# Title: Netgear DGN2200, DGND3700 and WNDR4500 Multiple Information Disclosure Vulnerabilities # Author: Mandar jadhav # Vendor Homepage: https://www.netgear.com/ # CVE's : CVE-2016-5649, CVE-2016-5638 1. Admin password disclosure (CVE-2016-5649) A vulnerability is in the 'BSW_cxttongr.htm' page which can allow a remote attacker to access this page without any authentication. When processed, it exposes adminas password in clear text before it gets redirected to absw_vfysucc.cgia. An attacker can use this password to gain administrator access of the targeted routeras web interface. Affected Models: Netgear DGN2200 running firmware version DGN2200-V1.0.0.50_7.0.50 Netgear DGND3700 running firmware version DGND3700-V1.0.0.17_1.0.17 Solution: Netgear has released firmware version 1.0.0.52 for DGN2200 & 1.0.0.28 for DGND3700 to address this issue 2. SSID & wireless key Disclosure (CVE-2016-5638) There are few web pages associated with the genie app. Genie app adds some capabilities over the Web GUI and can be accessed even when you are away from home. A remote attacker can access genie_ping.htm or genie_ping2.htm or genie_ping3.htm page without authentication. Once accessed, the page will be redirected to the aCongratulations2.htma page, which reveals some sensitive information such as 2.4GHz & 5GHz Wireless Network Name (SSID) and Network Key (Password) in clear text. Affected Models: Netgear WNDR4500 running firmware version V1.0.1.40_1.0.68 Solution: WNDR4500v1 has reached the End of Life so Netgear wonat be releasing any updates for this. ## History 23.06.2016 - Initial contact to Netgear 24.06.2016 - Reported all details to Netgear 01.07.2016 - Email sent to Netgear asking for status update, no response 14.07.2016 - Email sent to Netgear asking for status update, no response 26.07.2016 - Netgear confirms findings 31.08.2016 - Email sent to Netgear asking for status update 02.09.2016 - Received reply from Netgear that they will be releasing a fix for this 23.12.2016 - Netgear informs that vulnerability has been fixed in the new version Thanks, Mandar # Iranian Exploit DataBase = http://IeDb.Ir [2017-01-05]