[Full-Disclosure] Netgear WG602 Accesspoint vulnerability

From: Tom Knienieder (knienieder_at_khamsin.ch)
Date: 06/03/04

  • Next message: Perrymon, Josh L.: "[Full-Disclosure] anyone seen this worm/trojan before?"
    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <newstips@heise.de>, <cert@cert.org>
    Date: Thu, 3 Jun 2004 19:35:22 +0200 (CEST)
    
    

    KHAMSIN Security News
    KSN Reference: 2004-06-03 0001 TIP
    ---------------------------------------------------------------------------

    Title
    -----
            The Netgear WG602 Accesspoint contains an undocumented
            administrative account.

    Date

    ----
            2004-06-03
    Description
    -----------
    The webinterface which is reachable from both interfaces (LAN/WLAN)
    contains an undocumented administrative account which cannot be disabled.
    Any user logging in with the username "super" and the password "5777364"
    is in complete control of the device.
    This vulnerability can be exploited by any person which is able to reach
    the webinterface of the device with a webbrowser.
    A search on Google revealed that "5777364" is actually the phonenumber
    of z-com Taiwan which develops and offers WLAN equipment for its OEM
    customers.
    Currently it is unknown whether other Vendors are shipping products
    based on z-com OEM designs.
    Systems Affected
    ----------------
            Vulnerable (verified)
                    WG602 with Firmware Version 1.04.0
            Possibly vulnerable (not verified)
                    WG602 with other Firmware Versions
                    WG602v2
                    All other z-com derived WLAN Accesspoints
    Proof of concept
    ----------------
            Download the WG602 Version 1.5.67 firmware from Netgear
            ( http://kbserver.netgear.com/support_details.asp?dnldID=366 )
            and run the following shell commands on a UNIX box:
            $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
            $ zcat rd.img.gz | strings | grep -A5 -B5 5777364
            Which results in the following output:
                    %08lx:%08lx:%s
                    %08lx%08lx%08lx%08lx
                    Authorization
                    BASIC
                    super 			<---- Username
                    5777364 		<---- Password
                    %02x
                    Content-length
                    HTTP_USER_AGENT
                    HTTP_ACCEPT
                    SERVER_PROTOCOL
    Disclaimer
    ----------
            This advisory does not claim to be complete or to be usable for
            any purpose. Especially information on the vulnerable systems may
            be inaccurate or wrong. Possibly supplied exploit code is not to
            be used for malicious purposes, but for educational purposes only.
            This advisory is free for open distribution in unmodified form.
            http://www.khamsin.ch
    ---------------------------------------------------------------
    KHAMSIN Security GmbH     Zuercherstr. 204 / CH-9014 St. Gallen
    http://www.khamsin.ch
    ---------------------------------------------------------------
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

  • Next message: Perrymon, Josh L.: "[Full-Disclosure] anyone seen this worm/trojan before?"