Title:======
Netgear WPN824v3 Unauthorized Config Download
Date:=====2013-06-03
Introduction:=============
The Netgear RangeMax Wireless Router (model WPN824v3) allows to download
the config file without authorization.
Status:========
Published
Affected Products:==================
Netgear WPN824v3
Vendor Homepage:================
http://support.netgear.com/product/WPN824v3
Exploitation-Technique:=======================
Local and Remote
Details:========
I found a bug in the Netgear WPN824v3 wireless router, everyone is able
to download the full config file without authorization.
Unfortunately the config fileisnot htaccess protected.
Tested with latest firmware V1.0.8_1.0.6.
Proof of Concept:=================
The vulnerability can be exploited with your browser:
http://[local-ip]/cgi-bin/NETGEAR_wpn824v3.cfg
If remote management is enabled:
http://[remote-ip]:8080/cgi-bin/NETGEAR_wpn824v3.cfg
Workaround:=========
Disable the remote management feature!
Author:========
Jens Regel <jens@loxiran.de>
