CVE-2019-5054
Description
An exploitable denial-of-service vulnerability exists in the session handling functionality of the NETGEAR N300 (WNR2000v5 with Firmware Version V1.0.0.70) HTTP server. An HTTP request with an empty User-Agent string sent to a page requiring authentication can cause a null pointer dereference, resulting in the HTTP service crashing. An unauthenticated attacker can send a specially crafted HTTP request to trigger this vulnerability.
Affected products
1
Patches
0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing NULL pointer check on req->user_agent before passing it to strcat() in send_authenticate()."
Attack vector
An unauthenticated attacker sends an HTTP request to a page that requires authentication (e.g., `/UPG_upgrade.htm`) with an empty `User-Agent` header [ref_id=1]. The HTTP daemon populates the `http_request` structure, but because the `User-Agent` header is empty, `req->user_agent` remains unpopulated (NULL) [ref_id=1]. When `send_authenticate()` calls `strcat(curBrowser, req->user_agent)`, the NULL pointer dereference causes a segmentation fault, crashing the HTTP service [ref_id=1]. The attack is performed over the network with no authentication required [CWE-476].
Affected code
The vulnerability resides in the `send_authenticate()` function of the NETGEAR N300 (WNR2000v5) HTTP server. The function retrieves `req->user_agent` from the `http_request` structure at address `0x4cabb0` and passes it directly to `strcat()` without a NULL check [ref_id=1]. The crash occurs at the `strcat()` call when `$a1` (the user_agent pointer) is NULL, as shown in the annotated disassembly at `0x4097f8`–`0x409804` [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix details [ref_id=1]. The remediation guidance is implicit: the HTTP server should validate that `req->user_agent` is not NULL before passing it to `strcat()` in `send_authenticate()` [ref_id=1]. A NULL check on the `user_agent` pointer before the concatenation operation would prevent the null pointer dereference and resulting denial of service [CWE-476].
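The NULL check described above, as an added example in C; it is not NETGEAR's firmware code and not taken from the advisory. Only `req->user_agent`, `curBrowser` and the `strcat()` call come from the page; the parser, the `append_user_agent` helper, the buffer size and the return codes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: only the user_agent field name comes from the write-up. */
struct http_request {
    const char *user_agent;   /* stays NULL when the header has no value */
};

/* Hypothetical parser: an empty "User-Agent:" leaves the field NULL, which is
 * the state the write-up describes. Case-sensitive match kept for brevity. */
static void parse_user_agent(struct http_request *req, const char *line)
{
    static const char name[] = "User-Agent:";
    req->user_agent = NULL;
    if (strncmp(line, name, sizeof(name) - 1) != 0)
        return;
    line += sizeof(name) - 1;
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line != '\0')
        req->user_agent = line;
}

/* Hardened replacement for strcat(curBrowser, req->user_agent).
 * Returns 0 on success, -1 if the header was absent or empty (treated as ""),
 * -2 if the value does not fit in the remaining buffer space. */
static int append_user_agent(char *curBrowser, size_t cap,
                             const struct http_request *req)
{
    const char *ua = req->user_agent;
    int rc = 0;
    if (ua == NULL) {                 /* the check missing before strcat() */
        ua = "";
        rc = -1;
    }
    size_t used = strlen(curBrowser);
    if (strlen(ua) >= cap - used)     /* bound the copy; strcat() does not */
        return -2;
    memcpy(curBrowser + used, ua, strlen(ua) + 1);
    return rc;
}

int main(void)
{
    struct http_request req;
    char curBrowser[64] = "";
    parse_user_agent(&req, "User-Agent:");   /* constructed sample header */
    int rc = append_user_agent(curBrowser, sizeof curBrowser, &req);
    printf("rc=%d curBrowser=\"%s\"\n", rc, curBrowser);
    return 0;
}
```

The length check is an extra hardening step beyond the NULL check the page calls for, since an unbounded `strcat()` into a fixed buffer is a separate risk.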
Preconditions
- config: Target must be a NETGEAR N300 (WNR2000v5) router running firmware version V1.0.0.70
- network: Attacker must have network access to the router's HTTP server
- input: HTTP request must target a page that requires authentication (e.g., `/UPG_upgrade.htm`)
- input: HTTP request must include an empty User-Agent header (e.g., `User-Agent:`)
Reproduction
Send a single curl command with an empty User-Agent header to an authenticated page on the target router: `$ curl -H 'User-Agent:' http://192.168.1.1/UPG_upgrade.htm` [ref_id=1]. This triggers the NULL pointer dereference in `send_authenticate()`, causing the HTTP service to crash [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2019-0831 (mitre, x_refsource_MISC)