################################################################################

METADATA DETAILS

Title:
    ACSA-2015-001
    CVE-2016-1555 - Command injection independently discovered by Chen et al. The original CVE-2016-1555 enumerates only a part of the whole set of affected products.

Timeline:
    03 Nov 2014 - [Researcher] discovery
    02 Dec 2015 - [Researcher] sends vendor notification at security@netgear.com, public disclosure set for 28 Dec 2015
    10 Dec 2015 - [Researcher] sends vendor notification at security@netgear.com with all the details and PoC, public disclosure set for 28 Dec 2015
    16 Dec 2015 - [Vendor] replies requesting "a standard 90-days grace period before public disclosure" and to fill "NETGEAR Product Vulnerability Reporting Submission Form.xlsx"
    17 Dec 2015 - [Researcher] replies with filled "ACSA-2015-001 - NETGEAR Product Vulnerability Reporting Submission Form.xlsx", agrees to 90-days grace period, asks vendor to create CVE numbers and notify/acknowledge the researcher
    12 Jan 2016 - [Researcher] follows up with the vendor on the status and CVE numbers
    04 Mar 2016 - [Researcher] reminds about 90-days grace period and public disclosure 31 Mar 2016
    17 Mar 2016 - 90-days grace period expires
    31 Mar 2016 - [Researcher] proceeds to public disclosure

Author:
    Andrei Costin, "FIRMWARE.RE" project
    andrei@firmware.re
    Vulnerability discovered using "FIRMWARE.RE" platform/service

0. Vulnerability:

a) pre-auth Remote Command Execution/Injection (RCE/RCI), effectively gaining root (webserver user) on the device
a*) "web non-admin" authenticated user Remote Command Execution/Injection (RCE/RCI), effectively gaining root (webserver user) on the device
b) pre-auth Cross-Site Scripting (XSS)
b*) "web non-admin" authenticated user Cross-Site Scripting (XSS)

1. NetGear products

WG102
WG103

*WN604
*WNDAP350
*WNDAP360
*WNAP320
*WNAP210
*WNDAP660
*WNDAP620

**WNDAP380R
**WNDAP380R(v2)
**WN370
**WND930

All these products for the bulk of their firmware versions are prone
to "pre-auth command injection via vulnerable web interface module".

Product WG103 is affected by "pre-auth command injection via
vulnerable web interface module" in *ALL* its current firmware versions, 
and has no known fix. 

Products with (*) have fixes in the last 1-2 version(s), but the fix
does not remove the core issue. The last 1-2 version(s) are prone to
"web non-admin authenticated user Remote Command Execution/Injection" and the issue can be
triggered with any "web non-admin" authenticated user. The "web admin"
and "web non-admin" authenticated users can be exploited with
XSS (in the same module(s) as the one affected by the RCE) to
gain access to their cookie/session and then trigger the "command
injection". Firmware versions prior to the last 1-2 version(s) are prone to the
original "pre-auth command injection via vulnerable web interface module",
where no web user account is required to trigger the RCE and the XSS in
the affected module(s).

Products with (**) are most likely affected too, but I could not verify them yet.


1.1 Is it for Home / Business / Service Provider, is it a Router, Wifi, Camera, Storage, etc

Mainly Business/Pro devices of Router class.


2. What are the requirements to attack the affected products?

Being able to ping the affected device and open its web interface
(192.168.1.1 or 192.168.1.254).
Being connected to the Ethernet or WiFi medium of the product, i.e.:
 - if the WiFi requires WLAN authentication, the attacker must first WLAN-authenticate;
 - if the WiFi is open or the Ethernet LAN is accessible, then there are no
other requirements than being able to access the device web interface
(192.168.0.1 or 192.168.1.254)


2.1 Since WWW/WAN is also exposed, does it mean that any device of this sort you can find using Shodan on the Internet can be attacked?

Yes.
https://www.shodan.io/search?query=title%3A%22Netgear%22+PHP


2.2 Does it need to be configured in some way?

No.


2.3 Is the default (factory reset) version of the product affected?

Yes, as far as I have analyzed.


2.4 Is there a configuration change that can make the product unaffected? (turning off UPnP for example?)

No.

Products with (*) have fixes in the last 1-2 version(s), but the fix
does not remove the core issue. The last 1-2 version(s) are prone to
"web non-admin authenticated user Remote Command Execution/Injection" and the issue can be
triggered with any "web non-admin" authenticated user. The web admin and
"web non-admin" users can be exploited with XSS to gain access to their
cookie/session.


3. Regarding the "Pre Auth OS Command Injection" what are the requirements?

 - Being able to ping the affected device and open its web interface
(192.168.1.1 or 192.168.1.254)


3.1 What commands can be injected?

Any.


3.2 Can parameters to this command be provided?

Yes.

3.3 Are there any restrictions on the command line "characters", for example can you only provide alphanumeric characters?

No restrictions as far as I have tested and analyzed.

################################################################################

TECHNICAL DETAILS

The mentioned products ship with a set of vulnerable PHP scripts, namely:
boardDataWW.php
boardDataNA.php
boardDataJP.php
boardData102.php
boardData103.php

The "boardData102.php" and "boardData103.php" are mainly shipped in WG103.
The other files ship with the other products in the list, and the file 
"boardDataJP.php" is present only in the latest versions though.

These scripts take untrusted input from the "macAddress" GET parameter and
use it without sanitization.

***

a) In one case, these scripts use the "macAddress" input to prepopulate an 
input field, which results in XSS.

b) At the same time, these scripts use the "macAddress" to write some 
manufacturer data to the board, via an insecure call to PHP's "exec()" without 
properly sanitizing the input:

exec("wr_mfg_data -m ".$_REQUEST['macAddress']." -c ".$_REQUEST['reginfo'],$dummy,$res);

which results in RCE. 

***

Normally, the access to the vulnerable PHP scripts listed above is UNAUTHENTICATED. 
The latest versions of firmware for products marked with (*) introduced 
the "session_check()" call to check for authenticated users.
However, they did not fix the root cause of these vulnerabilities, namely 
the sanitization of the "macAddress" and "reginfo" parameters. 

The PHP's "echo" and "exec" are still called with UNSANITIZED inputs. 
This can be abused by users without administrative privileges on the 
web-interface (non-admin users) to execute code on the affected devices. 
Also, the XSS vulnerability can be used on authenticated users of the device 
to steal their session token and then execute code via the RCE vulnerability.
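The following is an added example, not NETGEAR's code and not part of the original advisory. It shows how the input handling of the boardData*.php scripts described above (the exec() call and the echo into the input field) would look once the root cause is fixed: allow-list validation of "macAddress" and "reginfo", escapeshellarg() on each shell argument, HTML-attribute encoding of the re-displayed value, and an authorization check rather than the authentication-only session_check(). Every function name, the $is_admin flag and the sample inputs are assumptions for illustration; only the parameter names "macAddress" and "reginfo" and the wr_mfg_data command come from the advisory.

```php
<?php
// Added example (not NETGEAR's code): a hardened version of the boardData*.php
// input handling described in the advisory. Function and parameter names other
// than "macAddress" and "reginfo" are assumptions for illustration.

// Vulnerable pattern quoted in the advisory (kept here as a comment only):
//   exec("wr_mfg_data -m ".$_REQUEST['macAddress']." -c ".$_REQUEST['reginfo'],$dummy,$res);
// Both parameters reach the shell and the page (echo) unsanitized.

/**
 * Validate a MAC address: exactly 12 hex digits, with optional ':' or '-'
 * separators. Returns the normalized 12-hex-digit form, or null if rejected.
 */
function validate_mac(string $raw): ?string {
    if (!preg_match('/^([0-9A-Fa-f]{2})([:-]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$/', $raw)) {
        return null;
    }
    return strtoupper(str_replace([':', '-'], '', $raw));
}

/**
 * Validate the region code: a small non-negative integer only.
 * Returns the integer, or null if rejected.
 */
function validate_reginfo(string $raw): ?int {
    if (!preg_match('/^[0-9]{1,3}$/', $raw)) {
        return null;
    }
    return (int)$raw;
}

/**
 * Build the command line. Even after allow-list validation, each argument is
 * wrapped with escapeshellarg() so shell metacharacters can never change the
 * command structure (defense in depth).
 */
function build_wr_mfg_command(string $mac, int $reginfo): string {
    return 'wr_mfg_data -m ' . escapeshellarg($mac) . ' -c ' . escapeshellarg((string)$reginfo);
}

/**
 * Hardened request handler. $request mirrors $_REQUEST; $is_admin is an
 * assumed authorization result (the advisory only mentions session_check(),
 * an authentication check, which does not stop non-admin users).
 * Returns ['ok' => bool, 'command' => ?string, 'html' => string, 'error' => ?string].
 */
function handle_board_data(array $request, bool $is_admin): array {
    if (!$is_admin) {
        return ['ok' => false, 'command' => null, 'html' => '', 'error' => 'forbidden'];
    }
    $mac = validate_mac((string)($request['macAddress'] ?? ''));
    $reg = validate_reginfo((string)($request['reginfo'] ?? ''));
    if ($mac === null || $reg === null) {
        // Reject: never echo the raw value back and never pass it to a shell.
        return ['ok' => false, 'command' => null, 'html' => '', 'error' => 'invalid input'];
    }
    // The value is re-displayed in the form field; encode it for the HTML
    // attribute context so a quote or angle bracket cannot break out of it.
    $html = '<input type="text" name="macAddress" value="'
          . htmlspecialchars($mac, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
    return ['ok' => true, 'command' => build_wr_mfg_command($mac, $reg), 'html' => $html, 'error' => null];
}

// Demonstration with constructed inputs (a valid MAC, a shell-metacharacter
// string and a markup string) when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        ['macAddress' => '00:11:22:33:44:55', 'reginfo' => '0'],
        ['macAddress' => '001122334455 -c 0 ; echo injected #', 'reginfo' => '0'],
        ['macAddress' => '"><b>markup</b>', 'reginfo' => '0'],
        ['macAddress' => '001122334455', 'reginfo' => '0; reboot'],
    ];
    foreach ($cases as $c) {
        $r = handle_board_data($c, true);
        printf("%-45s reginfo=%-12s => %s\n", json_encode($c['macAddress']), json_encode($c['reginfo']),
               $r['ok'] ? $r['command'] : 'rejected (' . $r['error'] . ')');
    }
}
```

Only the first case produces a command (`wr_mfg_data -m '001122334455' -c '0'`); the other three are rejected before anything reaches exec() or the page. Validation is done against a strict pattern rather than by stripping "bad" characters, because the MAC address and region code have a well-defined shape and anything outside it has no legitimate use in these scripts.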

################################################################################

POC DETAILS

http://NETGEAR-DEVICE-IP/boardDataNA.php?writeData=true&reginfo=0&macAddress=%20001122334455%20-c%200%20;cp%20/etc/passwd%20/tmp/cmdinjfirm-file-touch;%20echo%20#
http://NETGEAR-DEVICE-IP/boardDataNA.php?macAddress=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

################################################################################

WG103
    Latest FW version: 2.0.37

    pre-auth RCE

    Kernel-space:
        Linux "2.6.23-WG103_V2.0.37 mod_unload R4X00 32BIT"

    User-space:
        BusyBox 1.11.0 2011-07-05 10:46:01 IST
        
        /bin
addgroup  busybox  chgrp  cp    delgroup  echo   fgrep   gunzip    ip    login  mknod   mount       nice   pipe_progress  pwd    sed    stat  tar    umount  vi
adduser   cat      chmod  date  df        egrep  getopt  gzip      kill  ls     mktemp  mountpoint  pidof  printenv       rm     sh     su    touch  uname   watch
ash       catv     chown  dd    dmesg     false  grep    hostname  ln    mkdir  more    mv          ping   ps             rmdir  sleep  sync  true   usleep  zcat

        /usr/bin
[         bddatard  clear     diff             du          flash_erase  fuser    ipcs      less     mkfifo     passwd    renice  setsid   sys_reset  tftp  unix2dos  which        xargs
[[        bunzip2   cmp       dirname          dumpleases  fold         head     killall   logger   nmeter     pgrep     reset   sha1sum  tail       time  uptime    who          yes
ar        bzcat     crontab   dos2unix         env         free         hexdump  killall5  logname  nohup      printf    resize  sort     tee        top   watchdog  whoami
awk       bzip2     cut       dropbearconvert  expr        ftpget       id       last      md5sum   od         printmd   scp     ssh      telnet     tty   wc        wifidog
basename  cksum     dbclient  dropbearkey      find        ftpput       ipcrm    length    mesg     panel_led  readlink  seq     strings  test       uniq  wget      wr_mfg_data

        /sbin
arp          halt      ifrename  insmod    iwlist  lighttpd         lsmod       poweroff  route              sulogin      syslogd
freeramdisk  ifconfig  ifup      iwconfig  iwpriv  logread          modprobe    reboot    runlevel           switch_root  udhcpc
getty        ifdown    init      iwevent   klogd   losetup          pivot_root  rmmod     start-stop-daemon  sysctl       vconfig

        /usr/local/bin
80211debug                  destroy_secondary_ip  firmware-upgrade-file                        ntpclient-wrapper      set_timezone.sh   timezone          wpa_supplicant
assign_static_ip            dhcp                  firmware-upgrade-ftp     hostapd_tr          password               snmp              TZ.sh             
athdebug                    dns                   firmware-upgrade-stage2  http_redirect_tr    php                    ssh               udhcpc_wrapper
awddebug                    dumpregs              firmware-upgrade-tftp    nmbd_tr             restart-nmbd           support-debug.sh  urlValidate.php
bridge_and_vlan_translator  ethtool_tr            firmware-upgrade-wget    ntp                 restart-wifidog        syslog            verify-config.sh
date.sh                     firmware-error-check  hostapd                  ntpclient           restore-configuration  telnet            wlanconfig


################################################################################

WN604
    Latest FW version: 3.3.2

    "web non-admin" user RCE

    Kernel-space:
        Linux "2.6.15--LSDK-7.3.0.387-WN604_V3.3.2 MIPS32_R2 32BIT gcc-3.4"

    User-space:
        BusyBox v1.11.0 (2015-06-26 14:38:15 IST)    
        
        /bin
ash      cat    chown  date  dmesg  egrep  fgrep   grep    hostname  kill  login  md     mknod  more   mv    pidof  ps   rm     sed  sleep  sync  touch  umount  vi
busybox  chmod  cp     dd    echo   false  getopt  gunzip  ip        ln    ls     mkdir  mm     mount  nice  ping   pwd  rmdir  sh   su     tar   true   uname   zcat

        /usr/bin
[       awk       bunzip2  crontab  dos2unix  find         fold    ftpput  id       logger   mkfifo     passwd  printmd       seq      tail    test  top       uptime    wget   wr_mfg_data
[[      basename  bzcat    cut      env       flashcp      free    fuser   killall  logname  nohup      pgrep   readlink      sort     tee     tftp  tty       watchdog  which  xargs
arping  bddatard  cksum    dirname  expr      flash_erase  ftpget  head    length   md5sum   panel_led  printf  reset_detect  strings  telnet  time  unix2dos  wc        who    yes

        /sbin
arp    halt      ifrename  insmod    iwevent  iwpriv  lighttpd  lsmod       poweroff  rmmod  start-stop-daemon  syslogd  vconfig
getty  ifconfig  init      iwconfig  iwlist   klogd   logread   pivot_root  reboot    route  switch_root        udhcpc

        /usr/local/bin
80211debug                  date.sh               exr.sh                   hostapd_cli         password               sc_radio         update_hostapd              wpa_and_wpa2_psk
art.sh                      db_enc                firmware-error-check                         php                    set_radio_cron   update_rfStatus             wpa_supplicant
assign_static_ip            destroy_secondary_ip  firmware-upgrade-file    hostapd_tr                                 set_timezone.sh  update_wps_configured       
athdebug                    dhcp                  firmware-upgrade-stage2  nmbd_tr             reset_hostapd.sh       syslog           urlValidate.php
awddebug                    dns                   firmware-upgrade-tftp    ntp                 restart-nmbd           timezone         validate-config-version.sh
bridge_and_vlan_translator  dumpregs              firmware-upgrade-wget    ntpclient           restart-wifidog        TZ.sh            verify-config.sh
client_bridge_tr            dxr.sh                hostapd                  ntpclient-wrapper   restore-configuration  udhcpc_wrapper   wlanconfig

################################################################################

WNDAP350
    Latest FW version: 3.0.0.7

    "web non-admin" user RCE

    Kernel-space:
        Linux "2.6.23-WNDAP350_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

    User-space:
        BusyBox v1.11.0 (2015-06-18 21:22:24 IST)
        
        /bin
addgroup  busybox  chgrp  cp    delgroup  echo   fgrep   gunzip    ip    login  mkdir   mm     mountpoint  pidof          printenv  rm     sh     su    touch   uname   watch
adduser   cat      chmod  date  df        egrep  getopt  gzip      kill  ls     mknod   more   mv          ping           ps        rmdir  sleep  sync  true    usleep  zcat
ash       catv     chown  dd    dmesg     false  grep    hostname  ln    md     mktemp  mount  nice        pipe_progress  pwd       sed    stat   tar   umount  vi

        /usr/bin
[         blink_gpio      cmp       dos2unix         find                        fold         hexdump   length   nandwrite  pgrep         reset_detect   sha1sum  telnet  unix2dos  whoami
[[        bringdown_vaps  crontab   dropbearconvert  firmware_upgrade_led_blink  free         id        less     nmeter     printf        resize         sort     test    uptime    wifidog
ar        bunzip2         curl      dropbearkey      flashcp                     ftpget       ipcrm     logger   nohup      printmd       scp            ssh      tftp    watchdog  wr_mfg_data
arping    bzcat           cut       du               flash_erase                 ftpput       ipcs      logname  od         readlink      seq            strings  time    wc        xargs
awk       bzip2           dbclient  dumpleases       flash_eraseall              fuser        killall   md5sum   openssl    renice        set_ipv6_addr  tac      top     wget      yes
basename  cksum           diff      env              flash_lock                  fw_printenv  killall5  mesg     panel_led  reset         set_manuinfo   tail     tty     which
bddatard  clear           dirname   expr             flash_unlock                head         last      mkfifo   passwd     reset_button  setsid         tee      uniq    who

        /sbin
arp          getty  ifconfig  ifrename  init    iwconfig  iwlist  klogd     logread  lsmod     pivot_root  reboot  route     start-stop-daemon  switch_root  syslogd  vconfig
freeramdisk  halt   ifdown    ifup      insmod  iwevent   iwpriv  lighttpd  losetup  modprobe  poweroff    rmmod   runlevel  sulogin            sysctl       udhcpc

        /usr/local/bin
80211debug                  date.sh               dxr.sh                   hostapd_tr         ntpdate             qos_setdb_x            snmp              upmigration.sh
art.sh                      db_enc                exr.sh                   http_redirect_tr   ntpdate-wrapper     radartool              ssh               urlValidate.php
assign_static_ip            destroy_secondary_ip  firmware-error-check     led_amber          pal.netgear         reset_hostapd.sh       support-debug.sh  validate-config-version.sh
assign_static_ipv6          dhcp                  firmware-upgrade-file    led_green          pal_translator      restart-nmbd           syslog            verify-config.sh
athdebug                    dibbler-client.sh     firmware-upgrade-stage2  led_off            password            restart-wifidog        sysmonitor.sh     versions.sh
awddebug                    dibbler-server.sh     firmware-upgrade-tftp    migration.sh       php                 restore-configuration  telnet            wlanconfig
bridge_and_vlan_translator  dns                   firmware-upgrade-wget    nmbd_tr            pktCapture          sc_radio               timezone          wpa_supplicant
capture_app                 dump_config_logs_tr   hostapd                  ntp                prnt_wlan_buffs.sh  set_radio_cron         TZ.sh             
config_palcfg               dumpregs                                       ntpclient-wrapper  qos_delete_qdiscs   set_timezone.sh        udhcpc_wrapper

################################################################################

WNDAP360
    Latest FW version: 3.0.0.7

    "web non-admin" user RCE

    Kernel-space:
        Linux "2.6.23-WNDAP360_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

    User-space:
        BusyBox v1.11.0 (2015-06-18 21:19:26 IST)

        /bin
addgroup  busybox  chgrp  cp    delgroup  echo   fgrep   gunzip    ip    login  mkdir   mm     mountpoint  pidof          printenv  rm     sh     su    touch   uname   watch
adduser   cat      chmod  date  df        egrep  getopt  gzip      kill  ls     mknod   more   mv          ping           ps        rmdir  sleep  sync  true    usleep  zcat
ash       catv     chown  dd    dmesg     false  grep    hostname  ln    md     mktemp  mount  nice        pipe_progress  pwd       sed    stat   tar   umount  vi

        /usr/bin
[               bunzip2  cut              dumpleases                  flash_lock    head      length     nmeter     printmd       seq            tac     tty       who
[[              bzcat    dbclient         env                         flash_unlock  hexdump   less       nohup      readlink      set_ipv6_addr  tail    uniq      whoami
ar              bzip2    diff             expr                        fold          id        logger     od         renice        set_manuinfo   tee     unix2dos  wifidog
awk             cksum    dirname          find                        free          ipcrm     logname    openssl    reset         setsid         telnet  uptime    wr_mfg_data
basename        clear    dos2unix         firmware_upgrade_led_blink  ftpget        ipcs      md5sum     panel_led  reset_button  sha1sum        test    watchdog  xargs
bddatard        cmp      dropbearconvert  flashcp                     ftpput        killall   mesg       passwd     reset_detect  sort           tftp    wc        yes
blink_gpio      crontab  dropbearkey      flash_erase                 fuser         killall5  mkfifo     pgrep      resize        ssh            time    wget
bringdown_vaps  curl     du               flash_eraseall              fw_printenv   last      nandwrite  printf     scp           strings        top     which

        /sbin
arp          getty  ifconfig  ifrename  init    iwconfig  iwlist  klogd     logread  lsmod     pivot_root  reboot  route     start-stop-daemon  switch_root  syslogd  vconfig
freeramdisk  halt   ifdown    ifup      insmod  iwevent   iwpriv  lighttpd  losetup  modprobe  poweroff    rmmod   runlevel  sulogin            sysctl       udhcpc

        /usr/local/bin
80211debug                  date.sh               dxr.sh                                       ntpclient-wrapper   qos_delete_qdiscs      set_timezone.sh   udhcpc_wrapper
art.sh                      db_enc                exr.sh                   hostapd_tr          ntpdate             qos_setdb_x            snmp              upmigration.sh
assign_static_ip            destroy_secondary_ip  firmware-error-check     http_redirect_tr    ntpdate-wrapper     radartool              ssh               urlValidate.php
assign_static_ipv6          dhcp                  firmware-upgrade-file    led_amber           pal.netgear         reset_hostapd.sh       support-debug.sh  validate-config-version.sh
athdebug                    dibbler-client.sh     firmware-upgrade-ftp     led_green           pal_translator      restart-nmbd           syslog            verify-config.sh
awddebug                    dibbler-server.sh     firmware-upgrade-stage2  led_off             password            restart-wifidog        sysmonitor.sh     versions.sh
bridge_and_vlan_translator  dns                   firmware-upgrade-tftp    migration.sh        php                 restore-configuration  telnet            wlanconfig
capture_app                 dump_config_logs_tr   firmware-upgrade-wget    nmbd_tr             pktCapture          sc_radio               timezone          wpa_supplicant
config_palcfg               dumpregs              hostapd                  ntp                 prnt_wlan_buffs.sh  set_radio_cron         TZ.sh             

################################################################################

WNAP320
    Latest FW version: 3.0.0.7

    "web non-admin" user RCE

    Kernel-space:
        Linux "2.6.23-WNAP320_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

    User-space:
        BusyBox v1.11.0 (2015-06-18 21:25:40 IST)

        /bin
addgroup  busybox             catv   chown  dd        dmesg  false   grep    hostname  ln     mkdir   more        mv     ping           ps   rmdir  sleep  sync   true    usleep  zcat
adduser                       chgrp  cp     delgroup  echo   fgrep   gunzip  ip        login  mknod   mount       nice   pipe_progress  pwd  sed    stat   tar    umount  vi
ash       cat                 chmod  date   df        egrep  getopt  gzip    kill      ls     mktemp  mountpoint  pidof  printenv       rm   sh     su     touch  uname   watch


        /usr/bin
[         blink_gpio      cmp       dos2unix         find                        fold         hexdump   length   nandwrite  pgrep         reset_detect   sha1sum  telnet  unix2dos  whoami
[[        bringdown_vaps  crontab   dropbearconvert  firmware_upgrade_led_blink  free         id        less     nmeter     printf        resize         sort     test    uptime    wifidog
ar        bunzip2         curl      dropbearkey      flashcp                     ftpget       ipcrm     logger   nohup      printmd       scp            ssh      tftp    watchdog  wr_mfg_data
arping    bzcat           cut       du               flash_erase                 ftpput       ipcs      logname  od         readlink      seq            strings  time    wc        xargs
awk       bzip2           dbclient  dumpleases       flash_eraseall              fuser        killall   md5sum   openssl    renice        set_ipv6_addr  tac      top     wget      yes
basename  cksum           diff      env              flash_lock                  fw_printenv  killall5  mesg     panel_led  reset         set_manuinfo   tail     tty     which
bddatard  clear           dirname   expr             flash_unlock                head         last      mkfifo   passwd     reset_button  setsid         tee      uniq    who


        /sbin
arp          getty  ifconfig  ifrename  init    iwconfig  iwlist  klogd     logread  lsmod     pivot_root  reboot  route     start-stop-daemon  switch_root  syslogd  vconfig
freeramdisk  halt   ifdown    ifup      insmod  iwevent   iwpriv  lighttpd  losetup  modprobe  poweroff    rmmod   runlevel  sulogin            sysctl       udhcpc

        /usr/local/bin
80211debug                  date.sh               exr.sh                   http_redirect_tr   pal.netgear         restart-nmbd           sysmonitor.sh               wlanconfig
art.sh                      db_enc                firmware-error-check     led_amber          pal_translator      restart-wifidog        telnet                      wpa_supplicant
assign_static_ip            destroy_secondary_ip  firmware-upgrade-file    led_green          password            restore-configuration  timezone                    
assign_static_ipv6          dhcp                  firmware-upgrade-ftp     led_off            php                 sc_radio               TZ.sh
athdebug                    dibbler-client.sh     firmware-upgrade-stage2  migration.sh       pktCapture          set_radio_cron         udhcpc_wrapper
awddebug                    dibbler-server.sh     firmware-upgrade-tftp    nmbd_tr            prnt_wlan_buffs.sh  set_timezone.sh        upmigration.sh
bridge_and_vlan_translator  dns                   firmware-upgrade-wget    ntp                qos_delete_qdiscs   snmp                   urlValidate.php
capture_app                 dump_config_logs_tr   hostapd                  ntpclient-wrapper  qos_setdb_x         ssh                    validate-config-version.sh
client_bridge_tr            dumpregs                                       ntpdate            radartool           support-debug.sh       verify-config.sh
config_palcfg               dxr.sh                hostapd_tr               ntpdate-wrapper    reset_hostapd.sh    syslog                 versions.sh

################################################################################

WNAP210
    Latest FW version: 3.0.0.7

    "web non-admin" user RCE

    Kernel-space:
        Linux "2.6.23-WNAP210_V3.0.0.7 mod_unload MIPS32_R2 32BIT"

    User-space:
        BusyBox v1.11.0 (2015-06-18 21:34:15 IST)

        /bin
addgroup  busybox  chgrp  cp    delgroup  echo   fgrep   gunzip    ip    login  mkdir   mm     mountpoint  pidof          printenv  rm     sh     su    touch   uname   watch
adduser   cat      chmod  date  df        egrep  getopt  gzip      kill  ls     mknod   more   mv          ping           ps        rmdir  sleep  sync  true    usleep  zcat
ash       catv     chown  dd    dmesg     false  grep    hostname  ln    md     mktemp  mount  nice        pipe_progress  pwd       sed    stat   tar   umount  vi

        /usr/bin
[         blink_gpio      cmp       dos2unix         find                        fold         hexdump   led-op   mkfifo     pgrep         reset_detect   sha1sum  telnet  unix2dos  whoami
[[        bringdown_vaps  crontab   dropbearconvert  firmware_upgrade_led_blink  free         id        length   nandwrite  printf        resize         sort     test    uptime    wifidog
ar        bunzip2         curl      dropbearkey      flashcp                     ftpget       ipcrm     less     nmeter     printmd       scp            ssh      tftp    watchdog  wr_mfg_data
arping    bzcat           cut       du               flash_erase                 ftpput       ipcs      logger   nohup      readlink      seq            strings  time    wc        xargs
awk       bzip2           dbclient  dumpleases       flash_eraseall              fuser        killall   logname  od         renice        set_ipv6_addr  tac      top     wget      yes
basename  cksum           diff      env              flash_lock                  fw_printenv  killall5  md5sum   openssl    reset         set_manuinfo   tail     tty     which
bddatard  clear           dirname   expr             flash_unlock                head         last      mesg     passwd     reset_button  setsid         tee      uniq    who

        /sbin
arp          getty  ifconfig  ifrename  init    iwconfig  iwlist  klogd     logread  lsmod     pivot_root  reboot  route     start-stop-daemon  switch_root  syslogd  vconfig
freeramdisk  halt   ifdown    ifup      insmod  iwevent   iwpriv  lighttpd  losetup  modprobe  poweroff    rmmod   runlevel  sulogin            sysctl       udhcpc

        /usr/local/bin
80211debug                  date.sh               dxr.sh                   hostapd_tr         ntpdate             reset_hostapd.sh       support-debug.sh  validate-config-version.sh
art.sh                      db_enc                exr.sh                   http_redirect_tr   ntpdate-wrapper     restart-nmbd           syslog            verify-config.sh
assign_static_ip            destroy_secondary_ip  firmware-error-check     led_amber          pal.netgear         restart-wifidog        sysmonitor.sh     versions.sh
assign_static_ipv6          dhcp                  firmware-upgrade-file    led_green          pal_translator      restore-configuration  telnet            wlanconfig
athdebug                    dibbler-client.sh     firmware-upgrade-stage2  led_off            password            sc_radio               timezone          wpa_supplicant
awddebug                    dibbler-server.sh     firmware-upgrade-tftp    migration.sh       php                 set_radio_cron         TZ.sh             
bridge_and_vlan_translator  dns                   firmware-upgrade-wget    nmbd_tr            prnt_wlan_buffs.sh  set_timezone.sh        udhcpc_wrapper
client_bridge_tr            dump_config_logs_tr   hostapd                  ntp                qos_delete_qdiscs   snmp                   upmigration.sh
config_palcfg               dumpregs                                       ntpclient-wrapper  qos_setdb_x         ssh                    urlValidate.php

################################################################################

WNDAP620
    Latest FW version: 2.0.8

    "web non-admin" user RCE

    Kernel-space:
        Linux "2.6.36.2-wndap660_620-WNDAP620_V2.0.8 mod_unload PowerPC/cisco4500 32BIT MSB"

    User-space:

        /bin
addgroup  busybox  chgrp  cp    delgroup  echo   fgrep   gunzip    ip    login  mknod   mount       nice   ping6          ps   rmdir  sleep  sync   true    usleep  zcat
adduser   cat      chmod  date  df        egrep  getopt  gzip      kill  ls     mktemp  mountpoint  pidof  pipe_progress  pwd  sed    stat   tar    umount  vi
ash       catv     chown  dd    dmesg     false  grep    hostname  ln    mkdir  more    mv          ping   printenv       rm   sh     su     touch  uname   watch

        /usr/bin
[               bunzip2   dbclient         expr                        free         ipcs      mesg                                    readlink       setsid   test      wget
[[              bzcat     diff             find                        ftpget       killall   mkfifo                                  renice         sha1sum  tftp      which
ar              bzip2     dirname          firmware_upgrade_led_blink  ftpput       killall5  nandwrite                               reset          sort     time      who
arping          cksum     dos2unix         flashcp                     fuser        last      nmeter                                  reset_button   ssh      top       whoami
awk             clear     dropbearconvert  flash_erase                 fw_printenv  length    nohup                                   resize         strings  tty       wifidog
basename        cmp       dropbearkey      flash_eraseall              head         less      od                  passwd              scp            tac      uniq      wr_mfg_data
bddatard        c_rehash  du               flash_lock                  hexdump      logger    openssl             pgrep               seq            tail     unix2dos  xargs
blink_gpio      crontab   dumpleases       flash_unlock                id           logname                       printf              set_ipv6_addr  tee      uptime    yes
bringdown_vaps  cut       env              fold                        ipcrm        md5sum                        printmd             set_manuinfo   telnet   wc

        /sbin
arp          halt      ifrename             init      iwevent  klogd                                     lldpd    lsmod       poweroff  route              sulogin      syslogd
freeramdisk  ifconfig  ifrename-compress-1  insmod    iwlist   lighttpd                                  logread  modprobe    reboot    runlevel           switch_root  udhcpc
getty        ifdown    ifup                 iwconfig  iwpriv                        lldpctl              losetup  pivot_root  rmmod     start-stop-daemon  sysctl       vconfig


        /usr/local/bin
assign_static_ip  assign_static_ipv6  bridge_and_vlan_translator  capture_app  date.sh  db_enc
destroy_secondary_ip  dhcp  dibbler-client  dibbler_client-DHCPClient.o  dibbler_client-dibbler-client.o
dibbler-client.sh  dibbler-relay  dibbler_relay-DHCPRelay.o  dibbler_relay-dibbler-relay.o  dibbler-requestor
dibbler_requestor-Requestor.o  dibbler-server  dibbler_server-DHCPServer.o  dibbler_server-dibbler-server.o
dibbler-server.sh  dns  dxr.sh  exr.sh  firmware-error-check  firmware-upgrade-file  firmware-upgrade-ftp
firmware-upgrade-stage2  firmware-upgrade-tftp  firmware-upgrade-wget  hostapd_tr  http_redirect_tr  ipsd
led_amber  led_green  led_off  libelf.a  libelf.def  libelf.h  libelf.so  libelf.so.0  libelf.so.0.8.13
mailsend  migration.sh  nmbd_tr  ntp  ntpclient  ntpclient-wrapper  ntpdate  ntpdate-wrapper  password
php  pktCapture  poe_test  prnt_wlan_buffs.sh  qos_delete_qdiscs  qos_setdb_x  qos_translator  radvd
reset_hostapd.sh  restart-nmbd  restart-wifidog  restore-configuration  sc_radio  set_radio_cron
set_timezone.sh  snmp  ssh  syslog  tc  telnet  timezone  TZ.sh  udhcpc_wrapper  urlValidate.php
validate-config-version.sh  verify-config.sh

################################################################################

WNDAP660
    Latest FW version: 2.0.5

    "web non-admin" user RCE

    Kernel-space:
        Linux "2.6.36.2-wndap660_620-WNDAP660_V2.0.5 mod_unload PowerPC/cisco4500 32BIT MSB"

    User-space:
        BusyBox v1.11.0 (2015-05-11 20:42:48 IST)

        /bin
addgroup  adduser  ash  busybox  cat  catv  chgrp  chmod  chown  cp  date  dd  delgroup  df  dmesg  echo
egrep  false  fgrep  getopt  grep  gunzip  gzip  hostname  ip  kill  ln  login  ls  md  mkdir  mknod
mktemp  mm  more  mount  mountpoint  mv  nice  pidof  ping  ping6  pipe_progress  printenv  ps  pwd  rm
rmdir  sed  sh  sleep  stat  su  sync  tar  touch  true  umount  uname  usleep  vi  watch  zcat

        /usr/bin
[  [[  ar  arping  awk  basename  bddatard  blink_gpio  bringdown_vaps
bunzip2  bzcat  bzip2  cksum  clear  cmp  c_rehash  crontab  cut
dbclient  diff  dirname  dos2unix  dropbearconvert  dropbearkey  du  dumpleases  env
expr  find  firmware_upgrade_led_blink  flashcp  flash_erase  flash_eraseall  flash_lock  flash_unlock  fold
free  ftpget  ftpput  fuser  fw_printenv  head  hexdump  id  ipcrm
ipcs  killall  killall5  last  length  less  logger  logname  md5sum
mesg  mkfifo  nandwrite  nmeter  nohup  od  openssl  passwd  pgrep
printf  printmd  readlink  renice  reset  reset_button  resize  scp  seq
set_ipv6_addr  set_manuinfo  setsid  sha1sum  sort  ssh  strings  tac  tail
tee  telnet  test  tftp  time  top  tty  uniq  unix2dos
uptime  wc  wget  which  who  whoami  wifidog  wr_mfg_data  xargs
yes

        /sbin
arp  freeramdisk  getty  halt  ifconfig  ifdown  ifrename  ifup  init  insmod  iwconfig  iwevent
iwlist  iwpriv  klogd  lighttpd  lldpctl  lldpd  logread  losetup  lsmod  modprobe  pivot_root  poweroff
reboot  rmmod  route  runlevel  start-stop-daemon  sulogin  switch_root  sysctl  syslogd  udhcpc  vconfig

        /usr/local/bin
assign_static_ip  assign_static_ipv6  bridge_and_vlan_translator  capture_app  config-chainmask.sh  date.sh  db_enc
destroy_secondary_ip  dhcp  dibbler-client  dibbler_client-DHCPClient.o  dibbler_client-dibbler-client.o
dibbler-client.sh  dibbler-relay  dibbler_relay-DHCPRelay.o  dibbler_relay-dibbler-relay.o  dibbler-requestor
dibbler_requestor-Requestor.o  dibbler-server  dibbler_server-DHCPServer.o  dibbler_server-dibbler-server.o
dibbler-server.sh  dns  dxr.sh  exr.sh  firmware-error-check  firmware-upgrade-file  firmware-upgrade-ftp
firmware-upgrade-stage2  firmware-upgrade-tftp  firmware-upgrade-wget  hostapd_tr  http_redirect_tr  ipsd
led_amber  led_green  led_off  libelf.a  libelf.def  libelf.h  libelf.so  libelf.so.0  libelf.so.0.8.13
mailsend  migration.sh  nmbd_tr  ntp  ntpclient  ntpclient-wrapper  ntpdate  ntpdate-wrapper  password
php  pktCapture  poe_test  prnt_wlan_buffs.sh  qos_delete_qdiscs  qos_setdb_x  qos_translator  radvd
reset_hostapd.sh  restart-nmbd  restart-wifidog  restore-configuration  sc_radio  set_radio_cron
set_timezone.sh  snmp  ssh  syslog  tc  telnet  timezone  TZ.sh  udhcpc_wrapper  urlValidate.php
validate-config-version.sh  verify-config.sh
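The per-product listings above are plain `ls` output whose column layout was lost in transit; what matters for the advisory is which binaries are present, and how the inventory differs between products. The following Python is an added example by the editor, not part of the original advisory or of the FIRMWARE.RE tooling: it parses such listings (any whitespace layout) into name sets, diffs them between two products, and flags the tools that become relevant once a command can be injected as the web server user (network fetch tools, flash/boot-environment writers, shells). The watchlist categories and the names PREV_SBIN, WNDAP660_SBIN and USR_BIN are the editor's own assumptions; the sample input re-types the /sbin listings of the two products and the /usr/bin listing above.

```python
"""Inventory helper for ls-style binary listings (editor's added example)."""
from typing import Dict, List, Set, Tuple

# Sample input: the /sbin listing of the preceding product and of the
# WNDAP660, as given in the advisory (names only, re-typed by the editor).
PREV_SBIN = """
arp freeramdisk getty halt ifconfig ifdown ifrename ifrename-compress-1 ifup init insmod iwconfig
iwevent iwlist iwpriv klogd lighttpd lldpctl lldpd logread losetup lsmod modprobe pivot_root
poweroff reboot rmmod route runlevel start-stop-daemon sulogin switch_root sysctl syslogd udhcpc vconfig
"""
WNDAP660_SBIN = """
arp freeramdisk getty halt ifconfig ifdown ifrename ifup init insmod iwconfig iwevent
iwlist iwpriv klogd lighttpd lldpctl lldpd logread losetup lsmod modprobe pivot_root poweroff
reboot rmmod route runlevel start-stop-daemon sulogin switch_root sysctl syslogd udhcpc vconfig
"""
# The /usr/bin listing (identical on both products), re-typed from the advisory.
USR_BIN = """
[ [[ ar arping awk basename bddatard blink_gpio bringdown_vaps
bunzip2 bzcat bzip2 cksum clear cmp c_rehash crontab cut
dbclient diff dirname dos2unix dropbearconvert dropbearkey du dumpleases env
expr find firmware_upgrade_led_blink flashcp flash_erase flash_eraseall flash_lock flash_unlock fold
free ftpget ftpput fuser fw_printenv head hexdump id ipcrm
ipcs killall killall5 last length less logger logname md5sum
mesg mkfifo nandwrite nmeter nohup od openssl passwd pgrep
printf printmd readlink renice reset reset_button resize scp seq
set_ipv6_addr set_manuinfo setsid sha1sum sort ssh strings tac tail
tee telnet test tftp time top tty uniq unix2dos
uptime wc wget which who whoami wifidog wr_mfg_data xargs
yes
"""

# Editor's assumption: tools worth noting once command injection is possible.
# "fetch": pull a payload over the network; "flash": write flash / boot env;
# "shell": interpreters an injected command can chain into.
WATCHLIST: Dict[str, Set[str]] = {
    "fetch": {"wget", "tftp", "ftpget", "ftpput", "telnet", "dbclient", "ssh", "scp"},
    "flash": {"flashcp", "flash_erase", "flash_eraseall", "nandwrite", "fw_printenv", "wr_mfg_data"},
    "shell": {"sh", "ash", "busybox"},
}


def parse_listing(text: str) -> Set[str]:
    """Turn an ls-style listing, whatever its column layout, into a set of names."""
    return set(text.split())


def diff_listings(a: Set[str], b: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (names only in a, names only in b), both sorted."""
    return sorted(a - b), sorted(b - a)


def flag_watchlist(names: Set[str]) -> Dict[str, List[str]]:
    """Which watchlisted tools are present in this directory, per category."""
    return {cat: sorted(names & tools) for cat, tools in WATCHLIST.items()}


if __name__ == "__main__":
    prev, new = parse_listing(PREV_SBIN), parse_listing(WNDAP660_SBIN)
    only_prev, only_new = diff_listings(prev, new)
    print("/sbin only in preceding product:", only_prev)
    print("/sbin only in WNDAP660:", only_new)
    for cat, tools in flag_watchlist(parse_listing(USR_BIN)).items():
        print(f"/usr/bin {cat}: {' '.join(tools) or '-'}")
```

Run as-is it reports that the two /sbin inventories differ only in `ifrename-compress-1`, and that /usr/bin carries the full set of fetch tools (dbclient, ftpget, ftpput, scp, ssh, telnet, tftp, wget) plus the flash writers; feeding it listings from an extracted firmware root filesystem (`ls /path/to/rootfs/usr/bin`) instead of the re-typed text gives the same per-directory view for other versions.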