hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Jun 3 2004, 11:20 PM
QUOTE


KHAMSIN Security News
KSN Reference: 2004-06-03 0001 TIP
---------------------------------------------------------------------------


Title
-----
        The Netgear WG602 Accesspoint contains an undocumented
        administrative account.


Date


----
        2004-06-03
Description
-----------
The webinterface which is reachable from both interfaces (LAN/WLAN)
contains an undocumented administrative account which cannot be disabled.
Any user logging in with the username "super" and the password "5777364"
is in complete control of the device.
This vulnerability can be exploited by any person which is able to reach
the webinterface of the device with a webbrowser.
A search on Google revealed that "5777364" is actually the phonenumber
of z-com Taiwan which develops and offers WLAN equipment for its OEM
customers.
Currently it is unknown whether other Vendors are shipping products
based on z-com OEM designs.
Systems Affected
----------------
        Vulnerable (verified)
                WG602 with Firmware Version 1.04.0
        Possibly vulnerable (not verified)
                WG602 with other Firmware Versions
                WG602v2
                All other z-com derived WLAN Accesspoints
Proof of concept
----------------
        Download the WG602 Version 1.5.67 firmware from Netgear
        ( http://kbserver.netgear.com/support_details.asp?dnldID=366 )
        and run the following shell commands on a UNIX box:
        $ dd if=wg602_1.5.67_firmware.img bs=1 skip=425716 > rd.img.gz
        $ zcat rd.img.gz | strings | grep -A5 -B5 5777364
        Which results in the following output:
                %08lx:%08lx:%s
                %08lx%08lx%08lx%08lx
                Authorization
                BASIC
                super    <---- Username
                5777364  <---- Password
                %02x
                Content-length
                HTTP_USER_AGENT
                HTTP_ACCEPT
                SERVER_PROTOCOL
Disclaimer
----------
        This advisory does not claim to be complete or to be usable for
        any purpose. Especially information on the vulnerable systems may
        be inaccurate or wrong. Possibly supplied exploit code is not to
        be used for malicious purposes, but for educational purposes only.
        This advisory is free for open distribution in unmodified form.
        http://www.khamsin.ch



Source: http://seclists.org/lists/bugtraq/2004/Jun/0044.html
tweakz20
Jun 3 2004, 11:25 PM
this one's fun.. it's like the idiots are making some kind of conspiracy... but how would you determine what kind of access point they're running while wardriving? huh.gif
qcred11
Jun 3 2004, 11:33 PM
Hmmm good question... Will be nice to have some kinda software which can determine what access point are in use...
qcred11
Jun 4 2004, 06:56 PM
Just got the information that the WG602v2 is not vulnerable.

PiP
Jun 6 2004, 04:22 PM
QUOTE (qcred11 @ Jun 4 2004, 06:56 PM)
Just got the information that the WG602v2 is not vulnerable.

yeh, there seems to be alot of debate over if it is vnerable or not, a few people have came out attacking heh

but for anyone wanting to try this here is some more info that may or may not be reliable (from bugtraq)
QUOTE

I can confirm that this vulnerability still exists in the latest firmware upgrade(1.7.14) for the WG602.  They've simply gone and changed the username to superman and password to 21241036.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.