Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
- From: "Jeremi Gosney" <Jeremi.Gosney@xxxxxxxxxxxxx>
- Date: Tue, 16 Jun 2009 11:10:49 -0700
and as previously stated, if you have 'remote management' enabled then you are
truly vulnerable to outside threats. csrf works as well. but an attack carried
out on the LAN would still be considered a remote attack; although, you'd
likely be within arm's reach of the attacker, so you'd know who to punch in the
nose when the web server stopped responding. both vectors are considered
'remote' since the attacker is not legitimately authenticated to the system.
-------------
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of sr.
Sent: Tuesday, June 16, 2009 8:17 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
it could still be carried out remotely by obfuscating a link sent to the
"admin" of the device. this would obviously rely on the admin clicking on the
link, and is more of a phishing / social engineering style attack. this would
also rely on the router being set up with all of the default internal LAN IPs.
sr.
2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@xxxxxxxxxxxxxxxx>
Dear Tom Neaves,
It can still be exploited from the Internet even if "remote management" is only
accessible from the local network. If you can trick a user into visiting a Web
page, you can place a form on this page which targets the router, and the
request to the router is issued from the victim's browser.
--Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@xxxxxxxxx:
TN> Hi.
TN> I see where you're going but I think you're missing the point a
TN> little. By *default* the web interface is enabled on the LAN and
TN> accessible by
TN> anyone on that LAN and the "remote management" interface (for the
TN> Internet) is turned off. If the "remote management" interface was
TN> enabled, stopping ICMP echo responses would not resolve this issue
TN> at all, turning the interface off would do though (or restricting by IP,
...ack). The "remote management"
TN> (love those quotes...) interface speaks over HTTP hence TCP so no
TN> amount of dropping ICMP goodness will help with this. Anyhow, I am
TN> happy to discuss this off list with you if it's still not clear to
TN> save spamming everyone's inboxes. :o)
TN> Tom
TN> ----- Original Message -----
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
TN> Sent: Monday, June 15, 2009 11:03 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
TN> I know and I understand. What I wanted to mean is that we cannot
TN> eventually access to the web interface of a netgear router remotely if we
TN> cannot locally.
TN> As for the DoS, it is simple to solve such attack from outside. We
TN> just disable receiving pings (There is actually an option in even
TN> the lowest series) and thus, we would be able to have a remote
TN> management without ICMP requests.
TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
TN> Hi.
TN> I'm not quite sure of your question...
TN> The DoS can be carried out remotely, however one mitigating factor
TN> (which makes it a low risk as opposed to sirens and alarms...) is
TN> that it's turned off by default - you have to explicitly enable it under
TN> "Remote Management"
TN> on the device if you want to access it/carry out the DoS over the Internet.
TN> However, it is worth noting that anyone on your LAN can *remotely*
TN> carry out this attack regardless of this management feature being on/off.
TN> I hope this clarifies it for you.
TN> Tom
TN> ----- Original Message -----
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
TN> Sent: Monday, June 15, 2009 10:45 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
TN> How can it be carried out remotely if it bugs locally?
TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
TN> Product Name: Netgear DG632 Router
TN> Vendor: http://www.netgear.com
TN> Date: 15 June, 2009
TN> Author: tom@xxxxxxxxxxxxxxx <tom@xxxxxxxxxxxxxxx>
TN> Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
TN> Discovered: 18 November, 2006
TN> Disclosed: 15 June, 2009
TN> I. DESCRIPTION
TN> The Netgear DG632 router has a web interface which runs on port 80.
TN> This allows an admin to login and administer the device's settings.
TN> However, a Denial of Service (DoS) vulnerability exists that causes
TN> the web interface to crash and stop responding to further requests.
TN> II. DETAILS
TN> Within the "/cgi-bin/" directory of the administrative web interface
TN> exists a file called "firmwarecfg". This file is used for firmware
TN> upgrades. A HTTP POST request for this file causes the web server
TN> to hang. The web server will stop responding to requests and the
TN> administrative interface will become inaccessible until the router
TN> is physically restarted.
TN> While the router will still continue to function at the network level,
TN> i.e. it will still respond to ICMP echo requests and issue leases via
TN> DHCP, an
TN> administrator will no longer be able to interact with the
TN> administrative web interface.
TN> This attack can be carried out internally within the network, or
TN> over the Internet if the administrator has enabled the "Remote
TN> Management" feature on the router.
TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
TN> III. VENDOR RESPONSE
TN> 12 June, 2009 - Contacted vendor.
TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of
TN> life product and is no longer supported in a production and
TN> development sense, as such, there will be no further firmware
TN> releases to resolve this issue.
TN> IV. CREDIT
TN> Discovered by Tom Neaves
TN> _______________________________________________
TN> Full-Disclosure - We believe in it.
TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
TN> Hosted and sponsored by Secunia - http://secunia.com/
--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set down only so that they may be
understood and believed. (Twain)
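
Added example, not part of the original thread or advisory: a small log triage script that flags HTTP POSTs to the "firmwarecfg" path named in the advisory and labels which of the vectors discussed above (WAN with Remote Management on, LAN, or cross-site request from a LAN browser) each one matches. The log layout, addresses, hostnames and the label names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

TRIGGER_PATH = "/cgi-bin/firmwarecfg"  # path named in the advisory
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records, not real traffic. Assumed layout:
# time client server method uri referer ("-" means no Referer header)
SAMPLE_LOG = """\
2009-06-16T10:00:01 192.168.0.23 192.168.0.1 GET /index.htm -
2009-06-16T10:02:10 192.168.0.23 192.168.0.1 POST /cgi-bin/firmwarecfg http://192.168.0.1/placeholder-admin-page
2009-06-16T10:05:44 192.168.0.42 192.168.0.1 POST /cgi-bin/firmwarecfg http://news.example/article.html
2009-06-16T10:07:02 192.168.0.57 192.168.0.1 POST /cgi-bin/firmwarecfg -
2009-06-16T10:09:30 203.0.113.9 198.51.100.7 POST /cgi-bin/firmwarecfg -
"""

def on_lan(ip):
    """True when the address is in an RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def classify(line):
    """Return (time, client, vector) for a POST to the trigger path, else None."""
    ts, client, server, method, uri, referer = line.split()
    if method != "POST" or urlsplit(uri).path != TRIGGER_PATH:
        return None
    if not on_lan(client):
        return ts, client, "wan"         # only reachable with Remote Management on
    ref_host = None if referer == "-" else urlsplit(referer).hostname
    if ref_host is None:
        return ts, client, "lan-direct"  # no Referer: not sent from a web page
    if ref_host == server:
        return ts, client, "admin-ui"    # sent from the router's own pages
    return ts, client, "csrf"            # LAN browser driven by a foreign page

def scan(log_text):
    """Classify every non-empty record and keep only the hits."""
    lines = (l for l in log_text.splitlines() if l.strip())
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for ts, client, vector in scan(SAMPLE_LOG):
        print(ts, client, vector)
```

A hit followed by the admin interface going silent while the router still answers ICMP echo requests matches the symptom the advisory describes.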