CVE-2017-6334
Published: 2017-03-06
Priority: P1 · 90 · high · CVSS 3.1 base score 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Status: CISA Known Exploited Vulnerability (remediation due 2022-04-15) · Exploited in the wild
EPSS: 72.20% (99.4th percentile)
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgear | dgn2200_firmware | <= 10.0.0.50 | — |
| netgear | dgn2200_series_firmware | <= 10.0.0.50 | — |
Detection & IOCs (extracted from sources)
Detection
- Detect HTTP POST requests to /dnslookup.cgi containing shell metacharacters (e.g., semicolons) in the host_name parameter, which indicates command injection exploitation.
- Look for the POST body pattern `host_name=<legitimate_host>; <injected_command>` together with `lookup=Lookup`, targeting /dnslookup.cgi.
- Check for a Basic Authentication header combined with a POST to /dnslookup.cgi; the Metasploit module base64-encodes credentials and injects the payload into the host_name field.
- Fingerprint vulnerable devices by checking the WWW-Authenticate header for `Basic realm="NETGEAR DGN2200v1/v2/v3/v4"` on the root path.
- Alert on execution of /bin/bd on NETGEAR DGN2200 devices; this SUID backdoor binary exists on some firmware versions and can be used for privilege escalation post-exploitation.
- CVE-2017-6334 is actively exploited in the wild and listed in CISA KEV; prioritize detection on any DGN2200 device still in use, as the product is end-of-life.
Notes
- Hardcoded credentials (Gearguy/Geardog and Guest/Guest) are present on SOME firmware versions and can be used in place of admin/password for exploitation.
- The SUID backdoor /bin/bd is only present on some firmware versions, not all; the privilege escalation path varies by firmware build.
- All firmware versions from 10.0.0.20 (initial release) through 10.0.0.50 (latest) are affected across DGN2200v1, v2, v3, and v4 hardware revisions.
- CVE-2017-6334 can be chained with the CSRF vulnerability (CVE-2017-6366) to achieve unauthenticated RCE by tricking a logged-in router user into visiting a malicious page.
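The request-level checks listed above, as an added Python example that is not part of this record or of any of the sources it cites. It parses a raw HTTP request and applies the stated conditions (POST to /dnslookup.cgi, URL-decoded host_name containing shell metacharacters, a Basic auth header, a Referer naming DIAG_diag.htm) and returns a verdict a log pipeline can act on. The two sample requests are constructed, not captured traffic; the Basic value is the base64 form of the admin/password pair this record names; the function names are my own.

```python
"""Detection helper for the CVE-2017-6334 request pattern.

Added example, not part of this record or its sources. It parses a raw HTTP
request and applies the conditions listed above: POST to /dnslookup.cgi,
a URL-decoded host_name that contains shell metacharacters, a Basic auth
header, and a Referer pointing at DIAG_diag.htm. The sample requests below
are constructed, not captured traffic.
"""
from urllib.parse import parse_qs

# Characters that let a host_name value break out of the shell command
# that dnslookup.cgi builds around it.
SHELL_METACHARS = set(";|&`$()\n\r")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": target.split("?", 1)[0],
        "headers": headers,
        "body": body.decode("latin-1"),
    }


def check_dnslookup_injection(raw: bytes) -> dict:
    """Return a verdict; 'match' is True only when host_name carries metacharacters."""
    req = parse_http_request(raw)
    verdict = {"match": False, "host_name": None, "reasons": []}
    if req["method"] != "POST" or req["path"] != "/dnslookup.cgi":
        return verdict
    # parse_qs URL-decodes, so %3B and %0a arrive here as ';' and '\n'.
    form = parse_qs(req["body"], keep_blank_values=True)
    host_name = form.get("host_name", [None])[0]
    verdict["host_name"] = host_name
    if host_name is None:
        return verdict
    bad = sorted(c for c in set(host_name) if c in SHELL_METACHARS)
    if bad:
        verdict["match"] = True
        verdict["reasons"].append(f"shell metacharacters in host_name: {bad!r}")
    # Context signals: not sufficient on their own, but they raise confidence.
    auth = req["headers"].get("authorization", "")
    if auth.lower().startswith("basic "):
        verdict["reasons"].append("Basic auth header present (authenticated path)")
    if "DIAG_diag.htm" in req["headers"].get("referer", ""):
        verdict["reasons"].append("Referer names DIAG_diag.htm (the header string the ET rule matches)")
    return verdict


# Constructed samples. The Basic value is base64 of admin:password, the
# default credential pair this record names.
BENIGN_REQUEST = (
    b"POST /dnslookup.cgi HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n"
    b"Referer: http://192.168.0.1/DIAG_diag.htm\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"host_name=example.com&lookup=Lookup"
)

# Same request with an encoded semicolon in host_name, the injection shape
# described in the detection notes.
SUSPICIOUS_REQUEST = BENIGN_REQUEST.replace(
    b"host_name=example.com&", b"host_name=example.com%3Bid&"
)

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(label, check_dnslookup_injection(raw))
```

The metacharacter test runs on the decoded value rather than the raw body, so percent-encoded separators are caught; the Basic auth and Referer checks are recorded as supporting reasons but never trigger a match on their own, which keeps legitimate lookups from the diagnostics page out of the alert queue.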
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
CISA
NETGEAR DGN2200 Devices OS Command Injection Vulnerability
cisa·2022-03-25·CVSS 8.8·CVE-2017-6334 [HIGH]·CWE-78
Affected: NETGEAR DGN2200 Devices
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-6334
Remediation Due Date: 2022-04-15
GHSA
GHSA-f99c-gfmc-7mwv: Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10
ghsa_unreviewed·2022-05-17·CVSS 8.8·CVE-2017-6366 [HIGH]·CWE-352
Cross-site request forgery (CSRF) vulnerability in NETGEAR DGN2200 routers with firmware 10.0.0.20 through 10.0.0.50 allows remote attackers to hijack the authentication of users for requests that perform DNS lookups via the host_name parameter to dnslookup.cgi. NOTE: this issue can be combined with CVE-2017-6334 to execute arbitrary code remotely.
GHSA
GHSA-fmcr-2q62-c3m5: dnslookup
ghsa_unreviewed·2022-05-13·CVSS 9.8·CVE-2017-6334 [CRITICAL]·CWE-78
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the host_name field of an HTTP POST request, a different vulnerability than CVE-2017-6077.
VulnCheck
NETGEAR DGN2200 Devices OS Command Injection Vulnerability
vulncheck·2017·CVSS 8.8·CVE-2017-6334 [HIGH]·CWE-78
dnslookup.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands
Affected: NETGEAR DGN2200 Devices
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Exploitation References:
- https://web.archive.org/web/20200319160240/https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/
- https://cybersecurity.att.com/blogs/labs-research/att-alien-labs-finds-new-golang-malwarebotenago-targeting-millions-of-routers-and-iot-devices-with-more-than-30-exploits
- https://cybersecurity.att.com/blogs/labs-research/botenago-strike-again-malware-source-code-uploaded-to-github
- https:
Suricata
ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)
suricata·2019-03-18·CVSS 8.8·CVE-2017-6334 [HIGH]
Rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Netgear DGN2200 RCE (CVE-2017-6334)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/dnslookup.cgi"; startswith; endswith; http.header; content:"DIAG_diag.htm|0d 0a|"; fast_pattern; http.request_body; content:"host_name="; startswith; content:"|3b|"; distance:0; reference:url,www.exploit-db.com/exploits/41394; reference:cve,2017-6334; classtype:attempted-user; sid:2027094; rev:4; metadata:attack_target IoT, created_at 2019_03_18, cve CVE_2017_6334, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_04_13;)
```
Exploit-DB
Netgear DGN2200 - 'dnslookup.cgi' Command Injection (Metasploit)
exploitdb·2017-06-26·CVE-2017-6334
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'net/http'
require "base64"
class MetasploitModule "Netgear DGN2200 dnslookup.cgi Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability in NETGEAR
DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request
with valid login details.
},
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Author' => [
'thecarterb', # Metasploit Module
'SivertPL' # Vuln discovery
],
'DefaultTarget' => 0,
'Privileged' => true,
'Arch' => [ARCH_CMD],
'Targets' => [
[ 'NETGEAR DDGN2200 Router', { } ]
],
'References' =>
[
[ 'EDB', '41459'],
[ 'CVE', '2
```
Exploit-DB
Netgear DGN2200v1/v2/v3/v4 - Cross-Site Request Forgery
exploitdb·2017-02-28·CVSS 9.8·CVE-2017-6334 [CRITICAL]
---
```
# Exploit Title: NETGEAR Firmware DGN2200v1/v2/v3/v4 CSRF which leads to RCE through CVE-2017-6334
# Date: 2017-02-28
# Exploit Author: SivertPL
# Vendor Homepage: http://netgear.com/
# Software Link: http://www.downloads.netgear.com/files/GDC/DGN2200/DGN2200%20Firmware%20Version%201.0.0.20%20-%20Initial%20Release%20(NA).zip
# Version: 10.0.0.20 (initial) - 10.0.0.50 (latest, still 0-day!)
# Tested on: DGN2200v1,v2,v3,v4
# CVE: CVE-2017-6366
```
A quite dangerous CSRF was discovered on all DGN2200 firmwares.
When chained with either CVE-2017-6077 or CVE-2017-6334, it allows for unauthenticated (sic!) RCE after tricking somebody logged in to the router into viewing a website.
netgear router CSRF
Would You Dare To?
Exploit-DB
Netgear DGN2200v1/v2/v3/v4 - 'dnslookup.cgi' Remote Command Execution
exploitdb·2017-02-25·CVE-2017-6334
---
```python
#!/usr/bin/python
#Provides access to default user account, privileges can be easily elevated by using either:
# - a kernel exploit (ex. memodipper was tested and it worked)
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)
#Pozdrawiam: Kornela, Komara i Sknerusa
import sys
import requests
#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to
login = 'admin'
password = 'password'
```
Metasploit
Netgear DGN2200 dnslookup.cgi Command Injection
metasploit
This module exploits a command injection vulnerability in NETGEAR DGN2200v1/v2/v3/v4 routers by sending a specially crafted post request with valid login details.
References:
- http://www.securityfocus.com/bid/96463
- https://www.exploit-db.com/exploits/41459/
- https://www.exploit-db.com/exploits/41472/
- https://www.exploit-db.com/exploits/42257/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-6334
Timeline
- 2017-03-06: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild