[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
- To: Adrian P <unknown.pentester@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
- From: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Wed, 17 Jun 2009 09:07:42 +0400
Adrian,
If you can execute javascript - what is a reason to wait for user to
click the link? The message I reply stated there is no need to force
user to visit Web page and clicking the obfuscated link _sent_ to
admin is enougth. I replied in this case only GET request is possible.
Read the thread carefully before making conclusions.
--Wednesday, June 17, 2009, 2:58:15 AM, you wrote to
Jeremi.Gosney@xxxxxxxxxxxxx:
AP> you would be surprised how many people out there (mistakenly) still
AP> think that only GET requests are CSRFable!
AP> 2009/6/16 Jeremi Gosney <Jeremi.Gosney@xxxxxxxxxxxxx>:
>> Vladimir: "Where there is an open mind, there will always be a frontier." -
>> Charles Kettering
>>
>> <form method='post'
>> action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
>> <input type='hidden' value=''>
>> </form>
>> <a href='http://www.google.com'
>> onclick='document.DoS.submit();'>Google</a>
>>
>>
>>
>> -----Original Message-----
>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of
>> Vladimir Dubrovin
>> Sent: Tuesday, June 16, 2009 9:43 AM
>> To: sr.
>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>>
>> Dear sr.,
>>
>> clicking on the link can not produce POST request, only GET, unless
>> there are some special conditions, like crossite scripting
>> vulnerability in the router.
>>
>> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632
>> Router Remote DoS Vulnerability to full-disclosure@xxxxxxxxxxxxxxxxx;
>>
>> s> it could still be carried out remotely by obfuscating a link sent to the
>> s> "admin" of the device. this would obviously rely on the admin clicking on
>> s> the link, and is more of a phishing / social engineering style attack.
>> this
>> s> would also rely on the router being setup with all of the default internal
>> s> LAN ip's.
>>
>> s> sr.
>>
>>
>> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@xxxxxxxxxxxxxxxx>
>>
>>>> Dear Tom Neaves,
>>>>
>>>> It still can be exploited from Internet even if "remote management" is
>>>> only accessible from local network. If you can trick user to visit Web
>>>> page, you can place a form on this page which targets to router and
>>>> request to router is issued from victim's browser.
>>>>
>>>>
>>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@xxxxxxxxx:
>>>>
>>>> TN> Hi.
>>>>
>>>> TN> I see where you're going but I think you're missing the point a little.
>>>> By
>>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>>> anyone
>>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>>> TN> turned off. If the "remote management" interface was enabled, stopping
>>>> ICMP
>>>> TN> echo responses would not resolve this issue at all, turning the
>>>> interface
>>>> TN> off would do though (or restricting by IP, ...ack). The "remote
>>>> management"
>>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>>> amount of
>>>> TN> dropping ICMP goodness will help with this. Anyhow, I am happy to
>>>> discuss
>>>> TN> this off list with you if its still not clear to save spamming
>>>> everyone's
>>>> TN> inboxes. :o)
>>>>
>>>> TN> Tom
>>>>
>>>> TN> ----- Original Message -----
>>>> TN> From: Alaa El yazghi
>>>> TN> To: Tom Neaves
>>>> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ;
>>>> full-disclosure@xxxxxxxxxxxxxxxxx
>>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>
>>>>
>>>> TN> I know and I understand. What I wanted to mean is that we can not
>>>> eventually
>>>> TN> acces to the web interface of a netgear router remotely if we cannot
>>>> localy.
>>>> TN> As for the DoS, it is simple to solve such attack from outside. We
>>>> just
>>>> TN> disable receiving pings (There is actually an option in even the lowest
>>>> TN> series) and thus, we would be able to have a remote management without
>>>> ICMP
>>>> TN> requests.
>>>>
>>>>
>>>>
>>>> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>>>>
>>>> TN> Hi.
>>>>
>>>> TN> I'm not quite sure of your question...
