Product: Netgear CG3100D Residential Gateway

Vendor: http://www.netgear.com

Discovered: August 30, 2010

Disclosed: October 14, 2010



I. DESCRIPTION


The Netgear  CG3100D Residential Gateway with firmware version 5.5.2 (and
probably other CG3000/CG3100 models with the same firmware) has several bugs
that would allow remote auth, privilege escalation and denegation of
service.


II. DETAILS


HTTP server allows privilege escalation.

The web server listening on port 80 and 443 on the router does not control
access to files, it simply sets a menu according to which user login has
been made. Thus, a user with lesser permissions, admin, could load the menu
of the user with more privileges, NETGEAR_SE simply accessing
http://192.168.1.1/__SeContents.html

The reverse can also be done, the user admin can access NETGEAR_SE menus by
accesing http://192.168.1.1/contentsres.asp


SSH server allows user authentication bypass with no password (NETGEAR_SE
and MSO).

The SSH server that incorporates the router allows the introduction of blank
passwords to users NETGEAR_SE and MSO. This behavior does not occur with
users superuser and admin of the router.

Because of this failure, both users can access with their password and a
blank password. Changing password does not resolve this issue.


Print server triggers reset on the router.

The router print server listening on port 1024 and 9100 causes an
involuntary reset on the router when you open a connection but no job is
sent. This bug can be reproduced by opening a telnet to 192.168.1.1:9100 and
keeping the connection open. After a few seconds, the watchdog process
trigger a reset.

III. VENDOR RESPONSE

2010/08/30 - Notified to vendor (security@netgear.com) - no response
received.
2010/09/30 - Notified again - no response received.


-- 
--
Alejandro Alvarez Bravo
alex.a.bravo@gmail.com