Netgear DGN2200 stores credentials as plain text – allows full access in local subnet

In my previous post I made the remark that the telnet interface for my Netgear router does not require credentials. As such, you already have full root access the moment you connect.

After some digging I found that the web interface credentials are not encrypted at all. The contents of the /etc/passwd file are readable by the (Telnet) “nobody” user, with full access. Example output:

~ # whoami
nobody
~ # cat /etc/passwd
nobody:*:0:0:nobody:/:/bin/sh
admin:fakepass:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh

There is no /etc/shadow file.

This means that anyone on the local subnet (connected via Wi-Fi at a coffee shop, for example) can enable Telnet and get the password for the web interface.

This is the latest firmware (version V1.0.0.37_1.0.21WW) available for this router.
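
The check below is an added example, not part of the original post or of any Netgear tooling: it audits the contents of a passwd file (for instance from an unpacked firmware image) for the two problems visible in the output above, plaintext values in the password field and UID 0 assigned to every account. The sample data is constructed to match the post's layout, and the function names are hypothetical.

```python
import re

# Constructed sample in the same layout as the post's output (not real credentials).
SAMPLE_PASSWD = """\
nobody:*:0:0:nobody:/:/bin/sh
admin:fakepass:0:0:admin:/:/bin/sh
guest:guest:0:0:guest:/:/bin/sh
"""

MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$.+")   # $1$, $5$, $6$, $2b$, $y$ ...
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")     # traditional 13-char crypt(3)


def classify_password_field(field):
    """Classify field 2 of a passwd entry without ever echoing its value."""
    if field == "x":
        return "shadowed"
    if field == "":
        return "empty"
    if field == "*" or field.startswith("!"):
        return "locked"
    # Heuristic: a 13-character plaintext password would be mistaken for DES crypt.
    if MODULAR_CRYPT.match(field) or DES_CRYPT.match(field):
        return "hashed"
    return "plaintext"


def audit_passwd(text, shadow_present):
    """Return (line_number, account, issue) tuples for a passwd file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(":")
        if len(parts) != 7:
            if line.strip():
                findings.append((lineno, "?", "malformed entry"))
            continue
        name, password, uid = parts[0], parts[1], parts[2]
        kind = classify_password_field(password)
        if kind == "plaintext":
            findings.append((lineno, name, "plaintext password in field 2"))
        elif kind == "empty":
            findings.append((lineno, name, "empty password"))
        elif kind == "shadowed" and not shadow_present:
            findings.append((lineno, name, "points to a missing shadow file"))
        if uid == "0" and name != "root":
            findings.append((lineno, name, "UID 0 on non-root account"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD, shadow_present=False):
        print(finding)
```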