
Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability



it could still be carried out remotely by obfuscating a link sent to the
"admin" of the device. this would obviously rely on the admin clicking on
the link, and is more of a phishing / social engineering style attack. this
would also rely on the router being set up with all of the default internal
LAN IPs.

sr.


2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@xxxxxxxxxxxxxxxx>

> Dear Tom Neaves,
>
> It still can be exploited from the Internet even if "remote management" is
> only accessible from the local network. If you can trick a user into visiting
> a Web page, you can place a form on this page which targets the router, and
> the request to the router is issued from the victim's browser.
>
>
> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@xxxxxxxxx:
>
> TN> Hi.
>
> TN> I see where you're going but I think you're missing the point a little.  By
> TN> *default* the web interface is enabled on the LAN and accessible by anyone
> TN> on that LAN and the "remote management" interface (for the Internet) is
> TN> turned off.  If the "remote management" interface was enabled, stopping ICMP
> TN> echo responses would not resolve this issue at all, turning the interface
> TN> off would do though (or restricting by IP, ...ack).  The "remote management"
> TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss
> TN> this off list with you if it's still not clear to save spamming everyone's
> TN> inboxes. :o)
>
> TN> Tom
>
> TN> ----- Original Message -----
> TN> From: Alaa El yazghi
> TN> To: Tom Neaves
> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
> TN> Sent: Monday, June 15, 2009 11:03 PM
> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>
>
> TN> I know and I understand. What I wanted to mean is that we can not eventually
> TN> access the web interface of a netgear router remotely if we cannot locally.
> TN> As for the DoS, it is simple to solve such attack from outside. We just
> TN> disable receiving pings (There is actually an option in even the lowest
> TN> series) and thus, we would be able to have a remote management without ICMP
> TN> requests.
>
>
>
> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>
> TN> Hi.
>
> TN> I'm not quite sure of your question...
>
> TN> The DoS can be carried out remotely, however one mitigating factor (which
> TN> makes it a low risk as opposed to sirens and alarms...) is that it's turned
> TN> off by default - you have to explicitly enable it under "Remote Management"
> TN> on the device if you want to access it/carry out the DoS over the Internet.
> TN> However, it is worth noting that anyone on your LAN can *remotely* carry out
> TN> this attack regardless of this management feature being on/off.
>
> TN> I hope this clarifies it for you.
>
> TN> Tom
> TN> ----- Original Message -----
> TN> From: Alaa El yazghi
> TN> To: Tom Neaves
> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
> TN> Sent: Monday, June 15, 2009 10:45 PM
> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>
>
> TN> How can it be carried out remotely if it bugs locally?
>
>
> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>
> TN> Product Name: Netgear DG632 Router
> TN> Vendor: http://www.netgear.com
> TN> Date: 15 June, 2009
> TN> Author: tom@xxxxxxxxxxxxxxx <tom@xxxxxxxxxxxxxxx>
> TN> Original URL:
> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
> TN> Discovered: 18 November, 2006
> TN> Disclosed: 15 June, 2009
>
> TN> I. DESCRIPTION
>
> TN> The Netgear DG632 router has a web interface which runs on port 80.  This
> TN> allows an admin to login and administer the device's settings.  However,
> TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
> TN> to crash and stop responding to further requests.
>
> TN> II. DETAILS
>
> TN> Within the "/cgi-bin/" directory of the administrative web interface exists
> TN> a file called "firmwarecfg".  This file is used for firmware upgrades.  An
> TN> HTTP POST request for this file causes the web server to hang.  The web
> TN> server will stop responding to requests and the administrative interface
> TN> will become inaccessible until the router is physically restarted.
>
> TN> While the router will still continue to function at the network level, i.e.
> TN> it will still respond to ICMP echo requests and issue leases via DHCP, an
> TN> administrator will no longer be able to interact with the administrative
> TN> web interface.
>
> TN> This attack can be carried out internally within the network, or over the
> TN> Internet if the administrator has enabled the "Remote Management" feature
> TN> on the router.
>
> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>
> TN> III. VENDOR RESPONSE
>
> TN> 12 June, 2009 - Contacted vendor.
> TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
> TN> product and is no longer supported in a production and development sense,
> TN> as such, there will be no further firmware releases to resolve this issue.
>
> TN> IV. CREDIT
>
> TN> Discovered by Tom Neaves
>
> TN> _______________________________________________
> TN> Full-Disclosure - We believe in it.
> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> TN> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> Skype: Vladimir.Dubrovin
> ~/ZARAZA http://securityvulns.com/
> For facts are facts, and they are set forth only so that they may be
> understood and believed. (Twain)
>
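
The browser-relayed path discussed in this thread (a page on the Internet making the admin's browser POST to the router on the LAN) shows up to a defender as a POST to a LAN address whose Origin or Referer is some other site. The following is an added example, not part of the original thread or advisory: a small detector over HTTP request records, where the record layout, the address 192.168.0.1 and the example.* hosts are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Path named in the advisory quoted in this thread.
WATCHED_PATHS = {"/cgi-bin/firmwarecfg"}

def is_lan_literal(host):
    """True when host is an IP literal in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname; resolving it is out of scope offline
    return ip.is_private or ip.is_loopback or ip.is_link_local

def classify(record):
    """Return 'cross-site', 'no-origin' or None for one request record.

    The keys method/url/origin/referer are an assumed log layout.
    """
    if record.get("method", "").upper() != "POST":
        return None
    target = urlsplit(record["url"])
    if target.path not in WATCHED_PATHS or not is_lan_literal(target.hostname or ""):
        return None
    source = record.get("origin") or record.get("referer") or ""
    if source in ("", "null"):
        return "no-origin"      # scripted client or stripped headers
    if urlsplit(source).hostname == target.hostname:
        return None             # request came from the router's own pages
    return "cross-site"         # a page on another site drove the request

def scan(records):
    """Return (index, verdict) for every record worth an analyst's look."""
    return [(i, v) for i, v in ((i, classify(r)) for i, r in enumerate(records)) if v]

# Constructed sample records; addresses and hosts are placeholders.
ADMIN = "http://192.168.0.1/cgi-bin/firmwarecfg"
SAMPLE = [
    {"method": "POST", "url": ADMIN, "referer": "http://192.168.0.1/"},
    {"method": "POST", "url": ADMIN, "origin": "http://news.example.net"},
    {"method": "POST", "url": ADMIN},
    {"method": "GET", "url": ADMIN, "referer": "http://news.example.net/a"},
    {"method": "POST", "url": "http://www.example.org/cgi-bin/firmwarecfg",
     "origin": "http://news.example.net"},
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE):
        print(idx, verdict, SAMPLE[idx]["url"])
```

Since the vendor stated no firmware fix will be released, a hit here is mainly a cue to check whether the admin interface is still responding and to restrict which hosts can reach it.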