mailing list archives
Netgear CG3000/CG3100 bugs
From: Alejandro Alvarez <alex.a.bravo () gmail com>
Date: Thu, 14 Oct 2010 13:12:34 +0200
Product: Netgear CG3100D Residential Gateway
Discovered: August 30, 2010
Disclosed: October 14, 2010
The Netgear CG3100D Residential Gateway with firmware version 5.5.2 (and
probably other CG3000/CG3100 models with the same firmware) has several bugs
that would allow remote auth, privilege escalation and denegation of
HTTP server allows privilege escalation.
The web server listening on port 80 and 443 on the router does not control
access to files, it simply sets a menu according to which user login has
been made. Thus, a user with lesser permissions, admin, could load the menu
of the user with more privileges, NETGEAR_SE simply accessing
The reverse can also be done, the user admin can access NETGEAR_SE menus by
SSH server allows user authentication bypass with no password (NETGEAR_SE
The SSH server that incorporates the router allows the introduction of blank
passwords to users NETGEAR_SE and MSO. This behavior does not occur with
users superuser and admin of the router.
Because of this failure, both users can access with their password and a
blank password. Changing password does not resolve this issue.
Print server triggers reset on the router.
The router print server listening on port 1024 and 9100 causes an
involuntary reset on the router when you open a connection but no job is
sent. This bug can be reproduced by opening a telnet to 192.168.1.1:9100 and
keeping the connection open. After a few seconds, the watchdog process
trigger a reset.
III. VENDOR RESPONSE
2010/08/30 - Notified to vendor (security () netgear com) - no response
2010/09/30 - Notified again - no response received.
Alejandro Alvarez Bravo
alex.a.bravo () gmail com
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Netgear CG3000/CG3100 bugs Alejandro Alvarez (Oct 14)