CVE-2016-7941 – XSS in Netgear ProSAFE switches

A few years ago, one of our researchers discovered a unauthenticated stored XSS vulnerability in the Netgear ProSAFE Gigabit Smart Managed Switches. Although this was quite some time ago, we still felt that it was worth to do a write up about it.

The vulnerability

At a security training, the instructor took her personal Netgear GS108T switch from home, and asked us to dive into it. She was curious how safe this ProSAFE device was. This led to the discovery of a new vulnerability.

The Netgear devices have a two interfaces, which allows administrators to modify the settings of the device. This can be done in the web interface, but also with SNMP. The latter is by default not protected, although it’s possible to configure it.

XSS is always a concern in web interfaces, so Netgear did some effort to filter bad input in the web interface. However, they didn’t do output encoding, only input validation, which is only present in the web interface. Any value that is modified with SNMP is therefore an opening for XSS. Since not all parameters were accessible or usable via SNMP, the only system variables that can be accessed and modified and will result in a XSS were system name, system location, and system contact.

Exploiting via SNMP

In the web interface, the value is placed in a text box. To break out of this, we use the following payload: hi" onclick=alert("xss") x=".
First, we enumerate the injection points. For this we use SNMPWALK (our target is at 192.168.1.30):
snmpwalk -mALL -v2c -c public 192.168.1.30. With this we find out that the key iso.3.6.1.2.1.1.5.0 is related to the system name. With that information we can change it using snmpset: snmpset -v 2c -c private 192.168.1.30 iso.3.6.1.2.1.1.5.0 s 'hi" onclick=alert("xss") x="'

Now, log in to the Netgear web interface (in this case http://192.168.1.30). Click on the system name field (it has the value “hi”). You will see an alert box saying “xss”.

Affected devices and response

After discovery, we contacted Netgear about the issue. Upfront, we registered a CVE number for this issue (CVE-2016-7941). After 2 weeks, we received an initial response with the request to fill in an Excel document. After submitting that, we got a confirmation that the document was received and that they will reach out to us soon. Then it went silent…

After a few months, we decided to Google for the CVE. In the meantime, Netgear patched the issue, and created a Security Advisory for it. In this advisory we learned that the following devices were affected:

  • GS724Tv3 and GS716Tv2 with firmware version 5.4.2.25 or earlier
  • GS510TP with firmware version 5.4.2.25 or earlier
  • GS108Tv2 and GS110TP with firmware version 5.4.2.25 or earlier
  • GS748Tv4 with firmware version 5.4.2.25 or earlier

Until this day, we wait for a response from Netgear. In the meantime, we installed the new firmware, recommended by the advisory.

What is Server-side request forgery (SSRF)?Server-side request forgery (SSRF)CyberAnt.comEntity injectionEntity injection