2012-01-06

WNDR3800 backdoor

The Netgear WNDR3800 firmware is a version of OpenWRT, and that's one of the reasons I've bought this router.
While being open is a good thing, being wide open maybe it's not.

This firmware has a backdoor, enabled by a simple utility (the windows version is available directly from the Netgear support site).
Once executed, it gives root access to the router without any authentication.
Consequences may vary from simple denial of service (you can reboot at will), or something more elaborate: download the /etc/shadow file, run John the Ripper, and get the admin password. Then, logging on with the web interface, you can flash a full version of OpenWRT, install tcpdump and capture all unencrypted traffic.

Problem is that the backdoor can be enabled by any device connected to the router, even via wireless; so be aware that allowing someone to simply use your connection, means giving them full root access.
The backdoor is not accessible from the Guest Network, so if you are going to allow someone to use your wireless, at least give them only the Guest Network.

2 comments:

  1. Thanks for this!

    ReplyDelete
  2. Anonymous4/3/14 12:27

    Sorry for necroposting, but in 2014 Mar. the proplem is still there and this page still on the top 5 google results.
    I used "telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog" on my wndr3800 with stock firmware v1.0.0.48, then "cmd" -> "telnet 192.168.1.1" to log in without any password as OP said. There was a note on top of telnet window "Use 'passwd' to set your login password this will disable telnet and enable SSH" so i did. After i shut down telnet i am unable to connect with 'telnet 192.168.1.1', it just keeps telling me "Login failed". I can't log in on SSH via putty either as SSH is not a part of stock firmware AFAIK. "telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog" executes without error, but neither telnet nor ssh doesn't connect succesfully. Does it (completely breaking telnet on my router) counts for workaround (personally i never even use telnet) or it there a way to fix telnet (and the backdoor) without reverting to factory defaults?

    ReplyDelete