53 lines
No EOL
1 KiB
Text
53 lines
No EOL
1 KiB
Text
Title:
|
|
======
|
|
Netgear WPN824v3 Unauthorized Config Download
|
|
|
|
Date:
|
|
=====
|
|
2013-06-03
|
|
|
|
Introduction:
|
|
=============
|
|
The Netgear RangeMax Wireless Router (model WPN824v3) allows to download
|
|
the config file without authorization.
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
Affected Products:
|
|
==================
|
|
Netgear WPN824v3
|
|
|
|
Vendor Homepage:
|
|
================
|
|
http://support.netgear.com/product/WPN824v3
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Local and Remote
|
|
|
|
Details:
|
|
========
|
|
I found a bug in the Netgear WPN824v3 wireless router, everyone is able
|
|
to download the full config file without authorization.
|
|
Unfortunately the config file is not htaccess protected.
|
|
Tested with latest firmware V1.0.8_1.0.6.
|
|
|
|
Proof of Concept:
|
|
=================
|
|
The vulnerability can be exploited with your browser:
|
|
|
|
http://[local-ip]/cgi-bin/NETGEAR_wpn824v3.cfg
|
|
|
|
If remote management is enabled:
|
|
|
|
http://[remote-ip]:8080/cgi-bin/NETGEAR_wpn824v3.cfg
|
|
|
|
Workaround:
|
|
=========
|
|
Disable the remote management feature!
|
|
|
|
Author:
|
|
========
|
|
Jens Regel <jens@loxiran.de> |