[<prev] [next>] [day] [month] [year] [list]
Message-ID: <AANLkTik_Se2W_gOZ+PJfR=P+7upajhjfS8A79X1NQq4n@mail.gmail.com>
Date: Thu, 14 Oct 2010 13:12:34 +0200
From: Alejandro Alvarez <alex.a.bravo@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Netgear CG3000/CG3100 bugs
Product: Netgear CG3100D Residential Gateway
Vendor: http://www.netgear.com
Discovered: August 30, 2010
Disclosed: October 14, 2010
I. DESCRIPTION
The Netgear CG3100D Residential Gateway with firmware version 5.5.2 (and
probably other CG3000/CG3100 models with the same firmware) has several bugs
that would allow remote auth, privilege escalation and denegation of
service.
II. DETAILS
HTTP server allows privilege escalation.
The web server listening on port 80 and 443 on the router does not control
access to files, it simply sets a menu according to which user login has
been made. Thus, a user with lesser permissions, admin, could load the menu
of the user with more privileges, NETGEAR_SE simply accessing
http://192.168.1.1/__SeContents.html
The reverse can also be done, the user admin can access NETGEAR_SE menus by
accesing http://192.168.1.1/contentsres.asp
SSH server allows user authentication bypass with no password (NETGEAR_SE
and MSO).
The SSH server that incorporates the router allows the introduction of blank
passwords to users NETGEAR_SE and MSO. This behavior does not occur with
users superuser and admin of the router.
Because of this failure, both users can access with their password and a
blank password. Changing password does not resolve this issue.
Print server triggers reset on the router.
The router print server listening on port 1024 and 9100 causes an
involuntary reset on the router when you open a connection but no job is
sent. This bug can be reproduced by opening a telnet to 192.168.1.1:9100 and
keeping the connection open. After a few seconds, the watchdog process
trigger a reset.
III. VENDOR RESPONSE
2010/08/30 - Notified to vendor (security@...gear.com) - no response
received.
2010/09/30 - Notified again - no response received.
--
--
Alejandro Alvarez Bravo
alex.a.bravo@...il.com
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists