The Netgear WNDR4700 router is susceptible to an authentication bypass attack. Without providing credentials, an attacker on the LAN can access a specific page on this router's embedded web server that permanently breaks authentication on the device (until factory reset). Once this attack is performed, anyone on the local network can access the router's administration interface without providing a username or password. This same attack is possible from the WAN if remote management has been enabled. Administrators should disable remote management immediately.
By default remote management of the WNDR4700 is not enabled, but remote take over of the WNDR4700 may still be possible (though was not confirmed). The firmware on the WNDR4700 takes countermeasures to protect against cross-site request forgery in the form of anti-forgery tokens. In another Netgear router we evaluated, we found that the CSRF tokens were poorly chosen, and could be guessed easily by a remote adversary. We did not investigate what algorithm is used to generate tokens on the WNDR4700, but the inability to perform cross-site request forgery prevents this authentication bypass from escalating to a full, remote compromise without an alternative attack method.
The full attack is performed by simply accessing the page:
http://[router_ip]/BRS_03B_haveBackupFile_fileRestore.html where [router_ip] is the IP address of the router. After accessing this page, the WNDR4700 no longer requires a username or password to access the administrative interface. This persists even when the router is power cycled, and can only be remedied by a reset to factory default settings.
The Netgear telnetenable utility is another method to gain access to the router, but is not necessary for this attack.
A successful attack exploiting this vulnerability can give a local adversary full control of the victim router.