Netgear WPN824v3 Unauthorized Config Download

vendor:

WPN824v3

by:

Jens Regel

4,3

CVSS

MEDIUM

Unauthorized Config Download

N/A

CWE

Product Name: WPN824v3

Affected Version From: V1.0.8_1.0.6

Affected Version To: V1.0.8_1.0.6

Patch Exists: NO

Related CWE: N/A

CPE: h:netgear:wpn824v3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Local and Remote

2013

Netgear WPN824v3 Unauthorized Config Download

The Netgear RangeMax Wireless Router (model WPN824v3) allows to download the config file without authorization. The vulnerability can be exploited with your browser: http://[local-ip]/cgi-bin/NETGEAR_wpn824v3.cfg. If remote management is enabled: http://[remote-ip]:8080/cgi-bin/NETGEAR_wpn824v3.cfg

Mitigation:

Disable the remote management feature!

Source

Exploit-DB raw data:

Title:
======
Netgear WPN824v3 Unauthorized Config Download

Date:
=====
2013-06-03

Introduction:
=============
The Netgear RangeMax Wireless Router (model WPN824v3) allows to download
the config file without authorization.

Status:
========
Published

Affected Products:
==================
Netgear WPN824v3

Vendor Homepage:
================
http://support.netgear.com/product/WPN824v3

Exploitation-Technique:
=======================
Local and Remote

Details:
========
I found a bug in the Netgear WPN824v3 wireless router, everyone is able
to download the full config file without authorization.
Unfortunately the config file is not htaccess protected.
Tested with latest firmware V1.0.8_1.0.6.

Proof of Concept:
=================
The vulnerability can be exploited with your browser:

http://[local-ip]/cgi-bin/NETGEAR_wpn824v3.cfg

If remote management is enabled:

http://[remote-ip]:8080/cgi-bin/NETGEAR_wpn824v3.cfg

Workaround:
=========
Disable the remote management feature!

Author:
========
Jens Regel <jens@loxiran.de>