Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Netgear CG3000/CG3100 bugs
From: Alejandro Alvarez <alex.a.bravo () gmail com>
Date: Thu, 14 Oct 2010 13:12:34 +0200

Product: Netgear CG3100D Residential Gateway

Vendor: http://www.netgear.com

Discovered: August 30, 2010

Disclosed: October 14, 2010


The Netgear  CG3100D Residential Gateway with firmware version 5.5.2 (and
probably other CG3000/CG3100 models with the same firmware) has several bugs
that would allow remote auth, privilege escalation and denegation of


HTTP server allows privilege escalation.

The web server listening on port 80 and 443 on the router does not control
access to files, it simply sets a menu according to which user login has
been made. Thus, a user with lesser permissions, admin, could load the menu
of the user with more privileges, NETGEAR_SE simply accessing

The reverse can also be done, the user admin can access NETGEAR_SE menus by

SSH server allows user authentication bypass with no password (NETGEAR_SE
and MSO).

The SSH server that incorporates the router allows the introduction of blank
passwords to users NETGEAR_SE and MSO. This behavior does not occur with
users superuser and admin of the router.

Because of this failure, both users can access with their password and a
blank password. Changing password does not resolve this issue.

Print server triggers reset on the router.

The router print server listening on port 1024 and 9100 causes an
involuntary reset on the router when you open a connection but no job is
sent. This bug can be reproduced by opening a telnet to and
keeping the connection open. After a few seconds, the watchdog process
trigger a reset.


2010/08/30 - Notified to vendor (security () netgear com) - no response
2010/09/30 - Notified again - no response received.

Alejandro Alvarez Bravo
alex.a.bravo () gmail com
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • Netgear CG3000/CG3100 bugs Alejandro Alvarez (Oct 14)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]