I have mentioned odd postings to bugtraq before. Today, one “gsuberland” added to the canon with a gem about the Netgear WGR614 wireless router. He says in his post that he has been “reverse engineering” this router. Now for most bugtraq posters (and readers) this would mean that he has been disassembling the firmware. But no, Mr “gsuberland” has actually been pulling apart the hardware.
After disassembling the device and identifying the components, I noticed that the firmware and all settings are stored on a single EEPROM (flash) chip, specifically a Macronix MX25L1605 SPI 16Mbit EEPROM. Other variants of the device may use slightly different chips, but they all seem to use SPI EEPROMs with identical I/O commands. I de-soldered the IC and hooked it up to a BusPirate, and used it to extract the entire contents of the chip.
He went on to say:
I quickly discovered two interesting things:
First, I found a hard-coded credential used for direct serial programming. Using it requires direct physical access and you have to solder wires onto the board. Despite this not being particularly interesting, this issue has been assigned as CVE-2012-6340 anyway. It’s always good to have the information out there.
Oh yes. Indeed it is.
Second, I noticed that there were multiple copies of my config file, and all passwords (for both control panel and wifi) within them are plain-text. It turns out that, in order to prevent config file corruption, the router re-generates the entire config file and writes a new copy directly after the previous one. It then activates the new config, and soft-deletes the old file by removing its entry from a list. Once you’ve changed the config several times (about 11 on this device), it hits the end of the flash chip’s storage and cycles back to the original address. However, it does not actually wipe the old config files.

This issue, assigned CVE-2012-6341, results in the ability to recover all previously used passwords on the device, for both the control panel and WEP/WPA/WPA2, in plaintext. A factory reset does not fix this; it simply restores a default config file onto the lower address.
Now the best bit.
As such, an attacker who steals the device may recover the last-used passwords and config, as well as many previous passwords and configuration data. There also seems to be some storage of DHCP client information, but the data I have is inconclusive due to it being partially overwritten.
Now I can see that it is not good that Netgear should store passwords in the clear. But if the only way anyone can get these passwords is to physically steal my router and pull it apart, I might notice that it had gone. Moreover, the stolen passwords could not be used in a remote attack against me because I no longer have the damned thing.
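To make the quoted write-and-soft-delete cycle concrete, here is an added toy model (my own illustration, not the original post's code and not Netgear's actual config format): a flash region holds fixed-size config slots, each update writes the next slot and only drops the old one from an index, and erased flash reads as 0xFF. The slot size, slot count, "CFG:wifi_pass=" marker and factory_reset behaviour are all assumptions made up for the model; the hardened variant erases the retired slot instead of merely unlisting it, which is the mitigation the post's findings point to.

```python
# Constructed model of a flash-backed config store with a soft-delete index.
# Nothing here is Netgear's real on-chip layout; sizes and markers are assumed.
import re

SLOT_SIZE = 64   # assumed bytes per config slot
SLOTS = 4        # assumed number of slots before the store wraps around
ERASED = b"\xff"  # erased NOR flash reads as 0xFF


class ConfigStore:
    def __init__(self, wipe_on_retire: bool):
        self.flash = bytearray(ERASED * (SLOT_SIZE * SLOTS))
        self.active = None               # index of the live slot (the "list entry")
        self.wipe_on_retire = wipe_on_retire

    def write_config(self, wifi_password: str) -> None:
        # Assumed encoding: a marker plus the plaintext password, padded with 0xFF.
        blob = b"CFG:wifi_pass=" + wifi_password.encode() + b";"
        assert len(blob) <= SLOT_SIZE
        new = 0 if self.active is None else (self.active + 1) % SLOTS
        start = new * SLOT_SIZE
        self.flash[start:start + SLOT_SIZE] = blob.ljust(SLOT_SIZE, ERASED)
        old, self.active = self.active, new   # soft-delete: only the index moves
        if old is not None and self.wipe_on_retire:
            # Hardened variant: actually erase the retired slot.
            self.flash[old * SLOT_SIZE:(old + 1) * SLOT_SIZE] = ERASED * SLOT_SIZE

    def factory_reset(self) -> None:
        # As quoted: reset "simply restores a default config file onto the lower
        # address". The hardened variant erases the whole region first.
        if self.wipe_on_retire:
            self.flash[:] = ERASED * (SLOT_SIZE * SLOTS)
        self.active = None
        self.write_config("default")


def residual_passwords(flash: bytes) -> list:
    """Every password a raw dump of this region still contains, live or retired."""
    return [m.group(1).decode()
            for m in re.finditer(rb"CFG:wifi_pass=([^;\xff]+);", flash)]


def demo(wipe_on_retire: bool, changes: int = 11, reset: bool = False) -> list:
    """Apply `changes` config updates (11, as in the post), optionally reset, dump."""
    store = ConfigStore(wipe_on_retire)
    for i in range(changes):
        store.write_config(f"pw{i}")
    if reset:
        store.factory_reset()
    return residual_passwords(bytes(store.flash))


if __name__ == "__main__":
    print("soft-delete only:", demo(False), "after reset:", demo(False, reset=True))
    print("erase on retire: ", demo(True), "after reset:", demo(True, reset=True))
```

With only the index moved, the dump still holds one password per slot (and the reset just overwrites the lowest slot); with erase-on-retire, only the live config survives.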