[WLANware] FW: [wlanfhain] Netgear WG602 Accesspoint vulnerability (fwd)

Juergen Neumann j.neumann
Mon Jun 7 11:20:28 CEST 2004


FYI:

> -----Original Message-----
> From: wlanfhain-bounce at databang.org
> [mailto:wlanfhain-bounce at databang.org]On Behalf Of Marlen Caemmerer
> Sent: Friday, June 04, 2004 3:08 PM
> To: wlanfhain at databang.org
> Subject: [wlanfhain] Netgear WG602 Accesspoint vulnerability (fwd)
>
> ---------- Forwarded message ----------
> Date: Thu, 3 Jun 2004 19:35:22 +0200 (CEST)
> From: Tom Knienieder <knienieder at khamsin.ch>
> To: full-disclosure at lists.netsys.com, bugtraq at securityfocus.com,
>      vulnwatch at vulnwatch.org, newstips at heise.de, cert at cert.org
> Subject: Netgear WG602 Accesspoint vulnerability
> 
> 
> 
> KHAMSIN Security News
> KSN Reference: 2004-06-03 0001 TIP
> ---------------------------------------------------------------------------
> 
> Title
> -----
>          The Netgear WG602 Accesspoint contains an undocumented
>          administrative account.
> 
> Date
> ----
>          2004-06-03
> 
> 
> Description
> -----------
> 
> The web interface, which is reachable from both interfaces (LAN/WLAN),
> contains an undocumented administrative account which cannot be disabled.
>
> Any user logging in with the username "super" and the password "5777364"
> is in complete control of the device.
>
> This vulnerability can be exploited by any person who is able to reach
> the web interface of the device with a web browser.
>
> A search on Google revealed that "5777364" is actually the phone number
> of z-com Taiwan, which develops and offers WLAN equipment for its OEM
> customers.
>
> Currently it is unknown whether other vendors are shipping products
> based on z-com OEM designs.
> 
> 
> Systems Affected
> ----------------
> 
>          Vulnerable (verified)
>                  WG602 with Firmware Version 1.04.0
> 
>          Possibly vulnerable (not verified)
>                  WG602 with other Firmware Versions
>                  WG602v2
>                  All other z-com derived WLAN Accesspoints
> 
> 
> Proof of concept
> ----------------
> 
>          Download the WG602 Version 1.5.67 firmware from Netgear
>          ( http://kbserver.netgear.com/support_details.asp?dnldID=366 )
>          and run the following shell commands on a UNIX box:
>
>          $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
>          $ zcat rd.img.gz | strings | grep -A5 -B5 5777364
>
>          Which results in the following output:
>
>                  %08lx:%08lx:%s
>                  %08lx%08lx%08lx%08lx
>                  Authorization
>                  BASIC
>                  super           <---- Username
>                  5777364         <---- Password
>                  %02x
>                  Content-length
>                  HTTP_USER_AGENT
>                  HTTP_ACCEPT
>                  SERVER_PROTOCOL
>
> Disclaimer
> ----------
>
>          This advisory does not claim to be complete or to be usable for
>          any purpose. Especially information on the vulnerable systems may
>          be inaccurate or wrong. Possibly supplied exploit code is not to
>          be used for malicious purposes, but for educational purposes only.
>          This advisory is free for open distribution in unmodified form.
>
>          http://www.khamsin.ch
>
> ---------------------------------------------------------------
> KHAMSIN Security GmbH     Zuercherstr. 204 / CH-9014 St. Gallen
> http://www.khamsin.ch
> ---------------------------------------------------------------

_______________________________________________
WLANware mailing list
WLANware at freifunk.net
http://freifunk.net/mailman/listinfo/wlanware
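
The proof of concept in the advisory depends on a fixed offset (`skip=425716`) that only fits one image. As an added example (not part of the advisory or the forwarded mail), the Python script below generalizes that check for auditing firmware images you administer: it locates embedded gzip streams by their magic bytes, extracts printable strings, and returns the neighbourhood of a given string, like `grep -A5 -B5`. The function names and the constructed sample image are assumptions made for illustration.

```python
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2 and CM=deflate

def embedded_gzip_streams(image: bytes):
    """Yield (offset, data) for every complete gzip stream inside image."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=31)  # 31 = parse gzip header and trailer
        try:
            data = d.decompress(image[pos:])
        except zlib.error:
            data = b""  # magic bytes matched by chance
        step = 1
        if data and d.eof:
            yield pos, data
            step = len(image) - pos - len(d.unused_data)  # skip past this stream
        pos = image.find(GZIP_MAGIC, pos + step)

def printable_strings(blob: bytes, min_len: int = 4):
    """Runs of printable ASCII, like strings(1) with its default length of 4."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def find_in_firmware(image: bytes, needle: str, context: int = 5):
    """Return [(stream_offset, neighbouring_strings)], like grep -A5 -B5."""
    hits = []
    for offset, data in embedded_gzip_streams(image):
        strs = printable_strings(data)
        for i, s in enumerate(strs):
            if needle in s:
                hits.append((offset, strs[max(0, i - context):i + context + 1]))
    return hits

def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware image (not real Netgear data)."""
    ramdisk = b"\x00".join([b"%08lx:%08lx:%s", b"Authorization", b"BASIC",
                            b"super", b"5777364", b"%02x", b"Content-length"])
    return b"HDR0" + bytes(60) + gzip.compress(ramdisk) + b"\xff" * 32

if __name__ == "__main__":
    for offset, ctx in find_in_firmware(build_sample_image(), "5777364"):
        print(f"gzip stream at offset {offset}:")
        for s in ctx:
            print("   ", s)
```

To check a real image, read the file as bytes and pass it to `find_in_firmware` in place of the constructed sample.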




