Netgear RAX43 firmware version 1.0.3.96 uses hardcoded credentials. Normal users do not appear to be intended to manipulate configuration backups, because the backups are encrypted; that encryption is a password-protected zip file whose password is hardcoded (RAX50w!a4udk). By unzipping the backup with this password, a user can change settings that are not meant to be user-editable, re-zip the configuration, and restore it as a backup so that those settings take effect.
Netgear RAX43 routers are vulnerable to a critical security flaw due to the use of hardcoded credentials for configuration backups. This allows attackers to remotely compromise the router by extracting, modifying, and re-injecting configuration settings, potentially leading to complete control of the device and network traffic interception.
Step 1: Target Identification: Identify a vulnerable Netgear RAX43 router running firmware version 1.0.3.96.
Step 2: Backup Extraction: Obtain a backup of the router's configuration. This can be achieved through the router's web interface or potentially through other network access points.
Step 3: Archive Decryption: Unzip the configuration backup file using the hardcoded password: RAX50w!a4udk.
Step 4: Configuration Modification: Edit the extracted configuration files. This may involve changing DNS settings to point to malicious servers, altering administrative passwords, or enabling remote access.
Step 5: Archive Re-encryption: Re-zip the modified configuration files using the same hardcoded password: RAX50w!a4udk.
Step 6: Configuration Restoration: Upload and restore the modified configuration backup through the router's web interface.
Step 7: System Compromise: The router now operates with the attacker's modified configuration, enabling network traffic redirection, administrative access, or other malicious activities.
The vulnerability stems from the flawed implementation of the configuration backup and restore functionality. The router uses a password-protected ZIP archive for backups, but the password is hardcoded (RAX50w!a4udk), which eliminates the protection the password is meant to provide: because the same constant is shared by every device, it gives neither confidentiality nor any assurance that an archive was produced by the router rather than edited offline. The firmware likely contains code that uses this hardcoded password to encrypt and decrypt the configuration files. An attacker can exploit this by extracting the configuration, modifying sensitive settings (e.g., DNS servers, administrative passwords), re-zipping it with the same hardcoded password, and restoring the modified backup, which allows remote configuration manipulation and potential network compromise.
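For contrast with the flaw described above, the following is an added example (not Netgear's code, and not from the original advisory) of a backup format whose protection key is derived from a secret the device owner supplies rather than a constant baked into the firmware, and whose restore path rejects any archive whose contents were altered. The format tag, field layout, iteration count and sample configuration are all assumptions chosen for the illustration; it uses HMAC-SHA256 for tamper detection only, since a cipher for confidentiality is outside the Python standard library.

```python
import hashlib
import hmac
import os

# Hypothetical sealed-backup layout: MAGIC || salt || tag || config.
# The key is derived per backup from an owner-chosen passphrase, so there is
# no firmware-wide constant that unlocks every device's backup.
MAGIC = b"CFGB1"          # constructed format tag (assumption)
SALT_LEN = 16
ITERATIONS = 200_000
TAG_LEN = 32


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256 key from the owner's passphrase and a random salt."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, ITERATIONS, dklen=32)


def seal_backup(config: bytes, passphrase: str) -> bytes:
    """Export a backup: authenticate header and contents under the derived key."""
    salt = os.urandom(SALT_LEN)
    tag = hmac.new(derive_key(passphrase, salt),
                   MAGIC + salt + config, hashlib.sha256).digest()
    return MAGIC + salt + tag + config


def open_backup(blob: bytes, passphrase: str) -> bytes:
    """Return the config bytes; raise ValueError on tampering or wrong passphrase."""
    header = len(MAGIC) + SALT_LEN + TAG_LEN
    if len(blob) < header or not blob.startswith(MAGIC):
        raise ValueError("not a sealed backup")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    tag = blob[len(MAGIC) + SALT_LEN:header]
    config = blob[header:]
    expected = hmac.new(derive_key(passphrase, salt),
                        MAGIC + salt + config, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("backup rejected: integrity check failed")
    return config


def restore_is_accepted(blob: bytes, passphrase: str) -> bool:
    """Restore-side decision: apply only an untampered blob sealed under this passphrase."""
    try:
        open_backup(blob, passphrase)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = b"dns_primary=192.0.2.1\nlan_ip=192.168.1.1\n"   # constructed sample config
    blob = seal_backup(sample, "owner-chosen passphrase")
    edited = blob[:-len(sample)] + sample.replace(b"192.0.2.1", b"198.51.100.9")
    print(restore_is_accepted(blob, "owner-chosen passphrase"),      # True
          restore_is_accepted(edited, "owner-chosen passphrase"))    # False
```

An archive whose contents were edited offline, or one sealed under a different passphrase, fails the check and is never applied, which is exactly the property the shared hardcoded ZIP password cannot give.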