Hello,
I would need several CG3100 users to test this and confirm that their routers behave the same way as mine:
Test 1. Connect with the browser over http to the Netgear configuration web page http://192.168.1.1. Log in with the admin user. Once you have logged in, change the address in the navigation bar to 192.168.1.1/__SeContents.html. Does it let you access the NETGEAR_SE user's menu?
Test 2. Connect via ssh (ssh -p 22 NETGEAR_SE@192.168.1.1); when the password prompt appears, simply press enter without entering a password. Do you get the router prompt (CG3100>)?
Test 3. Connect via telnet to the router (telnet 192.168.1.1:9100), press enter a couple of times in the console and wait. Does the router reboot?
These bugs have been reported to security@netgear.com since 29 August 2010; 15 days later they were sent extended documentation on the bugs. They still have not replied acknowledging the bugs in their software.
Here is the email that was sent to Netgear:
Dear Sir/Madam,
A month ago I contacted this address to inform you of failures with your product CG3100D Residential Gateway but have not received any response.
I look forward to hearing from you.
Yours faithfully,
Product: Netgear CG3100D Residential Gateway
Vendor: netgear.com
Discovered: August 30, 2010
I. DESCRIPTION
The Netgear CG3100D Residential Gateway with firmware version 5.5.2 (and probably other CG3000/CG3100 models with the same firmware) has several bugs that would allow remote auth, privilege escalation and denial of service.
II. DETAILS
HTTP server allows privilege escalation.
The web server listening on ports 80 and 443 on the router does not control access to files; it simply sets a menu according to which user login has been made. Thus, a user with lesser permissions, admin, could load the menu of the user with more privileges, NETGEAR_SE, simply by accessing 192.168.1.1/__SeContents.html
The reverse can also be done: the user NETGEAR_SE can access admin menus by accessing 192.168.1.1/contentsres.asp
SSH server allows user authentication with no password (NETGEAR_SE and MSO).
The SSH server that incorporates the router allows the introduction of blank passwords to users NETGEAR_SE and MSO. This behavior does not occur with users superuser and admin of the router.
Because of this failure, both users can access both with their password and blank password. Changing password does not resolve this issue.
Print server triggers reset on the router.
The router print server listening on ports 1024 and 9100 causes an involuntary reset of the router when you open a connection but no job is sent. This bug can be reproduced by opening a telnet to 192.168.1.1:9100 and keeping the connection open. After a few seconds, the watchdog process triggers a reset.