[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
- To: "Vladimir '3APA3A' Dubrovin" <3APA3A@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
- From: Adrian P <unknown.pentester@xxxxxxxxx>
- Date: Wed, 17 Jun 2009 09:08:02 +0100
3APA3A,
I was actually *agreeing* with you! lols. I think something got lost
in translation! Sorry if I confused anyone really.
Good luck.
2009/6/17 Vladimir '3APA3A' Dubrovin <3APA3A@xxxxxxxxxxxxxxxx>:
> Adrian,
>
> If you can execute javascript - what is a reason to wait for user to
> click the link? The message I reply stated there is no need to force
> user to visit Web page and clicking the obfuscated link _sent_ to
> admin is enougth. I replied in this case only GET request is possible.
> Read the thread carefully before making conclusions.
>
>
> --Wednesday, June 17, 2009, 2:58:15 AM, you wrote to
> Jeremi.Gosney@xxxxxxxxxxxxx:
>
> AP> you would be surprised how many people out there (mistakenly) still
> AP> think that only GET requests are CSRFable!
>
> AP> 2009/6/16 Jeremi Gosney <Jeremi.Gosney@xxxxxxxxxxxxx>:
>>> Vladimir: "Where there is an open mind, there will always be a frontier." -
>>> Charles Kettering
>>>
>>> <form method='post'
>>> action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
>>> <input type='hidden' value=''>
>>> </form>
>>> <a href='http://www.google.com'
>>> onclick='document.DoS.submit();'>Google</a>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>>> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of
>>> Vladimir Dubrovin
>>> Sent: Tuesday, June 16, 2009 9:43 AM
>>> To: sr.
>>> Cc: full-disclosure@xxxxxxxxxxxxxxxxx
>>> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>>>
>>> Dear sr.,
>>>
>>> clicking on the link can not produce POST request, only GET, unless
>>> there are some special conditions, like crossite scripting
>>> vulnerability in the router.
>>>
>>> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632
>>> Router Remote DoS Vulnerability to full-disclosure@xxxxxxxxxxxxxxxxx;
>>>
>>> s> it could still be carried out remotely by obfuscating a link sent to the
>>> s> "admin" of the device. this would obviously rely on the admin clicking on
>>> s> the link, and is more of a phishing / social engineering style attack.
>>> this
>>> s> would also rely on the router being setup with all of the default
>>> internal
>>> s> LAN ip's.
>>>
>>> s> sr.
>>>
>>>
>>> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@xxxxxxxxxxxxxxxx>
>>>
>>>>> Dear Tom Neaves,
>>>>>
>>>>> It still can be exploited from Internet even if "remote management" is
>>>>> only accessible from local network. If you can trick user to visit Web
>>>>> page, you can place a form on this page which targets to router and
>>>>> request to router is issued from victim's browser.
>>>>>
>>>>>
>>>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@xxxxxxxxx:
>>>>>
>>>>> TN> Hi.
>>>>>
>>>>> TN> I see where you're going but I think you're missing the point a
>>>>> little.
>>>>> By
>>>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>>>> anyone
>>>>> TN> on that LAN and the "remote management" interface (for the Internet)
>>>>> is
>>>>> TN> turned off. If the "remote management" interface was enabled,
>>>>> stopping
>>>>> ICMP
>>>>> TN> echo responses would not resolve this issue at all, turning the
>>>>> interface
>>>>> TN> off would do though (or restricting by IP, ...ack). The "remote
>>>>> management"
>>>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>>>> amount of
>>>>> TN> dropping ICMP goodness will help with this. Anyhow, I am happy to
>>>>> discuss
>>>>> TN> this off list with you if its still not clear to save spamming
>>>>> everyone's
>>>>> TN> inboxes. :o)
>>>>>
>>>>> TN> Tom
>>>>>
>>>>> TN> ----- Original Message -----
>>>>> TN> From: Alaa El yazghi
>>>>> TN> To: Tom Neaves
>>>>> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ;
>>>>> full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>>
>>>>>
>>>>> TN> I know and I understand. What I wanted to mean is that we can not
>>>>> eventually
>>>>> TN> acces to the web interface of a netgear router remotely if we cannot
>>>>> localy.
>>>>> TN> As for the DoS, it is simple to solve such attack from outside. We
>>>>> just
>>>>> TN> disable receiving pings (There is actually an option in even the
>>>>> lowest
>>>>> TN> series) and thus, we would be able to have a remote management without
>>>>> ICMP
>>>>> TN> requests.
>>>>>
>>>>>
>>>>>
>>>>> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>>>>>
>>>>> TN> Hi.
