Re: 4 Years ago in a land far far away.
Hmm, I reported an issue I discovered to Netgear quite some years ago regarding their DG834 range (G,GT,N..) firmware when they were still current routers, that I don't believe was ever fixed.
It was possible to bypass the login details and gain root access, due to no password protection on a sub-directory within the router's Httpd web server directory, plus various shell exploit vulnerabilities in the web interface, which would allow a hacker full root access to the router, including accessing all setting stored on the router, downloading and running binary code from the internet on the router and flashing custom firmware.
It was remotely exploitable as a reflective attack, by getting a victim's browser to request a specially crafted URL by, for example, posting it as an image link in a forum post.
I did consider publicly releasing a temporary fix which used the same exploits to clone the router's web directory to the ram based temp directory, omitting the unprotected setup directory, and set the router's httpd server to use that instead.
I subsequently also discovered that it was possible to inject scripts into the router's NVRAM settings so that they'd survive a reboot and run automatically, so a hacker could fully own the router without even needing to replace the firmware.
All the password vulnerability needed was a link to the password file added to the setup directory to make it password protected. The various shell exploits needed a lot more work to fix, but without the password bypass they wouldn't have been quite so serious.
As far as I know, I believe the only router to be fixed was the Sky supplied dg834gt, and that was only because Sky replaced the standard firmware with a sky customised version which since it didn't require it, had omitted the setup web sub-directory, removing the password bypass vulnerability.
Hopefully most will have been thrown out, or died and gone to landfill by now.
Biting the hand that feeds IT
