) are affected across DGN2200v1, v2, v3, and v4 hardware revisions.
  • CVE-2017-6334 can be chained with the CSRF vulnerability (CVE-2017-6366) to achieve unauthenticated RCE by tricking a logged-in router user into visiting a malicious page.
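
The first three detection points above can be combined into one check over captured HTTP requests. The following is an added example, not code from this page or its sources: the function name, the raw-request input format and the sample requests are constructed for illustration, and it generalizes the semicolon check to an allowlist, flagging any host_name value that is not made up solely of hostname or IP-literal characters.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist: a DNS name or IP literal uses only these characters, so any
# other byte in host_name (";", "|", "`", "$", space, ...) is suspicious.
VALID_HOST = re.compile(r"[A-Za-z0-9.\-:]{0,253}")

def inspect_request(raw: str):
    """Return a finding dict for a suspicious POST to /dnslookup.cgi, else None."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    try:
        method, target, _version = lines[0].split(" ", 2)
    except ValueError:
        return None  # not a parseable request line
    if method.upper() != "POST" or urlsplit(target).path != "/dnslookup.cgi":
        return None
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    # parse_qs URL-decodes values, so an encoded %3B is seen as ";".
    form = parse_qs(body, keep_blank_values=True, separator="&")
    bad = [v for v in form.get("host_name", []) if not VALID_HOST.fullmatch(v)]
    if not bad:
        return None
    return {
        "host_name": bad[0],
        "basic_auth": headers.get("authorization", "").lower().startswith("basic "),
        "lookup": form.get("lookup") == ["Lookup"],
    }

# Constructed sample requests (192.0.2.1 is a documentation address and
# <cmd> is the placeholder used on this page, not a real command).
_HEAD = ("POST /dnslookup.cgi HTTP/1.1\r\nHost: 192.0.2.1\r\n"
         "Authorization: Basic PLACEHOLDER\r\n\r\n")
BENIGN = _HEAD + "host_name=www.google.com&lookup=Lookup"
SUSPICIOUS = _HEAD + "host_name=www.google.com%3B+%3Ccmd%3E&lookup=Lookup"
OTHER = "GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS), ("other", OTHER)):
        print(name, inspect_request(req))
```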

CVSS provenance

Source    | Version | Score | Severity | Vector
nvd       | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck |         | 8.8   | HIGH     |
cisa      |         | 8.8   | HIGH     |