[wlanfhain] Netgear WG602 Accesspoint vulnerability (fwd)

Marlen Caemmerer nosy
Fr Jun 4 15:08:15 CEST 2004

---------- Forwarded message ----------
Date: Thu, 3 Jun 2004 19:35:22 +0200 (CEST)
From: Tom Knienieder <knienieder at khamsin.ch>
To: full-disclosure at lists.netsys.com, bugtraq at securityfocus.com,
     vulnwatch at vulnwatch.org, newstips at heise.de, cert at cert.org
Subject: Netgear WG602 Accesspoint vulnerability

KHAMSIN Security News
KSN Reference: 2004-06-03 0001 TIP

         The Netgear WG602 Accesspoint contains an undocumented
         administrative account.



The webinterface which is reachable from both interfaces (LAN/WLAN)
contains an undocumented administrative account which cannot be disabled.

Any user logging in with the username "super" and the password "5777364"
is in complete control of the device.

This vulnerability can be exploited by any person which is able to reach
the webinterface of the device with a webbrowser.

A search on Google revealed that "5777364" is actually the phonenumber
of z-com Taiwan which develops and offers WLAN equipment for its OEM

Currently it is unknown whether other Vendors are shipping products
based on z-com OEM designs.

Systems Affected

         Vulnerable (verified)
                 WG602 with Firmware Version 1.04.0

         Possibly vulnerable (not verified)
                 WG602 with other Firmware Versions
                 All other z-com derived WLAN Accesspoints

Proof of concept

         Download the WG602 Version 1.5.67 firmware from Netgear
         ( http://kbserver.netgear.com/support_details.asp?dnldID=366 )
         and run the following shell commands on a UNIX box:

         $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
         $ zcat rd.img.gz | strings | grep -A5 -B5 5777364

         Which results in the following output:

                 super 			<---- Username
                 5777364 		<---- Password


         This advisory does not claim to be complete or to be usable for
         any purpose. Especially information on the vulnerable systems may
         be inaccurate or wrong. Possibly supplied exploit code is not to
         be used for malicious purposes, but for educational purposes only.
         This advisory is free for open distribution in unmodified form.


KHAMSIN Security GmbH     Zuercherstr. 204 / CH-9014 St. Gallen

Mehr Informationen über die Mailingliste Berlin