
Netgear CG3100D Residential Gateway Privilege Escalation

15 Oct 2010 | Reported by Alejandro Alvarez Bravo | Type: packetstorm | Source: packetstormsecurity.com

Netgear CG3100D Residential Gateway Privilege Escalation, multiple vulnerabilities, no vendor response

Code
`Product: Netgear CG3100D Residential Gateway  
  
Vendor: http://www.netgear.com  
  
Discovered: August 30, 2010  
  
Disclosed: October 14, 2010  
  
  
  
I. DESCRIPTION  
  
  
The Netgear CG3100D Residential Gateway with firmware version 5.5.2 (and  
probably other CG3000/CG3100 models with the same firmware) has several bugs  
that would allow remote authentication bypass, privilege escalation and  
denial of service.  
  
  
II. DETAILS  
  
  
HTTP server allows privilege escalation.  
  
The web server listening on ports 80 and 443 on the router does not control  
access to files; it simply sets a menu according to which user has logged  
in. Thus, a user with lesser permissions, admin, could load the menu of the  
user with more privileges, NETGEAR_SE, simply by accessing  
http://192.168.1.1/__SeContents.html  
  
The reverse can also be done: the user admin can access NETGEAR_SE menus by  
accessing http://192.168.1.1/contentsres.asp  
  
  
SSH server allows user authentication bypass with no password (NETGEAR_SE  
and MSO).  
  
The SSH server built into the router accepts blank passwords for the users  
NETGEAR_SE and MSO. This behavior does not occur with the users superuser  
and admin of the router.  
  
Because of this failure, both users can log in with either their password or  
a blank password. Changing the password does not resolve this issue.  
  
  
Print server triggers reset on the router.  
  
The router's print server, listening on ports 1024 and 9100, causes an  
involuntary reset of the router when a connection is opened but no job is  
sent. This bug can be reproduced by opening a telnet to 192.168.1.1:9100 and  
keeping the connection open. After a few seconds, the watchdog process  
triggers a reset.  
  
III. VENDOR RESPONSE  
  
2010/08/30 - Notified to vendor ([email protected]) - no response  
received.  
2010/09/30 - Notified again - no response received.  
  
  
--   
--  
Alejandro Alvarez Bravo  
[email protected]  
`
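The access-control flaw from section II (pages served to any user, with only the menu varying by login) next to a per-request check, as an added example that is not code from the advisory or from the device firmware. The role-to-page policy, the page `/status.html` and all function names are assumptions made for illustration; only `/__SeContents.html`, `admin` and `NETGEAR_SE` come from the advisory.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed policy (illustration only): roles allowed to fetch each page.
# "/__SeContents.html" is the NETGEAR_SE menu named in the advisory;
# "/status.html" is a hypothetical page any logged-in user may see.
PAGE_ROLES = {
    "/__SeContents.html": {"NETGEAR_SE"},
    "/status.html": {"admin", "NETGEAR_SE"},
}


def canonical(path):
    """Drop the query string and collapse '.', '..' and repeated slashes."""
    return posixpath.normpath("/" + urlsplit(path).path.lstrip("/"))


def menu_for(user):
    """Links shown to a user. In the flawed design this is the only 'control'."""
    return sorted(p for p, roles in PAGE_ROLES.items() if user in roles)


def serve_menu_only(user, path):
    """Flawed model: every existing page is served to whoever asks for it."""
    return 200 if canonical(path) in PAGE_ROLES else 404


def serve_checked(user, path):
    """Hardened model: authorize each request, deny by default."""
    if user is None:
        return 401                      # not logged in
    roles = PAGE_ROLES.get(canonical(path))
    if roles is None:
        return 404                      # unknown page
    return 200 if user in roles else 403


if __name__ == "__main__":
    pages = ("/__SeContents.html", "/./__SeContents.html?x=1", "/status.html")
    for user in ("admin", "NETGEAR_SE", None):
        for page in pages:
            print(user, page, serve_menu_only(user, page), serve_checked(user, page))
```

The check runs on the canonical path so that the authorization decision and the page lookup always refer to the same resource.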
