Netgear WNR854T Command Injection Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A command injection vulnerability has been identified in the Netgear WNR854T router, specifically in version 1.5.2 for North America. This vulnerability allows authenticated attackers to execute arbitrary commands with root privileges by manipulating the 'get_email' parameter through the 'post.cgi' endpoint. The injected commands are executed via the 'send_log.cgi' endpoint, taking advantage of improper input validation when the 'email_address' parameter is processed. Notably, the exploitation of this vulnerability can lead to persistent command execution, as the injected commands are stored in NVRAM and remain effective across device reboots.

Impact

Exploitation of this vulnerability allows for authenticated command injection with root privileges, leading to arbitrary command execution on the device. The injected commands persist across reboots, providing a permanent backdoor until manually removed.

Reproduction

To reproduce this vulnerability, authenticate to the router's web interface and navigate to the 'email notification' settings page. Once there, inject a command into the 'email_address' field using backticks to execute arbitrary commands. After setting the email notification to be sent immediately, trigger the '/send_log.cgi' endpoint to execute the injected command.
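The improper validation of 'email_address' described above can be closed with a strict allowlist check before the value is stored or used. The following is an added example, not Netgear firmware code; the function name `email_address_is_safe` and the length limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define EMAIL_MAX 254  /* assumed upper bound for a stored address */

/* Characters permitted in the local part; every shell metacharacter
 * (backtick, $, ;, |, &, quotes, whitespace, ...) falls outside this set. */
static int is_local_char(unsigned char c) {
    return isalnum(c) || c == '.' || c == '_' || c == '+' || c == '-';
}

static int is_domain_char(unsigned char c) {
    return isalnum(c) || c == '-' || c == '.';
}

/* Hypothetical validator: returns 1 only for local@domain built from the
 * allowlisted characters, 0 for anything else. */
int email_address_is_safe(const char *s) {
    size_t len, i, at;
    const char *p;

    if (s == NULL) return 0;
    len = strlen(s);
    if (len < 3 || len > EMAIL_MAX) return 0;

    /* A leading '-' could be parsed as an option by a mail helper. */
    if (s[0] == '-') return 0;

    /* Exactly one '@', with a non-empty local part and domain. */
    p = strchr(s, '@');
    if (p == NULL || p == s || strchr(p + 1, '@') != NULL) return 0;
    at = (size_t)(p - s);
    if (at + 1 >= len) return 0;

    for (i = 0; i < at; i++)
        if (!is_local_char((unsigned char)s[i])) return 0;

    /* Domain must not start or end with '.' or '-', nor contain "..". */
    if (s[at + 1] == '.' || s[at + 1] == '-') return 0;
    if (s[len - 1] == '.' || s[len - 1] == '-') return 0;
    for (i = at + 1; i < len; i++) {
        if (!is_domain_char((unsigned char)s[i])) return 0;
        if (s[i] == '.' && s[i - 1] == '.') return 0;
    }
    return 1;
}
```

Because the injected value persists in NVRAM, the same check belongs on the read path as well as the write path, so a value stored before the fix is rejected when the log is sent. Passing the address to the mail helper as a separate argument through an exec-style call, rather than building a shell command string, removes the shell interpretation altogether.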

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.