[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Issues in Netgear WGR614 wireless router
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Issues in Netgear WGR614 wireless router
- From: gsuberland@xxxxxxxxx
- Date: Fri, 14 Dec 2012 07:17:47 GMT
I've been reverse engineering the Netgear WGR614 wireless router, which has
been one of the most popular devices shipped by major ISPs in the UK over the
last ten years.
After disassembling the device and identifying the components, I noticed that
the firmware and all settings are stored on a single EEPROM (flash) chip,
specifically a Macronix MX25L1605 SPI 16Mbit EEPROM. Other variants of the
device may use slightly different chips, but they all seem to use SPI EEPROMs
with identical I/O commands. I de-soldered the IC and hooked it up to a
BusPirate, and used it to extract the entire contents of the chip.
I quickly discovered two interesting things:
First, I found a hard-coded credential used for direct serial programming.
Using it requires direct physical access and you have to solder wires onto the
board. Despite this not being particularly interesting, this issue has been
assigned as CVE-2012-6340 anyway. It's always good to have the information out
there.
Second, I noticed that there were multiple copies of my config file, and all
passwords (for both control panel and wifi) within them are plain-text. It
turns out that, in order to prevent config file corruption, the router
re-generates the entire config file and writes a new copy directly after the
previous one. It then activates the new config, and soft-deletes the old file
by removing its entry from a list. Once you've changed the config several times
(about 11 on this device), it hits the end of the flash chip's storage and
cycles back to the original address. However, it does not actually wipe the old
config files.
This issue, assigned CVE-2012-6341, results in the ability to recover all
previously used passwords on the device, for both the control panel and
WEP/WPA/WPA2, in plaintext. A factory reset does not fix this; it simply
restores a default config file onto the lower address. As such, an attacker who
steals the device may recover the last-used passwords and config, as well as
many previous passwords and configuration data. There also seems to be some
storage of DHCP client information, but the data I have is inconclusive due to
it being partially overwritten.
This has been confirmed on the WGR614v7 and WGR614v9 models, and is expected to
be the case on all other revisions. It also looks like the WGR624 model has the
same design, so other models in the same series may be affected too.