WARNING: Netgear WG602 Accesspoint contains an undocumented administrative account.

hevnsnt

Lifer
Mar 18, 2000
10,868
1
0
I have removed the password, but wanted to make you all aware!!


KHAMSIN Security News
KSN Reference: 2004-06-03 0001 TIP
---------------------------------------------------------------------------

Title
-----
The Netgear WG602 Accesspoint contains an undocumented
administrative account.

Date
----
2004-06-03


Description
-----------

The webinterface which is reachable from both interfaces (LAN/WLAN) contains an undocumented administrative account which cannot be disabled.

Any user logging in with the username "super" and the password REMOVED is in complete control of the device.

This vulnerability can be exploited by any person which is able to reach the webinterface of the device with a webbrowser.

A search on Google revealed that REMOVED is actually the phonenumber of z-com Taiwan which develops and offers WLAN equipment for its OEM customers.

Currently it is unknown whether other Vendors are shipping products based on z-com OEM designs.


Systems Affected
----------------

Vulnerable (verified)
WG602 with Firmware Version 1.04.0

Possibly vulnerable (not verified)
WG602 with other Firmware Versions
WG602v2
All other z-com derived WLAN Accesspoints


Proof of concept
----------------

Download the WG602 Version 1.5.67 firmware from Netgear
( http://kbserver.netgear.com/support_details.asp?dnldID=366 )
and run the following shell commands on a UNIX box:

$ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
$ zcat rd.img.gz | strings | grep -A5 -B5 REMOVED

Which results in the following output:

%08lx:%08lx:%s
%08lx%08lx%08lx%08lx
Authorization
BASIC
super <---- Username
REMOVED <---- Password
%02x
Content-length
HTTP_USER_AGENT
HTTP_ACCEPT
SERVER_PROTOCOL

Disclaimer
----------

This advisory does not claim to be complete or to be usable for
any purpose. Especially information on the vulnerable systems may
be inaccurate or wrong. Possibly supplied exploit code is not to
be used for malicious purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.

http://www.khamsin.ch



---------------------------------------------------------------
KHAMSIN Security GmbH Zuercherstr. 204 / CH-9014 St. Gallen
http://www.khamsin.ch
---------------------------------------------------------------