Netgear CG3000v2 Password Change Bypass

2016-03-16T00:00:00
ID PACKETSTORM:136254
Type packetstorm
Reporter Paul Szabo
Modified 2016-03-16T00:00:00

Description

                                        
                                            `I noticed a security issue in my Netgear CG3000v2 cable modem, as  
provided by Optus (an Australian phone/communications provider).  
  
The "admin password" can be changed on the web interface, without  
providing the current password. The page  
http://192.168.0.1/SetPassword.asp  
prompts for old and new passwords (and repeat of new), but in fact  
ignores the old password provided, and changes the password to the  
new one, regardless.  
  
This issue could be exploited via CSRF, to change the password  
while the user happens to be logged in. I do not know what  
practical benefit an attacker would then gain; maybe not much,  
seeing how most modems would be left at the default setting of  
admin/password as per  
http://www.optus.com.au/shop/support/answer/modem-wifi-username-password-help?requestType=NormalRequest&id=1752&typeId=5  
  
I do not know whether the same issue affects other modems or routers.  
  
I reported the issue to Netgear (support case #26592620) but they  
did not seem interested.  
  
Cheers, Paul  
  
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/  
School of Mathematics and Statistics University of Sydney Australia  
  
  
`