Full Disclosure mailing list archives
Netgear WG602 Accesspoint vulnerability
From: Tom Knienieder <knienieder () khamsin ch>
Date: Thu, 3 Jun 2004 19:35:22 +0200 (CEST)
KHAMSIN Security News KSN Reference: 2004-06-03 0001 TIP --------------------------------------------------------------------------- Title ----- The Netgear WG602 Accesspoint contains an undocumented administrative account. Date ---- 2004-06-03 Description ----------- The webinterface which is reachable from both interfaces (LAN/WLAN) contains an undocumented administrative account which cannot be disabled. Any user logging in with the username "super" and the password "5777364" is in complete control of the device. This vulnerability can be exploited by any person which is able to reach the webinterface of the device with a webbrowser. A search on Google revealed that "5777364" is actually the phonenumber of z-com Taiwan which develops and offers WLAN equipment for its OEM customers. Currently it is unknown whether other Vendors are shipping products based on z-com OEM designs. Systems Affected ---------------- Vulnerable (verified) WG602 with Firmware Version 1.04.0 Possibly vulnerable (not verified) WG602 with other Firmware Versions WG602v2 All other z-com derived WLAN Accesspoints Proof of concept ---------------- Download the WG602 Version 1.5.67 firmware from Netgear ( http://kbserver.netgear.com/support_details.asp?dnldID=366 ) and run the following shell commands on a UNIX box: $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz $ zcat rd.img.gz | strings | grep -A5 -B5 5777364 Which results in the following output: %08lx:%08lx:%s %08lx%08lx%08lx%08lx Authorization BASIC super <---- Username 5777364 <---- Password %02x Content-length HTTP_USER_AGENT HTTP_ACCEPT SERVER_PROTOCOL Disclaimer ---------- This advisory does not claim to be complete or to be usable for any purpose. Especially information on the vulnerable systems may be inaccurate or wrong. Possibly supplied exploit code is not to be used for malicious purposes, but for educational purposes only. This advisory is free for open distribution in unmodified form. http://www.khamsin.ch --------------------------------------------------------------- KHAMSIN Security GmbH Zuercherstr. 204 / CH-9014 St. Gallen http://www.khamsin.ch --------------------------------------------------------------- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Netgear WG602 Accesspoint vulnerability Tom Knienieder (Jun 03)
- Re: Netgear WG602 Accesspoint vulnerability Lupe Christoph (Jun 03)
- Re: Netgear WG602 Accesspoint vulnerability James Garrison (Jun 05)
- Re: Re: Netgear WG602 Accesspoint vulnerability Jan Jungnickel (Jun 07)
- Re: Re: Netgear WG602 Accesspoint vulnerability pera (Jun 08)
- Re: Re: Netgear WG602 Accesspoint vulnerability Jan Jungnickel (Jun 08)
- Re: Re: Netgear WG602 Accesspoint vulnerability Rip Toren (Jun 08)
- Re: Re: Netgear WG602 Accesspoint vulnerability die tuere (Jun 08)
- Re: Netgear WG602 Accesspoint vulnerability James Garrison (Jun 05)
- Re: Netgear WG602 Accesspoint vulnerability Lupe Christoph (Jun 03)