I tried this on Netgear RP614 router (4-port dsl, not wireless, never upgraded firmware). I tried a password with a space in it, but it didnt work. I pulled the plug for about 24 hours, and it still doesnt accept the default password. Looks like it isnt a generell problem. But would be interessting on which devices it works. regards, alex2308 (sorry for my bad english) ----- Original Message ----- From: "Jon Kamm @hotmail" <jonkamm@hotmail.com> To: <bugtraq@securityfocus.com> Sent: Wednesday, December 10, 2003 1:09 AM Subject: NetGear WAB102 > The NetGear WAB102 (running firmware v1.2.3) is a dual band wireless access > point. After a recent power outage I noticed that the unit reset its > password to the default of '1234'. Obviously this makes it possible for > someone to reconfigured it meet their needs... a significant security risk. > After further testing I discovered that any password with a space in it will > be accepted and will work as long as the unit is not powered off or reset. > Once reset it reverts to the default password. All other settings remain > intact, WEP keys, IP addresses, etc. I found it particularly interesting > that you don't even have to login to the unit to get a list of wireless > stations accessing the unit ... makes it real easy to gather MAC addresses > to spoof. > > NetGear notified a few days ago, they suggested I update the firmware to the > latest... it was already running it but I did it again for good measure... > no change. Other units may be affected. > > Jon Kamm > NetKamm LLC >
