Netgear DGN2200 stores credentials as plain text – allows full access in local subnet

In my previous post I made the remark that the telnet interface for my Netgear router does not require credentials. As such, you already have full root access the moment you connect.

After some digging I found that the web interface credentials are not encrypted at all. The contents of the /etc/passwd file are readable by the “nobody” user that the Telnet session drops you into (which, as the output below shows, is uid 0 anyway). Example output:

~ # whoami
nobody
~ # cat /etc/passwd
nobody:*:0:0:nobody:/:/bin/sh
admin:fakepass:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh

There is no /etc/shadow file.

This means that anyone on the local subnet (connected via Wi-Fi at a coffee shop, for example) can enable Telnet and read the web interface password straight out of /etc/passwd.
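As an added audit check (not part of the original post), the following script parses passwd(5) text such as the output quoted above and flags accounts whose password field is empty or holds the secret itself rather than a hash or a shadow placeholder, plus every uid 0 account. The sample input is the post's own /etc/passwd listing, embedded as a constant.

```python
import re

# Constructed sample: the /etc/passwd contents quoted in the post above.
SAMPLE_PASSWD = """\
nobody:*:0:0:nobody:/:/bin/sh
admin:fakepass:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh
"""

# Field values that store no usable secret: '*', '!', '!!' lock the
# account, 'x' means the hash lives in /etc/shadow.
LOCKED_OR_SHADOWED = {"*", "x", "!", "!!"}

# Shapes a real crypt(3) hash takes: modular "$id$salt$hash" or the
# legacy 13-character DES form. (A 13-character plaintext password
# would be misclassified as a DES hash; the heuristic cannot tell.)
HASH_RE = re.compile(r"^\$[0-9a-z]+\$[^$]*\$[./0-9A-Za-z]+$|^[./0-9A-Za-z]{13}$")


def classify_password_field(field):
    """Return 'empty', 'locked', 'hashed' or 'plaintext' for one field."""
    if field == "":
        return "empty"        # no password at all
    if field in LOCKED_OR_SHADOWED:
        return "locked"
    if HASH_RE.match(field):
        return "hashed"
    return "plaintext"        # anything else is the secret itself


def _records(text):
    """Yield the seven colon-separated fields of each well-formed line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            parts = line.split(":")
            if len(parts) == 7:
                yield parts


def audit_passwd(text):
    """List (user, uid, finding) for empty or plaintext password fields."""
    return [(p[0], int(p[2]), classify_password_field(p[1]))
            for p in _records(text)
            if classify_password_field(p[1]) in ("empty", "plaintext")]


def root_equivalent_accounts(text):
    """List every account with uid 0: any login as these is a root login."""
    return [p[0] for p in _records(text) if p[2] == "0"]


if __name__ == "__main__":
    for user, uid, kind in audit_passwd(SAMPLE_PASSWD):
        print(f"{user} (uid {uid}): {kind} password field")
    print("uid 0 accounts:", ", ".join(root_equivalent_accounts(SAMPLE_PASSWD)))
```

On a healthy system with /etc/shadow in use, audit_passwd returns an empty list and root_equivalent_accounts returns only root.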

This is the latest firmware (version V1.0.0.37_1.0.21WW) available for this router.

How I fixed my Netgear router’s broken webserver

A couple of nights ago we had some stormy weather that resulted in a power outage. The night was filled with lightning strikes and the following morning I found myself unable to connect to the internet.

After attempting to log into the web interface of my router (and failing) I pinged it and realised that it was still running fine. Numerous reboots followed during which I discovered that the web interface actually worked, but only for about 30 seconds after booting, after which it stopped responding to requests entirely.

It was in these 30 second moments of insight that I found that my DNS settings were erased (I assume this was due to the bad weather), so I quickly fixed it. I finally had a working internet connection again, and set about fixing the web interface.

After a bit of research it became clear that the only other way of connecting was via Telnet, but Telnet was disabled by default. Further digging led me to this tool, used by Netgear technicians to temporarily enable Telnet access while connected to the router’s subnet. Oddly enough, after connecting I found that it didn’t require any authentication. This came as quite a surprise, and I suspect that there is no easy way to fix this.

Anyway, I now had full root access to my router’s (somewhat outdated) Linux OS. I checked top and noticed that httpd was still running, and yet it was not responding to requests. Shortly after restarting the daemon manually I found that the web interface was working fine once again, and for longer than 30 seconds. I used it to run a firmware upgrade which solved the problem entirely. The web interface was fine once again, and I didn’t notice any permanent lightning damage.

A quick how-to for the Telnet tool:
It must be run from the router’s local subnet, otherwise the router won’t respond. The command takes the following form:
telnetEnable.exe <Router’s IP> <Router’s MAC Address with all separators such as colons removed, and all letters in caps> Gearguy Geardog
For example:
telnetEnable.exe 192.168.0.1 30469A24067F Gearguy Geardog

That should enable Telnet on your router until the next reboot.