Vulnerabilities in NetGear DGN-2200V1 devices allow control of the device without authentication

Three vulnerabilities have been found in the firmware of NetGear DGN-2200V1 devices, which combine an ADSL modem, a router and a wireless access point. Together they allow any operation in the web interface to be performed without passing authentication.

The first vulnerability stems from a shortcut hard-coded into the HTTP server: images, CSS and other auxiliary files may be fetched directly without authentication. The code checks the request against a list of typical file names and extensions, but does so with a substring search over the entire URL, query string included. If the substring is found anywhere, the page is served without checking whether the client is logged in to the web interface. The attack therefore reduces to appending one of the listed names to the request; for example, the WAN interface settings can be reached with the request "https://10.0.0.1/wan_wan.htm?pic.gif".
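The following is an added example, not code from the device firmware or from the page, that models the check described above. The marker list is constructed for the example (the firmware's real list is not given on the page), and the URLs are sample inputs. The vulnerable form searches the whole URL with strstr; the hardened form cuts the URL at the query string and accepts a marker only as the suffix of the path itself:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Markers for "public" auxiliary files. Constructed for this example;
   the real firmware list is not known from the page. */
static const char *const public_markers[] = { ".gif", ".jpg", ".png", ".css", ".js", NULL };

/* Vulnerable form: substring search over the whole URL, so a marker in the
   query string ("/wan_wan.htm?pic.gif") is enough to skip the login check. */
bool is_public_vulnerable(const char *url)
{
    for (size_t i = 0; public_markers[i] != NULL; i++)
        if (strstr(url, public_markers[i]) != NULL)
            return true;
    return false;
}

/* Hardened form: cut the URL at '?' or '#', refuse traversal, and accept a
   marker only as the suffix of the path component. */
bool is_public_hardened(const char *url)
{
    char path[512];
    size_t n = strcspn(url, "?#");          /* length of the path component */
    if (n >= sizeof path)
        return false;
    memcpy(path, url, n);
    path[n] = '\0';
    if (strstr(path, "..") != NULL)         /* path normalisation must not change what we checked */
        return false;
    for (size_t i = 0; public_markers[i] != NULL; i++) {
        size_t mlen = strlen(public_markers[i]);
        if (n >= mlen && strcmp(path + n - mlen, public_markers[i]) == 0)
            return true;
    }
    return false;
}

/* 1 if the server would serve the URL without a login, 0 if it would demand
   authentication first. */
int served_without_login(bool (*check)(const char *), const char *url)
{
    return check(url) ? 1 : 0;
}

int main(void)
{
    /* Sample requests constructed for the example. */
    static const char *const urls[] = {
        "/logo.gif",                        /* genuinely public */
        "/style.css",
        "/wan_wan.htm",                     /* needs login under both checks */
        "/wan_wan.htm?pic.gif",             /* the bypass described on the page */
        "/netgear_dgn2200.cfg?pic.gif",     /* configuration dump via the same bypass */
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-32s vulnerable:%d hardened:%d\n", urls[i],
               served_without_login(is_public_vulnerable, urls[i]),
               served_without_login(is_public_hardened, urls[i]));
    return 0;
}
```

The suffix check only decides whether the login check is skipped; the file that is then served must be exactly the one at that path, otherwise the exemption still leaks. An explicit allow-list of the handful of public file paths is stricter than any extension-based rule.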

The second vulnerability is caused by the use of the strcmp function to compare the username and password. strcmp compares the strings byte by byte and stops at the first difference or at the null byte that terminates the string, so the time it takes depends on how many leading characters match. An attacker can therefore guess the password one character at a time, measuring the time that elapses before the authentication error is returned: if the time increases, the character is correct and the attacker moves on to guessing the next character in the string.
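The following is an added example, not code from the device firmware or from the page, that simulates the timing attack described above. Instead of measuring real latency, both comparison functions report how many bytes they examined; that count stands in for the response time an attacker would measure. The password, the printable-ASCII alphabet and the length bound MAXLEN are assumptions for the example. A constant-time comparison is shown alongside the strcmp-style one so that the same attack can be run against both:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXLEN 32   /* assumed upper bound on the password length */

/* Both comparisons return 0 on a match and report in *steps how many bytes
   they examined; the count is the stand-in for measured response time. */
typedef int (*cmp_fn)(const char *stored, const char *supplied, size_t *steps);

/* strcmp-style comparison: stops at the first differing byte or at the
   terminating null, so the work grows with the length of the matching prefix. */
int leaky_compare(const char *stored, const char *supplied, size_t *steps)
{
    size_t i = 0;
    while (stored[i] != '\0' && stored[i] == supplied[i])
        i++;
    *steps = i + 1;   /* bytes looked at, including the one that ended the loop */
    return (unsigned char)stored[i] - (unsigned char)supplied[i];
}

/* Constant-time comparison: always walks the full stored secret and folds
   every difference into one accumulator, so the work does not depend on
   where the first mismatch is (only the stored length fixes the cost). */
int ct_compare(const char *stored, const char *supplied, size_t *steps)
{
    size_t n = strlen(stored), m = strlen(supplied);
    unsigned char diff = (unsigned char)(n != m);
    for (size_t i = 0; i < n; i++) {
        unsigned char s = (unsigned char)stored[i];
        unsigned char g = (i < m) ? (unsigned char)supplied[i] : 0;
        diff |= s ^ g;
    }
    *steps = n;
    return diff;
}

/* Helper for inspection: how many bytes 'cmp' examines for one guess. */
size_t compare_steps(cmp_fn cmp, const char *stored, const char *supplied)
{
    size_t steps = 0;
    cmp(stored, supplied, &steps);
    return steps;
}

/* Simulated attack: at each position try every printable byte and keep the
   one that makes the comparison do the most work. Returns the number of
   characters recovered; 'out' (at least MAXLEN+1 bytes) receives the guess. */
size_t recover_password(cmp_fn cmp, const char *stored, char *out)
{
    char guess[MAXLEN + 2] = {0};
    size_t pos = 0, steps = 0;
    while (pos < MAXLEN) {
        guess[pos] = '\0';
        if (cmp(stored, guess, &steps) == 0)   /* full match: done */
            break;
        int best_c = 0;
        size_t best_steps = 0;
        for (int c = 0x20; c <= 0x7e; c++) {
            guess[pos] = (char)c;
            guess[pos + 1] = '\0';
            cmp(stored, guess, &steps);
            if (steps > best_steps) {          /* more work => longer matching prefix */
                best_steps = steps;
                best_c = c;
            }
        }
        guess[pos] = (char)best_c;
        pos++;
    }
    guess[pos] = '\0';
    memcpy(out, guess, pos + 1);
    return pos;
}

/* 1 if the attack against 'cmp' recovers 'stored' exactly, else 0. */
int attack_recovers(cmp_fn cmp, const char *stored)
{
    char out[MAXLEN + 2];
    recover_password(cmp, stored, out);
    return strcmp(out, stored) == 0;
}

int main(void)
{
    const char *secret = "Gx7!pass";   /* constructed sample password */
    char out[MAXLEN + 2];
    size_t n = recover_password(leaky_compare, secret, out);
    printf("strcmp-style: recovered %zu chars: \"%s\"\n", n, out);
    recover_password(ct_compare, secret, out);
    printf("constant-time: guess \"%s\" (%s)\n", out,
           strcmp(out, secret) == 0 ? "broken" : "attack failed");
    return 0;
}
```

Against the real device the signal is a few extra instructions buried in network jitter, so each candidate has to be measured many times and compared statistically; the byte count here is the idealised version of that measurement. The fix is a comparison whose cost does not depend on the input, such as the constant-time routine above or a comparison of fixed-length hashes of the credentials.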

The third vulnerability allows the password to be extracted from a configuration dump, which can itself be obtained using the first vulnerability (for example, with the request "https://10.0.0.1:8080/netgear_dgn2200.cfg?pic.gif"). The password is present in the dump in encrypted form, but the encryption uses the DES algorithm with a constant key, "NTGRBAK", which can be extracted from the firmware.

To exploit the vulnerabilities, an attacker must be able to send requests to the network port on which the web interface is running; from an external network the attack can be carried out, for example, using the DNS rebinding technique. The problems have already been fixed in firmware update 1.0.0.60.

Source: media reports.