lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 30 May 2010 21:25:44 +0200
From: Cristofaro Mune <pulsoid@...silence.org>
To: full-disclosure@...ts.grok.org.uk
Subject: IS-2010-001 - Netgear WG602v4 Saved Pass Stack
	Overflow

Security Advisory

IS-2010-001 - Netgear WG602v4 Saved Pass Stack Overflow



Advisory Information
--------------------
Published:
2010-05-30

Updated:
2009-05-30

Manufacturer: Netgear
Model: WG602v4
Firmware version: V1.1.0 (Europe)



Vulnerability Details
---------------------
Class:
Buffer Overflow

Code Execution:
Yes

Public References:
Not Assigned

Successfully tested on:
Netgear WG602v4 loaded with firmware version 1.1.0 (Europe)
Other models and/or firmware versions may be also affected.

Summary:
A stack based buffer overflow can be triggered by choosing an overly
long admin password.

Details:
A buffer overflow condition can be triggered during the authentication
process to the device web interface.
Such process is handled by function auth_authorize(), where password
saved in flash memory is used for validating submitted credentials, and
is copied into a fixed size buffer on the stack, without performing any
length check.
Buffer overflow can be triggered by saving an admin password longer than
128 characters and occurs at each authentication attempt before the
submitted credentials are validated, potentially allowing for
unauthenticated remote exploitation.
But, valid credentials are required in order to change administrator
password and save it in flash memory, hence, for vulnerability exploitation.
Password can be changed via a dedicated web page on the management
interface: client side restrictions present on on the password lenght
can be easily bypassed by an attacker.

Impact:
Remote code execution with root level privileges.

Solutions & Workaround:
Not available


Additional Information
---------------------
Available at http://www.icysilence.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists