Vulnerabilities in NETGEAR Devices Allowing Unauthenticated Access

Three vulnerabilities have been identified in the firmware of NETGEAR DGN-2200v1 series devices, which combine an ADSL modem, a router, and a wireless access point. Together they allow any operation in the web interface to be performed without passing authentication.

The first vulnerability stems from the HTTP server code containing a hard-coded shortcut for serving images, CSS, and other auxiliary files without authentication. The request is checked against a list of typical file names and extensions, but the check is implemented as a substring search over the entire URL, including the request parameters. If a listed substring is found anywhere in the URL, the page is returned without verifying that the client has logged in to the web interface. Attacking a device therefore comes down to appending a listed name to the request; for example, the WAN interface settings can be obtained with the request "https://10.0.0.1/WAN_wan.htm?pic.gif".
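As an added example (not code from the article or from NETGEAR's firmware), the snippet below shows the weak pattern the article describes beside a check that decides on the URL path only; the suffix list, URLs, and function names are constructed for illustration.

```c
/* Added example, not the vendor's code: a static-asset whitelist checked
 * by substring over the whole URL versus one checked on the path only.
 * The suffix list and sample URLs are illustrative assumptions. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Auxiliary file types any client may fetch without logging in. */
static const char *const PUBLIC_SUFFIXES[] = { ".gif", ".css", ".js", NULL };

/* Weak variant: strstr() scans the entire request URL, query string
 * included, so "/WAN_wan.htm?pic.gif" matches ".gif" and the login
 * check is skipped for a protected page. */
bool is_public_vulnerable(const char *url)
{
    for (size_t i = 0; PUBLIC_SUFFIXES[i] != NULL; i++)
        if (strstr(url, PUBLIC_SUFFIXES[i]) != NULL)
            return true;
    return false;
}

/* Hardened variant: cut the URL at the query string or fragment and
 * require the remaining path to END with an allowed suffix. The check
 * must run on the same (decoded, canonical) path the server later uses
 * to resolve the file, otherwise encoding tricks reopen the gap. */
bool is_public_hardened(const char *url)
{
    size_t path_len = strcspn(url, "?#");      /* length of the path part */
    for (size_t i = 0; PUBLIC_SUFFIXES[i] != NULL; i++) {
        size_t suf_len = strlen(PUBLIC_SUFFIXES[i]);
        if (path_len >= suf_len &&
            memcmp(url + path_len - suf_len, PUBLIC_SUFFIXES[i], suf_len) == 0)
            return true;
    }
    return false;
}

/* Dispatcher decision: everything that is not a public asset needs a session. */
bool request_needs_login(const char *url)
{
    return !is_public_hardened(url);
}

int main(void)
{
    const char *probe = "/WAN_wan.htm?pic.gif";   /* constructed request */
    printf("substring check lets it through: %d\n", is_public_vulnerable(probe));
    printf("path check requires login:       %d\n", request_needs_login(probe));
    return 0;
}
```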


The second vulnerability is caused by the use of the strcmp function to compare the username and password. strcmp compares character by character until it reaches either a differing character or the null character marking the end of the string. An attacker can therefore guess the password one character at a time by measuring the time until the authentication error is returned: if the delay increases, the correct character has been found and the next position in the string can be tried.

The third vulnerability allows the password to be extracted from a configuration backup dump, which can be obtained by exploiting the first vulnerability (for example, with the request "http://10.0.0.1:8080/NETGEAR_DGN2200.cfg?pic.gif"). The password is stored in the dump in encrypted form, but it is encrypted with DES using the fixed key "NtgrBak", which can be extracted from the firmware.


Exploiting the vulnerabilities requires being able to send requests to the network port on which the web interface is running; an attack can also be carried out from an external network, for example using the "DNS rebinding" technique. The problems have already been fixed in firmware update 1.0.0.60.

Source: opennet.ru
