I have recently found a vulnerability on my Netgear Managed Switch I use at home. Its an information disclosure vulnerability.
Basically the web management application fails to restrict URL access to different application areas. Remote, unauthenticated attackers could exploit this issue to download the device’s startup-config, which contains administrator credentials in encrypted form.
All we need to do to get a hold of this information is to do a simple wget. This drags the config file down to our machine, collecting valuable intel that can be used later.
I am on the latest firmware available at the time of post 22.214.171.124 , this works on older firmware also. I tested it on 126.96.36.199 and same results.
you can then cat the file or load it up in gedit / nano.
As you can see i now have the config file available to see in plain text.
What is worrying is that the username is stored in plain text and a hash of the password is also there for people to copy and take away and run via hashcat or john the ripper…
thanks netgear for making this easier for people to pwn my managed switch and allowing them if they get in to screw with the whole network …