0x00 Vulnerability description
There is an authentication bypass vulnerability in the web interface of several Netgear device models. When the requested URL ends with ".jpg", the request is treated as an image and served without authentication. An attacker can therefore bypass authentication simply by appending such a suffix to the request, for example:
http://target/*.htm?x=1.jpg or http://target/*.cgi?A=a&B=b&...&x=1.jpg
The behaviour differs between models: on some models the bypass only works for .cgi pages and not for .htm pages, on others it only works for GET requests and not for POST requests, and because no single page exists on every affected model, it is difficult to construct a generic PoC.
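The following is an added example, not code from the advisory or from Netgear firmware. It reconstructs the flawed decision described above (an allow-list check applied to the whole request string, so a query string ending in ".jpg" exempts a page) next to a hardened check that decides on the path component only, and adds a small access-log scan that flags requests carrying that pattern. The suffix lists, log format and log lines are assumptions constructed for the example.

```python
"""Added example: suffix-based auth exemption done wrong and done right,
plus a log check for the bypass pattern. Not from the original advisory."""
import re
from urllib.parse import urlsplit

STATIC_SUFFIXES = (".jpg", ".gif", ".png", ".css", ".js")   # assumed allow-list
PROTECTED_SUFFIXES = (".htm", ".html", ".cgi")               # assumed page types


def is_public_naive(request_uri: str) -> bool:
    """Flawed check, as the advisory describes: it looks at the whole request
    string, so '/start.htm?x=1.jpg' is mistaken for an image."""
    return request_uri.lower().endswith(STATIC_SUFFIXES)


def is_public_fixed(request_uri: str) -> bool:
    """Hardened check: drop the query string, decide on the path component
    only, and never exempt script or page paths regardless of suffix."""
    path = urlsplit(request_uri).path.lower().rstrip("/")
    if path.endswith(PROTECTED_SUFFIXES):
        return False
    return path.endswith(STATIC_SUFFIXES)


# Common-log-format request line: "GET /path?query HTTP/1.1" 200 (assumed format)
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def find_bypass_attempts(log_lines):
    """Return (uri, status) for log lines where a protected page is requested
    with a query string that ends in a static-asset suffix."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("uri"))
        if (parts.path.lower().endswith(PROTECTED_SUFFIXES)
                and parts.query.lower().endswith(STATIC_SUFFIXES)):
            hits.append((m.group("uri"), int(m.group("status"))))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /start.htm?x=1.jpg HTTP/1.1" 200 4120',
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /images/logo.jpg HTTP/1.1" 200 913',
    '10.0.0.5 - - [01/Jan/2020:10:00:02 +0000] "GET /start.htm HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for uri, status in find_bypass_attempts(SAMPLE_LOG):
        print(f"possible auth bypass: {uri} -> HTTP {status}")
```

A 200 on such a request, where a plain request to the same page returns 401, is the signature worth alerting on.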
0x01 Exp usage example
The exploit is not being disclosed for the time being.
0x02 Affected version
MBR1515 MBR1516 DGN2200 DGN2200M DGND3700 WNR2000v2 WNDR3300 WNDR3400 WNR3500 WNR834Bv2
0x03 PoC verification
Devices running the affected versions can be located using FOFA dork syntax.
When you visit /start.htm?x=1.jpg, the corresponding page is returned, but the resources it loads still fail authorization: the bypass only applied to the request for start.htm itself, and each subsequent request is still unauthenticated. If ?x=1.jpg is appended to every request, all of the interface pages can be displayed.
Verification for the remaining affected versions is the same as above.
Thanks to the partners who discovered the vulnerability together: