lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTik_Se2W_gOZ+PJfR=P+7upajhjfS8A79X1NQq4n@mail.gmail.com>
Date: Thu, 14 Oct 2010 13:12:34 +0200
From: Alejandro Alvarez <alex.a.bravo@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Netgear CG3000/CG3100 bugs

Product: Netgear CG3100D Residential Gateway

Vendor: http://www.netgear.com

Discovered: August 30, 2010

Disclosed: October 14, 2010



I. DESCRIPTION


The Netgear  CG3100D Residential Gateway with firmware version 5.5.2 (and
probably other CG3000/CG3100 models with the same firmware) has several bugs
that would allow remote auth, privilege escalation and denegation of
service.


II. DETAILS


HTTP server allows privilege escalation.

The web server listening on port 80 and 443 on the router does not control
access to files, it simply sets a menu according to which user login has
been made. Thus, a user with lesser permissions, admin, could load the menu
of the user with more privileges, NETGEAR_SE simply accessing
http://192.168.1.1/__SeContents.html

The reverse can also be done, the user admin can access NETGEAR_SE menus by
accesing http://192.168.1.1/contentsres.asp


SSH server allows user authentication bypass with no password (NETGEAR_SE
and MSO).

The SSH server that incorporates the router allows the introduction of blank
passwords to users NETGEAR_SE and MSO. This behavior does not occur with
users superuser and admin of the router.

Because of this failure, both users can access with their password and a
blank password. Changing password does not resolve this issue.


Print server triggers reset on the router.

The router print server listening on port 1024 and 9100 causes an
involuntary reset on the router when you open a connection but no job is
sent. This bug can be reproduced by opening a telnet to 192.168.1.1:9100 and
keeping the connection open. After a few seconds, the watchdog process
trigger a reset.

III. VENDOR RESPONSE

2010/08/30 - Notified to vendor (security@...gear.com) - no response
received.
2010/09/30 - Notified again - no response received.


-- 
--
Alejandro Alvarez Bravo
alex.a.bravo@...il.com

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