Netgear Wireless Router WNR500 Parameter Traversal Arbitrary File Access Exploit

Title: Netgear Wireless Router WNR500 Parameter Traversal Arbitrary File Access Exploit
Advisory ID: ZSL-2014-5208
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (3/5)
Release Date: 21.11.2014
Summary
The NETGEAR compact N150 classic wireless router (WNR500) improves your legacy Wireless-G network. It is a simple, secure way to share your Internet connection and allows you to easily surf the Internet, use email, and have online chats. The quick, CD-less setup can be done through a web browser. The small, efficient design fits perfectly into your home.
Description
The router suffers from an authenticated local file inclusion (LFI) vulnerability: input passed through the 'getpage' parameter to the 'webproc' script is not properly verified before being used to include files. This can be exploited to include files from local resources with directory traversal attacks.
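An added detection example (not part of the original advisory or its PoC): the Python below scans access-log lines for requests to 'webproc' whose 'getpage' value is absolute or climbs out of its base directory after URL decoding. The log format, the /example/ path prefix, the sample lines and the function names are constructed for illustration; only the query string is inspected, since request bodies are not logged.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def getpage_escapes_root(value):
    """True if a getpage value is absolute or resolves above its base directory."""
    for _ in range(3):  # peel nested encodings such as %252e%252e%252f
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Treat backslashes as separators and ignore anything after a NUL byte.
    value = value.replace("\\", "/").split("\x00", 1)[0]
    if value.startswith("/"):
        return True
    normalized = posixpath.normpath(value)
    return normalized == ".." or normalized.startswith("../")

def suspicious_requests(log_lines):
    """Return (line_number, getpage_value) for webproc requests that traverse."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/webproc"):
            continue
        for value in parse_qs(target.query).get("getpage", []):
            if getpage_escapes_root(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - admin [21/Nov/2014:10:00:01 +0000] "GET /example/webproc?getpage=html/status.html HTTP/1.1" 200 512',
    '192.0.2.66 - admin [21/Nov/2014:10:00:05 +0000] "GET /example/webproc?getpage=../../etc/example.conf HTTP/1.1" 200 901',
    '192.0.2.66 - admin [21/Nov/2014:10:00:07 +0000] "GET /example/webproc?getpage=html%2F..%2F..%2F..%2Fetc%2Fexample.conf HTTP/1.1" 200 901',
    '192.0.2.66 - admin [21/Nov/2014:10:00:09 +0000] "GET /example/webproc?getpage=%252e%252e%252fetc%252fexample.conf HTTP/1.1" 200 901',
    '192.0.2.10 - admin [21/Nov/2014:10:00:11 +0000] "GET /example/other?getpage=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: suspicious getpage value {value!r}")
```

The same `getpage_escapes_root` check can serve as an allow/deny rule in a reverse proxy or WAF placed in front of the management interface.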
Vendor
NETGEAR - http://www.netgear.com
Affected Version
WNR500 (firmware: 1.0.7.2)
Tested On
mini_httpd/1.19 19dec2003
Vendor Status
N/A
PoC
netgearwnr500_lfi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://cxsecurity.com/issue/WLB-2014110148
[2] http://packetstormsecurity.com/files/129223
[3] http://www.exploit-db.com/exploits/35325/
[4] http://www.securityfocus.com/bid/70050
[5] http://osvdb.org/show/osvdb/114967
Changelog
[21.11.2014] - Initial release
[22.11.2014] - Added reference [1], [2] and [3]
[24.11.2014] - Added reference [4]
[25.11.2014] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk