Netgear WNR854T
cpe:2.3:h:netgear:wnr854t:*:*:*:*:*:*:*
A command injection vulnerability has been identified in the Netgear WNR854T router, specifically in version 1.5.2 for North America. This vulnerability allows authenticated attackers to execute arbitrary commands with root privileges. The injected commands persist across reboots, as they are stored in the router's NVRAM. Exploitation involves sending a crafted request to the post.cgi endpoint, manipulating the wan_hostname parameter to inject commands that are executed during the router's initialization process.
Successful exploitation of this vulnerability leads to unauthorized command execution with root privileges on the affected device. The injected commands are executed during the router's startup process, allowing for persistent changes to the device's configuration or the establishment of backdoors for future access.
To reproduce this vulnerability, authenticate to the router's web interface and navigate to the section that allows modification of the WAN hostname. Inject a command into the wan_hostname parameter by appending it to the hostname value, using a semicolon to terminate the original command context and a hash symbol to comment out any trailing portions of the command. Once the router is rebooted, the injected command will execute with root privileges. Alternatively, send a POST request to the /post.cgi endpoint with the crafted wan_hostname parameter to achieve the same effect.
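A defensive check for the persistence described above, added here as an example (not code from Netgear or from the original advisory): it audits an exported NVRAM/configuration dump and flags a stored wan_hostname that is not a plain RFC 1123 hostname. The one-pair-per-line key=value dump format, the other key names, and the sample values are assumptions constructed for illustration.

```python
import re

# One RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(value: str) -> bool:
    """Allowlist check: only dot-separated RFC 1123 labels, 253 chars max.
    Anything else (spaces, ';', '#', quotes, ...) is rejected outright."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def audit_nvram(dump: str, keys=("wan_hostname",)) -> list:
    """Return (line_number, key, value) for each audited key whose stored
    value is non-empty and not a plain hostname.
    Assumption: the dump holds one key=value pair per line."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key in keys and value and not is_valid_hostname(value):
            findings.append((lineno, key, value))
    return findings


# Constructed sample dump (not taken from a real device).
SAMPLE_DUMP = """\
lan_ipaddr=192.168.1.1
wan_hostname=WNR854T
wan_proto=dhcp
"""

# Constructed tampered variant: the stored value carries a command separator
# and a comment character, the shape the advisory describes.
TAMPERED_DUMP = SAMPLE_DUMP.replace(
    "wan_hostname=WNR854T", "wan_hostname=WNR854T; true #"
)

if __name__ == "__main__":
    for name, dump in (("clean", SAMPLE_DUMP), ("tampered", TAMPERED_DUMP)):
        print(name, audit_nvram(dump))
```

The same allowlist, applied server-side before the value is written to NVRAM, is the corresponding fix on the input path; a finding in a stored dump means the device should be treated as modified until the value is reset and the configuration reviewed.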