-
June 4th, 2004, 09:02 PM
#1
Netgear Owners, Heads UP
Just saw this on bugtraq. Netgear owners check it out!
KHAMSIN Security News
KSN Reference: 2004-06-03 0001 TIP
---------------------------------------------------------------------------
Title
-----
The Netgear WG602 Accesspoint contains an undocumented
administrative account.
Date
----
2004-06-03
Description
-----------
The web interface, which is reachable from both interfaces (LAN/WLAN),
contains an undocumented administrative account which cannot be disabled.
Any user logging in with the username "super" and the password "5777364"
is in complete control of the device.
This vulnerability can be exploited by any person who is able to reach
the web interface of the device with a web browser.
A search on Google revealed that "5777364" is actually the phone number
of z-com Taiwan, which develops and offers WLAN equipment for its OEM
customers.
Currently it is unknown whether other vendors are shipping products
based on z-com OEM designs.
Systems Affected
----------------
Vulnerable (verified)
WG602 with Firmware Version 1.04.0
Possibly vulnerable (not verified)
WG602 with other Firmware Versions
WG602v2
All other z-com derived WLAN Accesspoints
Proof of concept
----------------
Download the WG602 Version 1.5.67 firmware from Netgear
( http://kbserver.netgear.com/support....asp?dnldID=366 )
and run the following shell commands on a UNIX box:
$ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
$ zcat rd.img.gz | strings | grep -A5 -B5 5777364
Which results in the following output:
%08lx:%08lx:%s
%08lx%08lx%08lx%08lx
Authorization
BASIC
super <---- Username
5777364 <---- Password
%02x
Content-length
HTTP_USER_AGENT
HTTP_ACCEPT
SERVER_PROTOCOL
Disclaimer
----------
This advisory does not claim to be complete or to be usable for
any purpose. Especially information on the vulnerable systems may
be inaccurate or wrong. Possibly supplied exploit code is not to
be used for malicious purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
http://www.khamsin.ch
---------------------------------------------------------------
KHAMSIN Security GmbH Zuercherstr. 204 / CH-9014 St. Gallen
http://www.khamsin.ch
You shall no longer take things at second or third hand,
nor look through the eyes of the dead...You shall listen to all
sides and filter them for your self.
-Walt Whitman-
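The firmware inspection in the advisory (carve a gzip member at a known offset, decompress it, run strings, grep with context) generalized as an added audit helper that is not part of the advisory or this thread: it locates every cleanly decompressing gzip member in an image instead of needing a fixed offset, so an owner can check a firmware image for credential-looking strings. The sample image and its placeholder strings are constructed here, not taken from any real firmware.

```python
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip header: ID1, ID2, CM=deflate


def find_gzip_members(image: bytes):
    """Yield (offset, decompressed_bytes) for each complete gzip member in image."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)  # wbits=31: expect a gzip wrapper
        try:
            data = d.decompress(image[pos:]) + d.flush()
            if d.eof:  # a false-positive magic match never reaches a clean end-of-member
                yield pos, data
        except zlib.error:
            pass  # magic bytes that are not a real gzip header
        pos = image.find(GZIP_MAGIC, pos + 1)


def strings(data: bytes, min_len: int = 4):
    """Approximation of strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def grep_context(lines, needle: str, before: int = 5, after: int = 5):
    """Like grep -B/-A: each hit returns the surrounding window of lines."""
    return [lines[max(0, i - before): i + after + 1]
            for i, line in enumerate(lines) if needle in line]


def audit_image(image: bytes, needle: str):
    """Return (member_offset, context_lines) for every match in any gzip member."""
    return [(off, ctx)
            for off, blob in find_gzip_members(image)
            for ctx in grep_context(strings(blob), needle)]


# Constructed sample: a fake boot header, padding, one gzip member holding
# web-server strings with PLACEHOLDER credentials, then trailing bytes.
_PAYLOAD = b"\x00".join([b"%08lx:%08lx:%s", b"Authorization", b"BASIC",
                         b"admin-user", b"PLACEHOLDER-PASS",
                         b"Content-length", b"HTTP_USER_AGENT"])
SAMPLE_IMAGE = b"BOOTHDR" + b"\xff" * 64 + gzip.compress(_PAYLOAD) + b"\x00" * 16

if __name__ == "__main__":
    for off, ctx in audit_image(SAMPLE_IMAGE, "Authorization"):
        print(f"gzip member at offset {off}:")
        print("\n".join("  " + line for line in ctx))
```

In practice, strings adjacent to "Authorization"/"BASIC" are the ones worth reading closely; a short fixed string there is a candidate hard-coded credential to raise with the vendor.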
-
June 4th, 2004, 09:26 PM
#2
Looks like the home/small office router vendors are on the radar of the security community now...
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
June 4th, 2004, 09:29 PM
#3
Methinks the Linksys vulnerability kind of pales into insignificance compared to this one.
Can the Netgear disable all access to the WAN configuration like the Linksys claims to?
[Edit]
Hoss: Spammers? As these things become more prevalent they need to find ways through them to get their "bounces" done.....
[/Edit]
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 4th, 2004, 10:18 PM
#4
Can the netgear disable all access to the WAN configuration like the Linksys claims to?
No. They don't think it's serious. When they came out with their RP114 routers, it was discovered that you could use the private address scheme on the WAN connection to access the router. They never considered it a serious issue (or so said an internal NetGear type to the SO when I queried about it).
Thankfully, that password seems specific to models. Doesn't work on my RP114. I'll have to try the RP614 to see if it's affected (possibly not since neither of these are wireless).
-
June 4th, 2004, 10:28 PM
#5
Well, I have an RP614v2 at home and it doesn't seem to work, so I'd concur with MsM on this... the WG602 is a wireless one, isn't it?
Quis Custodiet Ipsos Custodes
-
June 4th, 2004, 10:45 PM
#6
The creepy thing is that the vendors who produced the parts put the backdoor in there. Just makes me wonder if anything else has a backdoor like this...mainly my stuff.
You shall no longer take things at second or third hand,
nor look through the eyes of the dead...You shall listen to all
sides and filter them for your self.
-Walt Whitman-
-
June 4th, 2004, 10:48 PM
#7
Just makes me wonder if anything else has a backdoor like this...mainly my stuff.
The cynical side of me says yes, very likely - probably lots of things. That is, at least in theory, one good thing about open source stuff - much more difficult to hide back doors.
Quis Custodiet Ipsos Custodes
-
June 4th, 2004, 11:27 PM
#8
Phew, doesn't seem to work on my Netgear DG834G. Let's hope it doesn't affect their whole range.
-
June 5th, 2004, 08:03 PM
#9
Well, that is the thing about hardware, especially hardware whose firmware one can't flash. Then you have a nice solid backdoor that can't be fixed.
You shall no longer take things at second or third hand,
nor look through the eyes of the dead...You shall listen to all
sides and filter them for your self.
-Walt Whitman-