[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

To: Jeremi Gosney <Jeremi.Gosney@xxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
From: Adrian P <unknown.pentester@xxxxxxxxx>
Date: Tue, 16 Jun 2009 23:58:15 +0100

you would be surprised how many people out there (mistakenly) still
think that only GET requests are CSRFable!

2009/6/16 Jeremi Gosney <Jeremi.Gosney@xxxxxxxxxxxxx>:
> Vladimir: "Where there is an open mind, there will always be a frontier." - 
> Charles Kettering
>
> <form method='post' action='http://192.168.1.1/cgi-bin/firmwarecfg' 
> name='DoS'>
>   <input type='hidden' value=''>
> </form>
> <a href='http://www.google.com' onclick='document.DoS.submit();'>Google</a>
>
>
>
> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Vladimir 
> Dubrovin
> Sent: Tuesday, June 16, 2009 9:43 AM
> To: sr.
> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>
> Dear sr.,
>
>  clicking  on  the  link can not produce POST request, only GET, unless
>  there   are   some   special   conditions,   like  crossite  scripting
>  vulnerability in the router.
>
> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote 
> DoS Vulnerability to full-disclosure@xxxxxxxxxxxxxxxxx;
>
> s> it could still be carried out remotely by obfuscating a link sent to the
> s> "admin" of the device. this would obviously rely on the admin clicking on
> s> the link, and is more of a phishing / social engineering style attack. this
> s> would also rely on the router being setup with all of the default internal
> s> LAN ip's.
>
> s> sr.
>
>
> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@xxxxxxxxxxxxxxxx>
>
>>> Dear Tom Neaves,
>>>
>>>  It  still can be exploited from Internet even if "remote management" is
>>> only  accessible  from local network. If you can trick user to visit Web
>>> page,  you  can  place  a  form on this page which targets to router and
>>> request to router is issued from victim's browser.
>>>
>>>
>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@xxxxxxxxx:
>>>
>>> TN> Hi.
>>>
>>> TN> I see where you're going but I think you're missing the point a little.
>>>  By
>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>> anyone
>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>> TN> turned off.  If the "remote management" interface was enabled, stopping
>>> ICMP
>>> TN> echo responses would not resolve this issue at all, turning the
>>> interface
>>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>>> management"
>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>> amount of
>>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>>> discuss
>>> TN> this off list with you if its still not clear to save spamming
>>> everyone's
>>> TN> inboxes. :o)
>>>
>>> TN> Tom
>>>
>>> TN> ----- Original Message -----
>>> TN> From: Alaa El yazghi
>>> TN> To: Tom Neaves
>>> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>
>>>
>>> TN> I know and I understand. What I wanted to mean is that we can not
>>> eventually
>>> TN> acces to the web interface of a netgear router remotely if we cannot
>>> localy.
>>> TN> As for the DoS, it is simple to solve  such attack from outside. We
>>> just
>>> TN> disable receiving pings (There is actually an option in even the lowest
>>> TN> series) and thus, we would be able to have a remote management without
>>> ICMP
>>> TN> requests.
>>>
>>>
>>>
>>> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>>>
>>> TN> Hi.
>>>
>>> TN> I'm not quite sure of your question...
>>>
>>> TN> The DoS can be carried out remotely, however one mitigating factor
>>> (which
>>> TN> makes it a low risk as opposed to sirens and alarms...) is that its
>>> turned
>>> TN> off by default - you have to explicitly enable it under "Remote
>>> Management"
>>> TN> on the device if you want to access it/carry out the DoS over the
>>> Internet.
>>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>>> carry out
>>> TN> this attack regardless of this management feature being on/off.
>>>
>>> TN> I hope this clarifies it for you.
>>>
>>> TN> Tom
>>> TN> ----- Original Message -----
>>> TN> From: Alaa El yazghi
>>> TN> To: Tom Neaves
>>> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
>>> TN> Sent: Monday, June 15, 2009 10:45 PM
>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>
>>>
>>> TN> How can it be carried out remotely if it bugs localy?
>>>
>>>
>>> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>>>
>>> TN> Product Name: Netgear DG632 Router
>>> TN> Vendor: http://www.netgear.com
>>> TN> Date: 15 June, 2009
>>> TN> Author: tom@xxxxxxxxxxxxxxx <tom@xxxxxxxxxxxxxxx>
>>> TN> Original URL:
>>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>>> TN> Discovered: 18 November, 2006
>>> TN> Disclosed: 15 June, 2009
>>>
>>> TN> I. DESCRIPTION
>>>
>>> TN> The Netgear DG632 router has a web interface which runs on port 80.
>>>  This
>>> TN> allows an admin to login and administer the device's settings.
>>>  However,
>>> TN> a Denial of Service (DoS) vulnerability exists that causes the web
>>> interface
>>> TN> to crash and stop responding to further requests.
>>>
>>> TN> II. DETAILS
>>>
>>> TN> Within the "/cgi-bin/" directory of the administrative web interface
>>> exists
>>> TN> a
>>> TN> file called "firmwarecfg".  This file is used for firmware upgrades.  A
>>> HTTP
>>> TN> POST
>>> TN> request for this file causes the web server to hang.  The web server
>>> will
>>> TN> stop
>>> TN> responding to requests and the administrative interface will become
>>> TN> inaccessible
>>> TN> until the router is physically restarted.
>>>
>>> TN> While the router will still continue to function at the network level,
>>> i.e.
>>> TN> it will
>>> TN> still respond to ICMP echo requests and issue leases via DHCP, an
>>> TN> administrator will
>>> TN> no longer be able to interact with the administrative web interface.
>>>
>>> TN> This attack can be carried out internally within the network, or over
>>> the
>>> TN> Internet
>>> TN> if the administrator has enabled the "Remote Management" feature on the
>>> TN> router.
>>>
>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>>
>>> TN> III. VENDOR RESPONSE
>>>
>>> TN> 12 June, 2009 - Contacted vendor.
>>> TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
>>> TN> product and is no
>>> TN> longer supported in a production and development sense, as such, there
>>> will
>>> TN> be no further
>>> TN> firmware releases to resolve this issue.
>>>
>>> TN> IV. CREDIT
>>>
>>> TN> Discovered by Tom Neaves
>>>
>>> TN> _______________________________________________
>>> TN> Full-Disclosure - We believe in it.
>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>> --
>>> Skype: Vladimir.Dubrovin
>>> ~/ZARAZA http://securityvulns.com/
>>> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
>>> поверили. (Твен)
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>
>
>
> --
>   Vladimir Dubrovin           Systems Engineer
>  http://nnov.stream.ru             Stream-TV
> http://securityvulns.ru     Nizhny Novgorod, Russia
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Vladimir '3APA3A' Dubrovin

References:
- [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Tom Neaves
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Alaa El yazghi
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Tom Neaves
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Alaa El yazghi
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Tom Neaves
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Vladimir '3APA3A' Dubrovin
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: sr.
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Vladimir Dubrovin
- Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
  - From: Jeremi Gosney

Prev by Date: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
Next by Date: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
Previous by thread: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
Next by thread: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
Index(es):
- Date
- Thread