lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2A32C3ED0F157C4FA1BB927413F2F6B805174D1C@SYSWPREXCH1BV.corp.local>
Date: Tue, 16 Jun 2009 13:00:18 -0700
From: "Jeremi Gosney" <Jeremi.Gosney@...ricity.com>
To: "Vladimir Dubrovin" <vlad@...dy.ru>,
	"sr." <staticrez@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability

Vladimir: "Where there is an open mind, there will always be a frontier." - Charles Kettering
 
<form method='post' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
   <input type='hidden' value=''>
</form>
<a href='http://www.google.com' onclick='document.DoS.submit();'>Google</a>



-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Vladimir Dubrovin
Sent: Tuesday, June 16, 2009 9:43 AM
To: sr.
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

Dear sr.,

  clicking  on  the  link can not produce POST request, only GET, unless
  there   are   some   special   conditions,   like  crossite  scripting
  vulnerability in the router.

--16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability to full-disclosure@...ts.grok.org.uk;

s> it could still be carried out remotely by obfuscating a link sent to the
s> "admin" of the device. this would obviously rely on the admin clicking on
s> the link, and is more of a phishing / social engineering style attack. this
s> would also rely on the router being setup with all of the default internal
s> LAN ip's.

s> sr.


s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@...urity.nnov.ru>

>> Dear Tom Neaves,
>>
>>  It  still can be exploited from Internet even if "remote management" is
>> only  accessible  from local network. If you can trick user to visit Web
>> page,  you  can  place  a  form on this page which targets to router and
>> request to router is issued from victim's browser.
>>
>>
>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@...il.com:
>>
>> TN> Hi.
>>
>> TN> I see where you're going but I think you're missing the point a little.
>>  By
>> TN> *default* the web interface is enabled on the LAN and accessible by
>> anyone
>> TN> on that LAN and the "remote management" interface (for the Internet) is
>> TN> turned off.  If the "remote management" interface was enabled, stopping
>> ICMP
>> TN> echo responses would not resolve this issue at all, turning the
>> interface
>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>> management"
>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>> amount of
>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>> discuss
>> TN> this off list with you if its still not clear to save spamming
>> everyone's
>> TN> inboxes. :o)
>>
>> TN> Tom
>>
>> TN> ----- Original Message -----
>> TN> From: Alaa El yazghi
>> TN> To: Tom Neaves
>> TN> Cc: bugtraq@...urityfocus.com ; full-disclosure@...ts.grok.org.uk
>> TN> Sent: Monday, June 15, 2009 11:03 PM
>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>
>>
>> TN> I know and I understand. What I wanted to mean is that we can not
>> eventually
>> TN> acces to the web interface of a netgear router remotely if we cannot
>> localy.
>> TN> As for the DoS, it is simple to solve  such attack from outside. We
>> just
>> TN> disable receiving pings (There is actually an option in even the lowest
>> TN> series) and thus, we would be able to have a remote management without
>> ICMP
>> TN> requests.
>>
>>
>>
>> TN> 2009/6/15 Tom Neaves <tom@...neaves.co.uk>
>>
>> TN> Hi.
>>
>> TN> I'm not quite sure of your question...
>>
>> TN> The DoS can be carried out remotely, however one mitigating factor
>> (which
>> TN> makes it a low risk as opposed to sirens and alarms...) is that its
>> turned
>> TN> off by default - you have to explicitly enable it under "Remote
>> Management"
>> TN> on the device if you want to access it/carry out the DoS over the
>> Internet.
>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>> carry out
>> TN> this attack regardless of this management feature being on/off.
>>
>> TN> I hope this clarifies it for you.
>>
>> TN> Tom
>> TN> ----- Original Message -----
>> TN> From: Alaa El yazghi
>> TN> To: Tom Neaves
>> TN> Cc: bugtraq@...urityfocus.com ; full-disclosure@...ts.grok.org.uk
>> TN> Sent: Monday, June 15, 2009 10:45 PM
>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>
>>
>> TN> How can it be carried out remotely if it bugs localy?
>>
>>
>> TN> 2009/6/15 Tom Neaves <tom@...neaves.co.uk>
>>
>> TN> Product Name: Netgear DG632 Router
>> TN> Vendor: http://www.netgear.com
>> TN> Date: 15 June, 2009
>> TN> Author: tom@...neaves.co.uk <tom@...neaves.co.uk>
>> TN> Original URL:
>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>> TN> Discovered: 18 November, 2006
>> TN> Disclosed: 15 June, 2009
>>
>> TN> I. DESCRIPTION
>>
>> TN> The Netgear DG632 router has a web interface which runs on port 80.
>>  This
>> TN> allows an admin to login and administer the device's settings.
>>  However,
>> TN> a Denial of Service (DoS) vulnerability exists that causes the web
>> interface
>> TN> to crash and stop responding to further requests.
>>
>> TN> II. DETAILS
>>
>> TN> Within the "/cgi-bin/" directory of the administrative web interface
>> exists
>> TN> a
>> TN> file called "firmwarecfg".  This file is used for firmware upgrades.  A
>> HTTP
>> TN> POST
>> TN> request for this file causes the web server to hang.  The web server
>> will
>> TN> stop
>> TN> responding to requests and the administrative interface will become
>> TN> inaccessible
>> TN> until the router is physically restarted.
>>
>> TN> While the router will still continue to function at the network level,
>> i.e.
>> TN> it will
>> TN> still respond to ICMP echo requests and issue leases via DHCP, an
>> TN> administrator will
>> TN> no longer be able to interact with the administrative web interface.
>>
>> TN> This attack can be carried out internally within the network, or over
>> the
>> TN> Internet
>> TN> if the administrator has enabled the "Remote Management" feature on the
>> TN> router.
>>
>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>
>> TN> III. VENDOR RESPONSE
>>
>> TN> 12 June, 2009 - Contacted vendor.
>> TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
>> TN> product and is no
>> TN> longer supported in a production and development sense, as such, there
>> will
>> TN> be no further
>> TN> firmware releases to resolve this issue.
>>
>> TN> IV. CREDIT
>>
>> TN> Discovered by Tom Neaves
>>
>> TN> _______________________________________________
>> TN> Full-Disclosure - We believe in it.
>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>> --
>> Skype: Vladimir.Dubrovin
>> ~/ZARAZA http://securityvulns.com/
>> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
>> поверили. (Твен)
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
 


-- 
   Vladimir Dubrovin           Systems Engineer
 http://nnov.stream.ru             Stream-TV
http://securityvulns.ru     Nizhny Novgorod, Russia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