Netgear WNR854T
cpe:2.3:h:netgear:wnr854t:*:*:*:*:*:*:*
- 1.5.2
A command injection vulnerability has been identified in the Netgear WNR854T router, specifically in version 1.5.2 for North America. The issue arises in the HTTP POST request handling, where the 'pppoe_peer_mac' parameter can be manipulated to inject arbitrary commands. This vulnerability is particularly concerning as the injected commands are executed with root privileges and persist across reboots by being stored in NVRAM. Exploitation of this vulnerability could lead to a complete compromise of the router, allowing for interception of network traffic, theft of credentials, and use of the device as a pivot point for further attacks on the network.
Successful exploitation allows authenticated attackers to execute arbitrary commands with root privileges on the router. The injected commands persist across reboots, as they are stored in NVRAM, leading to a complete compromise of the device.
To reproduce this vulnerability, an authenticated user logs into the router's web interface, navigates to the PPPoE settings, and sets the 'pppoe_peer_mac' parameter to a value that includes injected commands. Alternatively, a POST request can be sent to the '/post.cgi' endpoint with the crafted 'pppoe_peer_mac' value. Once the router reboots, the injected commands execute with root privileges.
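Because the injected value is stored in NVRAM, a defender can check both the request and the stored setting against a strict MAC-address allow-list. The sketch below is an added example, not vendor code or code from this advisory. It assumes a form-encoded POST body, a key=value text dump of NVRAM settings, and that an empty value means the setting is unset.

```python
import re
from urllib.parse import parse_qs

PARAM = "pppoe_peer_mac"  # parameter named in the advisory
# Allow-list: exactly six hex octets separated by ':' or '-', nothing else.
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def is_valid_mac(value):
    """True only if the whole value is a MAC address; empty is assumed to mean unset."""
    return value == "" or MAC_RE.fullmatch(value) is not None


def check_post_body(body):
    """Return the pppoe_peer_mac values in a form-encoded POST body that are not MACs."""
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    return [v for v in values if not is_valid_mac(v)]


def audit_nvram_dump(dump):
    """Return (line_number, value) for stored pppoe_peer_mac entries that are not MACs."""
    findings = []
    for number, line in enumerate(dump.splitlines(), 1):
        key, sep, value = line.partition("=")
        # The value is compared unstripped so trailing characters are not hidden.
        if sep and key.strip() == PARAM and not is_valid_mac(value):
            findings.append((number, value))
    return findings


# Constructed samples: "<cmd>" is a placeholder, and every field other than
# pppoe_peer_mac is hypothetical.
SAMPLE_POSTS = [
    "wan_mode=pppoe&pppoe_peer_mac=00%3A11%3A22%3A33%3A44%3A55",
    "wan_mode=pppoe&pppoe_peer_mac=00%3A11%3A22%3A33%3A44%3A55%3B%3Ccmd%3E",
]
SAMPLE_NVRAM = "lan_ipaddr=192.168.1.1\npppoe_peer_mac=00:11:22:33:44:55;<cmd>\n"

if __name__ == "__main__":
    for body in SAMPLE_POSTS:
        print("POST rejected values:", check_post_body(body))
    print("NVRAM findings:", audit_nvram_dump(SAMPLE_NVRAM))
```

Any finding from the NVRAM audit means the stored value would be processed again at the next reboot, so the setting should be reset rather than only blocking further requests.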