Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Issues in Netgear WGR614 wireless router
From: Liam <liamtr () gmail com>
Date: Sat, 15 Dec 2012 11:29:06 +1100

Is the EEPROM easily removable or does it need to be unsoldered? Any chance you have a picture of the chip (preferably while still on the board) so those of us who care can either remove or smash it before turfing one of these routers out (to prevent dumpster divers potentially recovering such data)?



On 14/12/2012 6:17 PM, gsuberland () gmail com wrote:
I've been reverse engineering the Netgear WGR614 wireless router, which has been one of the most popular devices 
shipped by major ISPs in the UK over the last ten years.

After disassembling the device and identifying the components, I noticed that the firmware and all settings are stored 
on a single EEPROM (flash) chip, specifically a Macronix MX25L1605 SPI 16Mbit EEPROM. Other variants of the device may 
use slightly different chips, but they all seem to use SPI EEPROMs with identical I/O commands. I de-soldered the IC 
and hooked it up to a BusPirate, and used it to extract the entire contents of the chip.

I quickly discovered two interesting things:

First, I found a hard-coded credential used for direct serial programming. Using it requires direct physical access and you 
have to solder wires onto the board. Despite this not being particularly interesting, this issue has been assigned as 
CVE-2012-6340 anyway. It's always good to have the information out there.

Second, I noticed that there were multiple copies of my config file, and all passwords (for both control panel and wifi) within 
them are plain-text. It turns out that, in order to prevent config file corruption, the router re-generates the entire config 
file and writes a new copy directly after the previous one. It then activates the new config, and soft-deletes the old file by 
removing its entry from a list. Once you've changed the config several times (about 11 on this device), it hits the end of 
the flash chip's storage and cycles back to the original address. However, it does not actually wipe the old config files.

This issue, assigned CVE-2012-6341, results in the ability to recover all previously used passwords on the device, for 
both the control panel and WEP/WPA/WPA2, in plaintext. A factory reset does not fix this; it simply restores a default 
config file onto the lower address. As such, an attacker who steals the device may recover the last-used passwords and 
config, as well as many previous passwords and configuration data. There also seems to be some storage of DHCP client 
information, but the data I have is inconclusive due to it being partially overwritten.

This has been confirmed on the WGR614v7 and WGR614v9 models, and is expected to be the case on all other revisions. It 
also looks like the WGR624 model has the same design, so other models in the same series may be affected too.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]