External access to Netgear RP114 "firewall"

From: auto353237@hushmail.com
To: bugtraq@securityfocus.com
Date: Mon, 17 Jun 2002 05:13:36 -0700

The NetGear Web Safe Router RP114 with current firmware (3.26) is vulnerable in its default configuration.

The router acts as a DHCP server for LAN clients and as a DHCP client on the external side. The IP address is meant for local access, as DHCP server, DNS proxy, default gateway and administrative access with telnet and http.

Unfortunately the device answers on this address on the external side as well. This means that attackers in your neighbourhood can set their IP address to 192.168.0.x and they will have full access to your router with default username "admin" and default password "1234", using either telnet or http. They can configure the router's port forwarding to allow access to any computer on the inside that they wish to attack. If you can see your neighbours' broadcast traffic such as ARP requests then they are close enough to attack you.

In certain locations your security is even worse with this "firewall" than without, because the port forwarding in the router can be configured to circumvent Netbios filters that your ISP may have in place to protect you. The easiest way to prevent this attack is to change the password from "1234".

It might be possible for a distant attacker to spoof his IP address as 192.168.0.x, sending a telnet session blind to remove all filters, or using source routing.

It is possible that other devices using the ZyNOS firmware from Zyxel have similar problems.

The manufacturer Netgear has been contacted but they just ignored it.


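A detection sketch for the condition described in the advisory, added here as an example and not part of the original post: it scans packet-log lines for LAN-range addresses seen on the external interface and separates out telnet/http connections to the router's LAN-side address range. The log format, the interface name "wan0" and the 192.168.0.0/24 LAN range are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# Assumptions (not from the advisory): LAN range, WAN interface name, log format.
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
WAN_IF = "wan0"
MGMT_PORTS = {23: "telnet", 80: "http"}  # admin services named in the advisory

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample log; addresses outside 192.168.0.0/24 are documentation ranges.
SAMPLE_LOG = """\
IN=lan0 SRC=192.168.0.2 DST=192.168.0.1 PROTO=TCP SPT=40112 DPT=80
IN=wan0 SRC=192.168.0.77 DST=192.168.0.1 PROTO=TCP SPT=51514 DPT=23
IN=wan0 SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=443 DPT=50022
IN=wan0 SRC=192.168.0.77 DST=192.168.0.1 PROTO=TCP SPT=51520 DPT=80
IN=wan0 SRC=192.168.0.50 DST=192.168.0.255 PROTO=UDP SPT=138 DPT=138
not a packet line
"""

def classify(line):
    """Return (finding, source, service) for a suspicious WAN packet, else None."""
    m = LINE_RE.search(line)
    if not m or m["iface"] != WAN_IF:
        return None  # unparsable, or traffic on the LAN side (expected there)
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None  # malformed address field
    if src not in LAN_NET and dst not in LAN_NET:
        return None  # ordinary external traffic
    port = int(m["dpt"]) if m["dpt"] else None
    if dst in LAN_NET and m["proto"] == "TCP" and port in MGMT_PORTS:
        # Admin service addressed through the LAN range from the external side.
        return ("mgmt-from-wan", str(src), MGMT_PORTS[port])
    # LAN-range address visible on the WAN segment (e.g. neighbour broadcasts).
    return ("lan-address-on-wan", str(src), None)

def scan(log_text):
    """Classify every line and keep only the findings, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "lan-address-on-wan" finding alone matches the advisory's proximity test (a neighbour's broadcast traffic is visible); a "mgmt-from-wan" finding means the admin interface is being addressed from outside.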
