Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Netgear DGN2200B OS Command Injection Vulnerability in PPPoE Configuration

Vulnerability

A command injection vulnerability has been identified in the Netgear DGN2200B router, affecting firmware versions through 1.0.0.36. It allows an authenticated user to inject and execute arbitrary operating system commands via the pppoe_username parameter of the pppoe.cgi endpoint. Exploitation could lead to complete compromise of the device, with the potential for access that persists across reboots unless the configuration is manually restored.

Impact

Successful exploitation allows an authenticated user to execute arbitrary commands on the router's operating system, for example to upload and run a backdoor that compromises the device.

Reproduction

To reproduce this vulnerability, log into the router's web interface using default credentials (admin/admin or admin/password). Navigate to the PPPoE configuration page and send a POST request to the pppoe.cgi endpoint. Include a payload in the pppoe_username parameter that exploits the command injection vulnerability, such as a ping command directed at a controlled IP address. After the command is executed, the original PPPoE configuration will be overwritten, so it is recommended to back up the configuration before exploitation.
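A defender-side check for the request pattern described above, added here as an example and not part of the advisory: it flags POSTs to pppoe.cgi whose pppoe_username value contains shell metacharacters, which a legitimate PPPoE username never needs. The endpoint and parameter names come from the advisory; the capture-record format and the sample requests are constructed for this example.

```python
# Added example (not from the advisory): flag POST requests to pppoe.cgi whose
# pppoe_username carries shell metacharacters, WAF/IDS style. The record
# format below ("<src_ip> <method> <path> <urlencoded body>") is constructed.
import re
from urllib.parse import parse_qs, urlsplit

# Characters a PPPoE username never needs; any of them can terminate the
# string a vulnerable CGI hands to a shell. Backslash is escaped in the class.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\]")

# Constructed capture records (203.0.113.0/24 is documentation address space).
SAMPLE_REQUESTS = [
    "10.0.0.5 POST /pppoe.cgi pppoe_username=user%40isp.example&pppoe_passwd=secret",
    "10.0.0.9 POST /pppoe.cgi pppoe_username=user%3B+ping+-c+1+203.0.113.9&pppoe_passwd=a",
    "10.0.0.7 GET /pppoe.cgi ",
    "10.0.0.9 POST /other.cgi pppoe_username=%60id%60",
]


def is_suspicious(method, path, body):
    """True for a POST to pppoe.cgi whose pppoe_username has shell metacharacters."""
    if method != "POST" or not urlsplit(path).path.endswith("/pppoe.cgi"):
        return False
    # parse_qs percent-decodes and turns '+' into space, so metacharacters
    # hidden behind URL encoding (%3B, %60, %7C ...) are inspected decoded.
    for value in parse_qs(body, keep_blank_values=True).get("pppoe_username", []):
        if SHELL_META.search(value):
            return True
    return False


def scan(records):
    """Return (src_ip, decoded pppoe_username) for every suspicious record."""
    hits = []
    for line in records:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # malformed or bodyless record: nothing to inspect
        src, method, path, body = parts
        if is_suspicious(method, path, body):
            hits.append((src, parse_qs(body)["pppoe_username"][0]))
    return hits


if __name__ == "__main__":
    for src, username in scan(SAMPLE_REQUESTS):
        print(f"ALERT pppoe_username injection attempt from {src}: {username!r}")
```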

Added: Aug 1, 2025, 9:56 PM
Updated: Aug 1, 2025, 9:56 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 6.1
remediation: 0.0
relevance: 0.3
threat: 9.6
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to derive these 8 vulnerability categories, which are then combined into the overall risk score.