lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1702976036.20090617090742@SECURITY.NNOV.RU>
Date: Wed, 17 Jun 2009 09:07:42 +0400
From: Vladimir '3APA3A' Dubrovin <3APA3A@...URITY.NNOV.RU>
To: Adrian P <unknown.pentester@...il.com>
Cc: full-disclosure@...ts.grok.org.uk,
	Jeremi Gosney <Jeremi.Gosney@...ricity.com>,
	Vladimir Dubrovin <vlad@...dy.ru>
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability

Adrian,

  If  you  can execute javascript - what is a reason to wait for user to
  click  the  link? The message I reply stated there is no need to force
  user  to  visit  Web  page  and clicking the obfuscated link _sent_ to
  admin is enougth. I replied in this case only GET request is possible.
  Read the thread carefully before making conclusions.
  
  
--Wednesday, June 17, 2009, 2:58:15 AM, you wrote to Jeremi.Gosney@...ricity.com:

AP> you would be surprised how many people out there (mistakenly) still
AP> think that only GET requests are CSRFable!

AP> 2009/6/16 Jeremi Gosney <Jeremi.Gosney@...ricity.com>:
>> Vladimir: "Where there is an open mind, there will always be a frontier." - Charles Kettering
>>
>> <form method='post'
>> action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
>>   <input type='hidden' value=''>
>> </form>
>> <a href='http://www.google.com'
>> onclick='document.DoS.submit();'>Google</a>
>>
>>
>>
>> -----Original Message-----
>> From: full-disclosure-bounces@...ts.grok.org.uk
>> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
>> Vladimir Dubrovin
>> Sent: Tuesday, June 16, 2009 9:43 AM
>> To: sr.
>> Cc: full-disclosure@...ts.grok.org.uk
>> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>>
>> Dear sr.,
>>
>>  clicking  on  the  link can not produce POST request, only GET, unless
>>  there   are   some   special   conditions,   like  crossite  scripting
>>  vulnerability in the router.
>>
>> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632
>> Router Remote DoS Vulnerability to full-disclosure@...ts.grok.org.uk;
>>
>> s> it could still be carried out remotely by obfuscating a link sent to the
>> s> "admin" of the device. this would obviously rely on the admin clicking on
>> s> the link, and is more of a phishing / social engineering style attack. this
>> s> would also rely on the router being setup with all of the default internal
>> s> LAN ip's.
>>
>> s> sr.
>>
>>
>> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@...urity.nnov.ru>
>>
>>>> Dear Tom Neaves,
>>>>
>>>>  It  still can be exploited from Internet even if "remote management" is
>>>> only  accessible  from local network. If you can trick user to visit Web
>>>> page,  you  can  place  a  form on this page which targets to router and
>>>> request to router is issued from victim's browser.
>>>>
>>>>
>>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@...il.com:
>>>>
>>>> TN> Hi.
>>>>
>>>> TN> I see where you're going but I think you're missing the point a little.
>>>>  By
>>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>>> anyone
>>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>>> TN> turned off.  If the "remote management" interface was enabled, stopping
>>>> ICMP
>>>> TN> echo responses would not resolve this issue at all, turning the
>>>> interface
>>>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>>>> management"
>>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>>> amount of
>>>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>>>> discuss
>>>> TN> this off list with you if its still not clear to save spamming
>>>> everyone's
>>>> TN> inboxes. :o)
>>>>
>>>> TN> Tom
>>>>
>>>> TN> ----- Original Message -----
>>>> TN> From: Alaa El yazghi
>>>> TN> To: Tom Neaves
>>>> TN> Cc: bugtraq@...urityfocus.com ;
>>>> full-disclosure@...ts.grok.org.uk
>>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>
>>>>
>>>> TN> I know and I understand. What I wanted to mean is that we can not
>>>> eventually
>>>> TN> acces to the web interface of a netgear router remotely if we cannot
>>>> localy.
>>>> TN> As for the DoS, it is simple to solve  such attack from outside. We
