#!/zitstif.no-ip.org/

Website/Company: http://zitstif.no-ip.org
E-mail: zitstif[at]gmail.com

Name: Kyle Young

Device: Netgear RP614v4
Firmware version: v1.1.2_09.01
Firmware release date: November 2009
HTTP service: Boa HTTPd 0.93.15
Exploit release date: Wednesday March 24, 2010

Default router credentials:
username: admin
password: password

Scope: Local/Remote

Vulnerability:

The Netgear RP614v4 is susceptible to an end user making a request for the netgear.cfg file which is located at:

http://[RouterIP]/vgn/jsp/netgear.cfg

This file, is a plain text ASCII file that contains the router’s password at line 216, which looks similar to this:

http_passwd=myvulnerablepassword

You don’t have to authenticate to obtain this file at all.

The qualm with this exploit is that, it works in the LAN that the router is on, or even remotely over a WAN, that is if the remote administration
option is enabled and the default port for this is 8080.

PoC: http://zitstif.no-ip.org/rp614v4/rp614v4exploit.txt

Additional notes:

After discovering this vulnerability, I’ve noticed with other routers that have http based administration, is that you can make requests for config files without authenticating. However, this does not always work and at times the config file is obfuscated.

From my experience, most of the config files for routers are in a binary format and can be viewed with a program like ‘bvi‘. At times, you can view credentials to the device and also PPPoE credentials.

I’m reporting this vulnerability to securityfocus.com, due to the lack of support on Netgear’s end.