>>>>>
>>>>> TN> I'm not quite sure of your question...
>>>>>
>>>>> TN> The DoS can be carried out remotely, however one mitigating factor
>>>>> (which
>>>>> TN> makes it a low risk as opposed to sirens and alarms...) is that its
>>>>> turned
>>>>> TN> off by default - you have to explicitly enable it under "Remote
>>>>> Management"
>>>>> TN> on the device if you want to access it/carry out the DoS over the
>>>>> Internet.
>>>>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>>>>> carry out
>>>>> TN> this attack regardless of this management feature being on/off.
>>>>>
>>>>> TN> I hope this clarifies it for you.
>>>>>
>>>>> TN> Tom
>>>>> TN> ----- Original Message -----
>>>>> TN> From: Alaa El yazghi
>>>>> TN> To: Tom Neaves
>>>>> TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ;
>>>>> full-disclosure@xxxxxxxxxxxxxxxxx
>>>>> TN> Sent: Monday, June 15, 2009 10:45 PM
>>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>>
>>>>>
>>>>> TN> How can it be carried out remotely if it bugs localy?
>>>>>
>>>>>
>>>>> TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>
>>>>>
>>>>> TN> Product Name: Netgear DG632 Router
>>>>> TN> Vendor: http://www.netgear.com
>>>>> TN> Date: 15 June, 2009
>>>>> TN> Author: tom@xxxxxxxxxxxxxxx <tom@xxxxxxxxxxxxxxx>
>>>>> TN> Original URL:
>>>>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>>>>> TN> Discovered: 18 November, 2006
>>>>> TN> Disclosed: 15 June, 2009
>>>>>
>>>>> TN> I. DESCRIPTION
>>>>>
>>>>> TN> The Netgear DG632 router has a web interface which runs on port 80.
>>>>> This
>>>>> TN> allows an admin to login and administer the device's settings.
>>>>> However,
>>>>> TN> a Denial of Service (DoS) vulnerability exists that causes the web
>>>>> interface
>>>>> TN> to crash and stop responding to further requests.
>>>>>
>>>>> TN> II. DETAILS
>>>>>
>>>>> TN> Within the "/cgi-bin/" directory of the administrative web interface
>>>>> exists
>>>>> TN> a
>>>>> TN> file called "firmwarecfg". This file is used for firmware upgrades.
>>>>> A
>>>>> HTTP
>>>>> TN> POST
>>>>> TN> request for this file causes the web server to hang. The web server
>>>>> will
>>>>> TN> stop
>>>>> TN> responding to requests and the administrative interface will become
>>>>> TN> inaccessible
>>>>> TN> until the router is physically restarted.
>>>>>
>>>>> TN> While the router will still continue to function at the network level,
>>>>> i.e.
>>>>> TN> it will
>>>>> TN> still respond to ICMP echo requests and issue leases via DHCP, an
>>>>> TN> administrator will
>>>>> TN> no longer be able to interact with the administrative web interface.
>>>>>
>>>>> TN> This attack can be carried out internally within the network, or over
>>>>> the
>>>>> TN> Internet
>>>>> TN> if the administrator has enabled the "Remote Management" feature on
>>>>> the
>>>>> TN> router.
>>>>>
>>>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>>>>
>>>>> TN> III. VENDOR RESPONSE
>>>>>
>>>>> TN> 12 June, 2009 - Contacted vendor.
>>>>> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life
>>>>> TN> product and is no
>>>>> TN> longer supported in a production and development sense, as such, there
>>>>> will
>>>>> TN> be no further
>>>>> TN> firmware releases to resolve this issue.
>>>>>
>>>>> TN> IV. CREDIT
>>>>>
>>>>> TN> Discovered by Tom Neaves
>>>>>
>>>>> TN> _______________________________________________
>>>>> TN> Full-Disclosure - We believe in it.
>>>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>>> --
>>>>> Skype: Vladimir.Dubrovin
>>>>> ~/ZARAZA http://securityvulns.com/
>>>>> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в
>>>>> них
>>>>> поверили. (Твен)
>>>>>
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>
>>>
>>>
>>> --
>>> Vladimir Dubrovin Systems Engineer
>>> http://nnov.stream.ru Stream-TV
>>> http://securityvulns.ru Nizhny Novgorod, Russia
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>
> AP> _______________________________________________
> AP> Full-Disclosure - We believe in it.
> AP> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> AP> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> Skype: Vladimir.Dubrovin
> ~/ZARAZA http://securityvulns.com/
> Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен)
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/