Slashdot Mirror

← Back to Stories (view on slashdot.org)

NetGear Also Has Remote Access Wide Open

Posted by CowboyNeal on from the hotspot-back-doors dept.

Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."

8 of 215 comments (clear)

  1. Fixed in new firmware, available here: by Anonymous Coward · · Score: 5, Informative

    http://kbserver.netgear.com/support_details.asp?dn ldID=735

    1. Re:Fixed in new firmware, available here: by Chucky+B.+Bear · · Score: 5, Informative
      I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.

      (You can find it yourselve by just taking similiar steps as in the securityfoces article.)

  2. Re:huh? by RidiculousPie · · Score: 4, Informative
    This vulnerability can be exploited by any person which is able to reach the webinterface of the device with a webbrowser.
    It would appear that if the webinterface is disabled, the device cannot be compromised.
    --
    ah, mod points ... now where is my crack?
  3. linked properly for the lazy by Anonymous Coward · · Score: 5, Informative

    Netgear Firmware Upgrade

  4. Re:Possibilities. by alexatrit · · Score: 5, Informative

    I stand corrected, here.

    "The only way to clear the BIOS password is with a Master Reset Password provided by Dell for that Model No. and they will not give you the master unless you can give them the name. address and telephone of the registered owner. However the password is universal for all laps with the same model no., so if you know someone who is a registered owner, you can call Dell and get the master."

    Reference here. That being said, the master for an Inspiron 5000 is BLVJCH. Booyah!

    --

    Nothing but the finest in meaningless drivel
  5. It's a feature, not a bug. by gumpish · · Score: 5, Informative

    The URL is "mangled" for people browsing with mobile devices. The space is added so tiny displays can word wrap the text. (And also so crapflooders can't make your horizontal scroll bar appear.)

    Personally I think the number of people using such browsers is probably so small that there is no justification for this "feature", but since Slashdot isn't likely to change, URLs should be submitted as proper links and not just plan text.

  6. Take my advice by Q2Serpent · · Score: 4, Informative

    I know this is a huge problem for the general public, but for those of us with a linux machine, do what I do and save yourself some trouble: put two network cards in the linux machine. Connect one to the internet and the other to your wireless router's normal ethernet ports (don't use the port that is supposed to be for the internet). Then, just set up your linux firewall/NAT, and you get all the benefits of wireless and a wired hub on the inside, with a linux machine doing the routing/firewalling for security from the outside. Since the router isn't on the net, no one can even touch it.

  7. Re:The problem of convinience by Harodotus · · Score: 4, Informative

    Smoothwall is exactly that, a custom Linux distro with boot-from-cd install that only requires you to hit "enter" a couple dozen times to turn any old 2 nic pc into a pre-configured modern firewall with internal NAT and DHCP.


    I use it and find it very handy (lots of old PC hardware about)

    --
    Its not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.