[Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability

From: Lupe Christoph (lupe_at_lupe-christoph.de)
Date: 06/04/04

    To: z3rosix@my-mail.ch
    Date: Fri, 4 Jun 2004 00:03:13 +0200
    
    

    On Thursday, 2004-06-03 at 19:35:22 +0200, Tom Knienieder wrote:

    > Possibly vulnerable (not verified)
    > WG602 with other Firmware Versions
    > WG602v2

    The WG602v2 uses different firmware.

    > Download the WG602 Version 1.5.67 firmware from Netgear
    > ( http://kbserver.netgear.com/support_details.asp?dnldID=366 )

    WG602v2 Firmware Version 2.0RC5:
    http://kbserver.netgear.com/support_details.asp?dnldID=504

    WG602v2 Repeater Firmware Version 3.2 RC6
    http://kbserver.netgear.com/support_details.asp?dnldID=692

    > and run the following shell commands on a UNIX box:

    > $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
    > $ zcat rd.img.gz | strings | grep -A5 -B5 5777364

    2.0RC5
    dd if=apfirmware_2.0rc5.img bs=1 skip=111596 of=rd.img.bz2

    3.2 RC6
    unzip wg602_v2_apfirmware_3.2rc6.zip
    dd if=apfirmware_3.2rc6.img bs=1 skip=112620 of=rd.img.bz2

    In both cases this:
      bzcat rd.img.bz2 | strings | egrep 'Authorization|BASIC|super|5777364'
    Returns some garbage, but nothing similar to your output. Also logging
    in with super/5777364 does not work with my unit (unknown firmware
    release - I forgot the password and have to reset the unit. But it's
    getting a little late here.)

    HTH,
    Lupe Christoph

    -- 
    | lupe@lupe-christoph.de       |           http://www.lupe-christoph.de/ |
    | "... putting a mail server on the Internet without filtering is like   |
    | covering yourself with barbecue sauce and breaking into the Charity    |
    | Home for Badgers with Rabies.                            Michael Lucas |
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
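
An added example, not part of the original message: the `skip=` offsets in the thread differ for every firmware build, so this Python code finds embedded gzip and bzip2 streams by their magic bytes and runs the message's egrep pattern over the strings in each decompressed stream, which lets a defender audit any image for the reported hardcoded strings. The sample image is constructed, and `carve`, `audit` and `sample_image` are names chosen here.

```python
import bz2
import re
import zlib

# Magic numbers: gzip (deflate method) and bzip2 header plus first block marker.
MAGIC = re.compile(rb"\x1f\x8b\x08|BZh[1-9]1AY&SY")
# Same expression the message passes to egrep.
PATTERN = re.compile(rb"Authorization|BASIC|super|5777364")


def carve(image):
    """Yield (offset, kind, data) for each embedded stream that decompresses."""
    for m in MAGIC.finditer(image):
        off = m.start()
        try:
            if image[off] == 0x1F:
                kind = "gzip"
                data = zlib.decompressobj(wbits=31).decompress(image[off:])
            else:
                kind = "bzip2"
                data = bz2.BZ2Decompressor().decompress(image[off:])
        except (zlib.error, OSError, ValueError):
            continue  # magic bytes occurred by chance, not a real stream
        if data:
            yield off, kind, data


def audit(image, pattern=PATTERN, min_len=4):
    """Return (offset, kind, string) for printable strings matching pattern."""
    hits = []
    for off, kind, data in carve(image):
        for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data):
            if pattern.search(s):
                hits.append((off, kind, s.decode("ascii")))
    return hits


def sample_image():
    """Constructed stand-in for a firmware image (not real Netgear data)."""
    ramdisk = b"\x00\x01httpd\x00Authorization: BASIC\x00super\x005777364\x00\xff"
    decoy = b"\x1f\x8b\x08 not a real gzip stream"  # false-positive magic
    return b"\xaa" * 300 + decoy + b"\x00" * 50 + bz2.compress(ramdisk) + b"\xee" * 64


if __name__ == "__main__":
    for off, kind, s in audit(sample_image()):
        print(f"{kind} stream at offset {off}: {s!r}")
```

An empty result from `audit` on a real image means only that no matching string sits in a gzip or bzip2 stream; other packing formats are not covered.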
    
