[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b7a807650906161558td41f8b5idb7d9323e87e8478@mail.gmail.com>
Date: Tue, 16 Jun 2009 23:58:15 +0100
From: Adrian P <unknown.pentester@...il.com>
To: Jeremi Gosney <Jeremi.Gosney@...ricity.com>
Cc: full-disclosure@...ts.grok.org.uk, Vladimir Dubrovin <vlad@...dy.ru>
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
you would be surprised how many people out there (mistakenly) still
think that only GET requests are CSRFable!
2009/6/16 Jeremi Gosney <Jeremi.Gosney@...ricity.com>:
> Vladimir: "Where there is an open mind, there will always be a frontier." - Charles Kettering
>
> <form method='post' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
> <input type='hidden' value=''>
> </form>
> <a href='http://www.google.com' onclick='document.DoS.submit();'>Google</a>
>
>
>
> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Vladimir Dubrovin
> Sent: Tuesday, June 16, 2009 9:43 AM
> To: sr.
> Cc: full-disclosure@...ts.grok.org.uk
> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>
> Dear sr.,
>
> clicking on the link can not produce POST request, only GET, unless
> there are some special conditions, like crossite scripting
> vulnerability in the router.
>
> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability to full-disclosure@...ts.grok.org.uk;
>
> s> it could still be carried out remotely by obfuscating a link sent to the
> s> "admin" of the device. this would obviously rely on the admin clicking on
> s> the link, and is more of a phishing / social engineering style attack. this
> s> would also rely on the router being setup with all of the default internal
> s> LAN ip's.
>
> s> sr.
>
>
> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@...urity.nnov.ru>
>
>>> Dear Tom Neaves,
>>>
>>> It still can be exploited from Internet even if "remote management" is
>>> only accessible from local network. If you can trick user to visit Web
>>> page, you can place a form on this page which targets to router and
>>> request to router is issued from victim's browser.
>>>
>>>
>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@...il.com:
>>>
>>> TN> Hi.
>>>
>>> TN> I see where you're going but I think you're missing the point a little.
>>> By
>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>> anyone
>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>> TN> turned off. If the "remote management" interface was enabled, stopping
>>> ICMP
>>> TN> echo responses would not resolve this issue at all, turning the
>>> interface
>>> TN> off would do though (or restricting by IP, ...ack). The "remote
>>> management"
>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>> amount of
>>> TN> dropping ICMP goodness will help with this. Anyhow, I am happy to
>>> discuss
>>> TN> this off list with you if its still not clear to save spamming
>>> everyone's
>>> TN> inboxes. :o)
>>>
>>> TN> Tom
>>>
>>> TN> ----- Original Message -----
>>> TN> From: Alaa El yazghi
>>> TN> To: Tom Neaves
>>> TN> Cc: bugtraq@...urityfocus.com ; full-disclosure@...ts.grok.org.uk
>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>
>>>
>>> TN> I know and I understand. What I wanted to mean is that we can not
>>> eventually
>>> TN> acces to the web interface of a netgear router remotely if we cannot
>>> localy.
>>> TN> As for the DoS, it is simple to solve such attack from outside. We
>>> just
>>> TN> disable receiving pings (There is actually an option in even the lowest
>>> TN> series) and thus, we would be able to have a remote management without
>>> ICMP
>>> TN> requests.
>>>
>>>
>>>
>>> TN> 2009/6/15 Tom Neaves <tom@...neaves.co.uk>
>>>
>>> TN> Hi.
>>>
>>> TN> I'm not quite sure of your question...
>>>
>>> TN> The DoS can be carried out remotely, however one mitigating factor
>>> (which
>>> TN> makes it a low risk as opposed to sirens and alarms...) is that its
>>> turned
>>> TN> off by default - you have to explicitly enable it under "Remote
>>> Management"
>>> TN> on the device if you want to access it/carry out the DoS over the
>>> Internet.
>>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>>> carry out
>>> TN> this attack regardless of this management feature being on/off.
>>>
>>> TN> I hope this clarifies it for you.
>>>
>>> TN> Tom
>>> TN> ----- Original Message -----
>>> TN> From: Alaa El yazghi
>>> TN> To: Tom Neaves
>>> TN> Cc: bugtraq@...urityfocus.com ; full-disclosure@...ts.grok.org.uk
>>> TN> Sent: Monday, June 15, 2009 10:45 PM
>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>
>>>
>>> TN> How can it be carried out remotely if it bugs localy?
>>>
>>>
>>> TN> 2009/6/15 Tom Neaves <tom@...neaves.co.uk>
>>>
>>> TN> Product Name: Netgear DG632 Router
>>> TN> Vendor: http://www.netgear.com
>>> TN> Date: 15 June, 2009
>>> TN> Author: tom@...neaves.co.uk <tom@...neaves.co.uk>
>>> TN> Original URL:
>>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>>> TN> Discovered: 18 November, 2006
>>> TN> Disclosed: 15 June, 2009
>>>
>>> TN> I. DESCRIPTION
>>>
>>> TN> The Netgear DG632 router has a web interface which runs on port 80.
>>> This
>>> TN> allows an admin to login and administer the device's settings.
>>> However,
>>> TN> a Denial of Service (DoS) vulnerability exists that causes the web
>>> interface
>>> TN> to crash and stop responding to further requests.
>>>
>>> TN> II. DETAILS
>>>
>>> TN> Within the "/cgi-bin/" directory of the administrative web interface
>>> exists
>>> TN> a
>>> TN> file called "firmwarecfg". This file is used for firmware upgrades. A
>>> HTTP
>>> TN> POST
>>> TN> request for this file causes the web server to hang. The web server
>>> will
>>> TN> stop
>>> TN> responding to requests and the administrative interface will become
>>> TN> inaccessible
>>> TN> until the router is physically restarted.
>>>
>>> TN> While the router will still continue to function at the network level,
>>> i.e.
>>> TN> it will
>>> TN> still respond to ICMP echo requests and issue leases via DHCP, an
>>> TN> administrator will
>>> TN> no longer be able to interact with the administrative web interface.
>>>
>>> TN> This attack can be carried out internally within the network, or over
>>> the
>>> TN> Internet
>>> TN> if the administrator has enabled the "Remote Management" feature on the
>>> TN> router.
>>>
>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>>
>>> TN> III. VENDOR RESPONSE
>>>
>>> TN> 12 June, 2009 - Contacted vendor.
>>> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life
>>> TN> product and is no
>>> TN> longer supported in a production and development sense, as such, there
>>> will
>>> TN> be no further
>>> TN> firmware releases to resolve this issue.
>>>
>>> TN> IV. CREDIT
>>>
>>> TN> Discovered by Tom Neaves
>>>
>>> TN> _______________________________________________
>>> TN> Full-Disclosure - We believe in it.
>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>> --
>>> Skype: Vladimir.Dubrovin
>>> ~/ZARAZA http://securityvulns.com/
>>> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
>>> поверили. (Твен)
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>
>
>
> --
> Vladimir Dubrovin Systems Engineer
> http://nnov.stream.ru Stream-TV
> http://securityvulns.ru Nizhny Novgorod, Russia
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists