lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 16 Apr 2003 15:13:11 +0100
From: "{ }" <elaborate_ruse@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Netgear Logging Vulnerability


  Netgear logging vulnerability



  Introduction
  Tested Vulnerable
  Vendor
  Discussion
  PoC
  Stuff


  Introduction

  		There is a problem in the way Netgear routers log outgoing
		HTTP connections which could lead to log corruption as well
		as dangerous character or script injection.

  Tested Vulnerable

  		Model: RP114	Firmware: V3.26

		Though this problem has only been confirmed for the above
		model it is believed other models with the same or similar
		web administration interface will also prove to be
		vulnerable.  This assumption is made due to the similar
		feature descriptions seen at the vendor's web site.

  Vendor

		We have been informed during previous communications with
		Netgear support staff that the RP114 is a "discontinued
		device" and there is no intention by Netgear to patch.
		However, due to the possible cross-model nature of this
		problem Netgear were informed.

		Website:		www.netgear.com
		Support contact:		support@...gear.com
		Date informed:		07.04.03
		First response:		09.04.03
		Action taken:		Referred to a HTML feedback form
		Release date:		16.04.03

		Official vendor response:
		 "Your request may be best addressed at Netgear's Engineer level at this 
link:
		  
http://www.expressresponse.com/cgi-bin/netgear2/displayfile.cgi?displayfile=feedback_form.html&level=main&prodfamily=&product= 
"

		Nothing futher was received from the vendor after the initial
		response (09.04.03).

  Discussion

  		The problem lies in the way the device logs hostnames.

		In the web administration interface the admin has access to
		content filter logs.  The device logs all unique outgoing TCP
		connections with a destination port of 80 by default.  The
		log records things like date and time, source IP address and
		destination host.  Unfortunately, instead of the device
		independently resolving the hostname, the log entry is taken
		from the client supplied HTTP request.

		The HTTP query does not have to be successful for the log to
		be written, meaning any data can be included.

		This problem allows for various types of attack against the
		logging mechanism.  We also believe attacks could be launched
		against the Admin account.

		It should also be mentioned that this problem can be
		exacerbated if the email log alert option is configured
		(non-default).  This could extend the scope of possible
		attacks to MUAs and other clients.

  PoC

		To test if your Netgear device is vulnerable try:

		echo GET / HTTP/1.1\r\nHost: vulnerable | nc www.netgear.com 80

		Then check the content filter logs in the advanced menu of
		your Netgear router.  You should see a connection to host
		vulnerable instead of www.netgear.com.

  Stuff

   		For a properly formatted version of this paper try:
		http://elaboration.8bit.co.uk/projects/texts/advisories/netgear.logging.vulnerability.140403.txt













_________________________________________________________________
On the move? Get Hotmail on your mobile phone http://www.msn.co.uk/mobile

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