Netgear Telnet Enable utility allows attackers to gain root privileges

Started by JudasIscariot, March 02, 2012, 07:06:01 PM

JudasIscariot

Hey all,

I don't know how many of you know about this vulnerability but I figured I would share this with you just in case.

Netgear has issued a utility that allows you to access your Netgear router via telnet. Now, this might seem like an innocent little utility but what about when a potential attacker uses this utility?

This utility lets you bypass the web interface screen AND, for most routers, it gives you a BusyBox shell that can reveal in plaintext the user name and password used to access the web interface screen.

http://code.google.com/p/netgear-telnetenable/ This is the Python version of Netgear's telnet utility.

I tested this utility with a Netgear WNDR3700 and was able to use "config show" to see what the login and username were for the web interface.

http://wiki.openwrt.org/toh/netgear/telnet.console This wiki page shows most of the models that may be affected by this utility.

One positive about this is that the potential attacker needs to have local access to the network but, on the other hand, most, if not all, Netgear routers have WPS and, thus, using Reaver and waiting for it to unlock the WPS PIN, the potential attacker can have access to the network AND root privileges on the router which would allow him/her to open ports, clear logs, cause a Denial of Service, and much more.

I hope my post wasn't too long and rambling :D.

Have a nice day.