
Full Disclosure mailing list archives
Netgear DGNv2200 multiple vulnerabilities (Bezeq firmware)
From: 0x3d5157636b525761 iddqd <0x3d5157636b525761 () gmail com>
Date: Sun, 20 Mar 2016 13:21:38 +0200
Disclosure timeline
===================

February 10th, 2016: discovered 3 issues: memory corruption, authorization bypass, CSRF.
February 10th, 2016: supplied technical details to Netgear, including POC code.
February 12th, 2016: Netgear's response - they said that only the Bezeq firmware is vulnerable.
February 13th, 2016: discovered command injection vulnerability, updated Netgear.
February 14th, 2016: contacted Bezeq.
February 21st, 2016: Bezeq acknowledged.
March 3rd, 2016: Bezeq's first hotfix for the authorization bypass vulnerability.
March 20th, 2016: disclosure, assigned DWF-2016-91000.

Technical details
=================

The affected code might also be present in Netgear's own firmware, but it was found in Bezeq's custom firmware.

Issues:

1. HTTP authorization bypass: when the URL contains "ess_", authorization is not validated.
2. Command injection: the ping utility passes its target to the "system" API, so an attacker can run arbitrary commands by injecting either a pipe or backticks.
3. CSRF exposure.
4. Possible memory corruption: the Basic-auth username is copied into a global variable with an unbounded strcpy.

Blog post and POC code
=====================

http://securitygodmode.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
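The two native issues above (a ping target handed to "system", and a Basic-auth username strcpy'd into a global) are both classic CGI bugs with well-known fixes. The following is an added C example, not code from the advisory, Netgear or Bezeq; the function names, the 32-byte username buffer and the ping arguments are assumptions chosen for illustration. It shows the hardened counterparts: a whitelist on the host, an argv built for execvp() so no shell ever parses the input, and a bounded copy that rejects overlong usernames instead of overflowing.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the advisory's or the vendors' code). Buffer sizes,
 * function names and the ping options below are assumptions. */

#define MAX_HOST 253           /* assumed bound: RFC 1035 hostname limit */
#define MAX_USER 32            /* assumed size of the global username buffer */

/* Whitelist the ping target: hostnames and IPv4/IPv6 literals only.
 * Shell metacharacters ('|', '`', ';', '$', spaces, ...) never pass, so
 * even a later system() call could not be injected through this value. */
int host_is_safe(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > MAX_HOST)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    /* A leading '-' would let a "host" like "-f" be parsed as a ping option. */
    return host[0] != '-';
}

/* Build an argv for execvp() instead of a command line for system().
 * No shell sees the host at all, so metacharacters carry no meaning
 * regardless of the whitelist. Returns argc, or -1 if the host is rejected. */
int build_ping_argv(const char *host, const char *argv[], size_t cap)
{
    if (cap < 5 || !host_is_safe(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

static char g_auth_user[MAX_USER];

/* The advisory reports the Basic-auth username being strcpy()'d into a
 * global, i.e. the pattern `strcpy(g_auth_user, user);` with no length
 * check. Here the length is checked first and overlong names are rejected
 * rather than silently truncated (truncation could turn a long name into
 * a different, valid one). Returns 0 on success, -1 on rejection. */
int store_auth_user(const char *user)
{
    size_t n = strlen(user);
    if (n >= sizeof g_auth_user)
        return -1;
    memcpy(g_auth_user, user, n + 1);  /* n+1 copies the terminator */
    return 0;
}

const char *current_auth_user(void)
{
    return g_auth_user;
}

int main(void)
{
    /* Constructed inputs: a benign target and three injection attempts. */
    const char *hosts[] = { "192.168.1.1", "8.8.8.8|reboot", "`id`", "-f" };
    const char *argv[5];
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s -> %s\n", hosts[i],
               build_ping_argv(hosts[i], argv, 5) < 0 ? "rejected" : "ok");

    char longname[64];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("store \"admin\": %d\n", store_auth_user("admin"));
    printf("store 63 x 'A': %d\n", store_auth_user(longname));
    return 0;
}
```

The argv variant is the one to prefer in a CGI handler: with fork() plus execvp() the whitelist is defence in depth rather than the only barrier, whereas a whitelist in front of system() is one missed character away from the original bug.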