October 23, 2013, 1:15 PM — Vulnerabilities in the management interfaces of some wireless router and network-attached storage products from Netgear expose the devices to remote attacks that could result in their complete compromise, researchers warn.
The latest hardware revision of Netgear's N600 Wireless Dual-Band Gigabit Router, known as WNDR3700v4, has several vulnerabilities that allow attackers to bypass authentication on the router's Web-based interface, according to Zachary Cutlip, a researcher with security consultancy firm Tactical Network Solutions.
"If you browse to http://<router address>/BRS_02_genieHelp.html, you are allowed to bypass authentication for all pages in the entire administrative interface," Cutlip said Tuesday in a blog post. "But not only that, authentication remains disabled across reboots. And, of course, if remote administration is turned on, this works from the frickin' Internet."
That opens the door to many attack possibilities. For example, an attacker could configure the router to use a malicious DNS (Domain Name System) server, which would allow the attacker to redirect users to malicious websites or set up port forwarding rules to expose internal network services to the Internet.
"Additionally, any command injection or buffer overflow vulnerabilities in the router's Web interface become fair game once authentication is disabled," Cutlip said.
In fact, the researcher already found a vulnerability which, when exploited together with the authentication bypass one, allows an attacker to obtain a root prompt on the router.
"Once the attacker has root on the router, they can easily sniff and manipulate all the users' Internet-bound traffic," Cutlip said Thursday.
The BRS_02_genieHelp.html vulnerability is actually a combination of two separate issues. One is that any interface pages whose names start with "BRS_" can be accessed without authentication.
This is a vulnerability in itself and can lead to sensitive information disclosure. For example, a page called "BRS_success.html" lists the access passwords for the 2.4GHz and 5GHz Wi-Fi networks configured on the router.
The second issue is that when accessed, the BRS_02_genieHelp.html page switches a router configuration setting called "hijack_process" to 1 and this disables authentication for the entire Web interface. The value for the "hijack_process" setting when the router is configured properly is 3.
The same vulnerability was found by researchers from Independent Security Evaluators (ISE) in April in the firmware of the Netgear CENTRIA (WNDR4700) router model. However, the vulnerable URL ISE identified at the time was http://[router_ip]/BRS_03B_haveBackupFile_fileRestore.html.