>>>>
>>>> TN> The DoS can be carried out remotely, however one mitigating factor
>>>> (which
>>>> TN> makes it a low risk as opposed to sirens and alarms...) is that its
>>>> turned
>>>> TN> off by default - you have to explicitly enable it under "Remote
>>>> Management"
>>>> TN> on the device if you want to access it/carry out the DoS over the
>>>> Internet.
>>>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>>>> carry out
>>>> TN> this attack regardless of this management feature being on/off.
>>>>
>>>> TN> I hope this clarifies it for you.
>>>>
>>>> TN> Tom
>>>> TN> ----- Original Message -----
>>>> TN> From: Alaa El yazghi
>>>> TN> To: Tom Neaves
>>>> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ;
>>>> full-disclosure@xxxxxxxxxxxxxxxxx
>>>> TN> Sent: Monday, June 15, 2009 10:45 PM
>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>
>>>>
>>>> TN> How can it be carried out remotely if it bugs localy?
>>>>
>>>>
>>>> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>>>>
>>>> TN> Product Name: Netgear DG632 Router
>>>> TN> Vendor: http://www.netgear.com
>>>> TN> Date: 15 June, 2009
>>>> TN> Author: tom@xxxxxxxxxxxxxxx <tom@xxxxxxxxxxxxxxx>
>>>> TN> Original URL:
>>>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>>>> TN> Discovered: 18 November, 2006
>>>> TN> Disclosed: 15 June, 2009
>>>>
>>>> TN> I. DESCRIPTION
>>>>
>>>> TN> The Netgear DG632 router has a web interface which runs on port 80.
>>>> This
>>>> TN> allows an admin to login and administer the device's settings.
>>>> However,
>>>> TN> a Denial of Service (DoS) vulnerability exists that causes the web
>>>> interface
>>>> TN> to crash and stop responding to further requests.
>>>>
>>>> TN> II. DETAILS
>>>>
>>>> TN> Within the "/cgi-bin/" directory of the administrative web interface
>>>> exists
>>>> TN> a
>>>> TN> file called "firmwarecfg". This file is used for firmware upgrades. A
>>>> HTTP
>>>> TN> POST
>>>> TN> request for this file causes the web server to hang. The web server
>>>> will
>>>> TN> stop
>>>> TN> responding to requests and the administrative interface will become
>>>> TN> inaccessible
>>>> TN> until the router is physically restarted.
>>>>
>>>> TN> While the router will still continue to function at the network level,
>>>> i.e.
>>>> TN> it will
>>>> TN> still respond to ICMP echo requests and issue leases via DHCP, an
>>>> TN> administrator will
>>>> TN> no longer be able to interact with the administrative web interface.
>>>>
>>>> TN> This attack can be carried out internally within the network, or over
>>>> the
>>>> TN> Internet
>>>> TN> if the administrator has enabled the "Remote Management" feature on the
>>>> TN> router.
>>>>
>>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>>>
>>>> TN> III. VENDOR RESPONSE
>>>>
>>>> TN> 12 June, 2009 - Contacted vendor.
>>>> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life
>>>> TN> product and is no
>>>> TN> longer supported in a production and development sense, as such, there
>>>> will
>>>> TN> be no further
>>>> TN> firmware releases to resolve this issue.
>>>>
>>>> TN> IV. CREDIT
>>>>
>>>> TN> Discovered by Tom Neaves
>>>>
>>>> TN> _______________________________________________
>>>> TN> Full-Disclosure - We believe in it.
>>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>
>>>> --
>>>> Skype: Vladimir.Dubrovin
>>>> ~/ZARAZA http://securityvulns.com/
>>>> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
>>>> поверили. (Твен)
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>
>>
>>
>> --
>> Vladimir Dubrovin Systems Engineer
>> http://nnov.stream.ru Stream-TV
>> http://securityvulns.ru Nizhny Novgorod, Russia
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
AP> _______________________________________________
AP> Full-Disclosure - We believe in it.
AP> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
AP> Hosted and sponsored by Secunia - http://secunia.com/
--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/