>>>> just
>>>> TN> disable receiving pings (There is actually an option in even the lowest
>>>> TN> series) and thus, we would be able to have a remote management without
>>>> ICMP
>>>> TN> requests.
>>>>
>>>>
>>>>
>>>> TN> 2009/6/15 Tom Neaves <tom@...neaves.co.uk>
>>>>
>>>> TN> Hi.
>>>>
>>>> TN> I'm not quite sure of your question...
>>>>
>>>> TN> The DoS can be carried out remotely, however one mitigating factor
>>>> (which
>>>> TN> makes it a low risk as opposed to sirens and alarms...) is that its
>>>> turned
>>>> TN> off by default - you have to explicitly enable it under "Remote
>>>> Management"
>>>> TN> on the device if you want to access it/carry out the DoS over the
>>>> Internet.
>>>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>>>> carry out
>>>> TN> this attack regardless of this management feature being on/off.
>>>>
>>>> TN> I hope this clarifies it for you.
>>>>
>>>> TN> Tom
>>>> TN> ----- Original Message -----
>>>> TN> From: Alaa El yazghi
>>>> TN> To: Tom Neaves
>>>> TN> Cc: bugtraq@...urityfocus.com ;
>>>> full-disclosure@...ts.grok.org.uk
>>>> TN> Sent: Monday, June 15, 2009 10:45 PM
>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>
>>>>
>>>> TN> How can it be carried out remotely if it bugs localy?
>>>>
>>>>
>>>> TN> 2009/6/15 Tom Neaves <tom@...neaves.co.uk>
>>>>
>>>> TN> Product Name: Netgear DG632 Router
>>>> TN> Vendor: http://www.netgear.com
>>>> TN> Date: 15 June, 2009
>>>> TN> Author: tom@...neaves.co.uk <tom@...neaves.co.uk>
>>>> TN> Original URL:
>>>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>>>> TN> Discovered: 18 November, 2006
>>>> TN> Disclosed: 15 June, 2009
>>>>
>>>> TN> I. DESCRIPTION
>>>>
>>>> TN> The Netgear DG632 router has a web interface which runs on port 80.
>>>>  This
>>>> TN> allows an admin to login and administer the device's settings.
>>>>  However,
>>>> TN> a Denial of Service (DoS) vulnerability exists that causes the web
>>>> interface
>>>> TN> to crash and stop responding to further requests.
>>>>
>>>> TN> II. DETAILS
>>>>
>>>> TN> Within the "/cgi-bin/" directory of the administrative web interface
>>>> exists
>>>> TN> a
>>>> TN> file called "firmwarecfg".  This file is used for firmware upgrades.  A
>>>> HTTP
>>>> TN> POST
>>>> TN> request for this file causes the web server to hang.  The web server
>>>> will
>>>> TN> stop
>>>> TN> responding to requests and the administrative interface will become
>>>> TN> inaccessible
>>>> TN> until the router is physically restarted.
>>>>
>>>> TN> While the router will still continue to function at the network level,
>>>> i.e.
>>>> TN> it will
>>>> TN> still respond to ICMP echo requests and issue leases via DHCP, an
>>>> TN> administrator will
>>>> TN> no longer be able to interact with the administrative web interface.
>>>>
>>>> TN> This attack can be carried out internally within the network, or over
>>>> the
>>>> TN> Internet
>>>> TN> if the administrator has enabled the "Remote Management" feature on the
>>>> TN> router.
>>>>
>>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>>>
>>>> TN> III. VENDOR RESPONSE
>>>>
>>>> TN> 12 June, 2009 - Contacted vendor.
>>>> TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
>>>> TN> product and is no
>>>> TN> longer supported in a production and development sense, as such, there
>>>> will
>>>> TN> be no further
>>>> TN> firmware releases to resolve this issue.
>>>>
>>>> TN> IV. CREDIT
>>>>
>>>> TN> Discovered by Tom Neaves
>>>>
>>>> TN> _______________________________________________
>>>> TN> Full-Disclosure - We believe in it.
>>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>>
>>>> --
>>>> Skype: Vladimir.Dubrovin
>>>> ~/ZARAZA http://securityvulns.com/
>>>> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
>>>> поверили. (Твен)
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>
>>
>>
>> --
>>   Vladimir Dubrovin           Systems Engineer
>>  http://nnov.stream.ru             Stream-TV
>> http://securityvulns.ru     Nizhny Novgorod, Russia
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/

AP> _______________________________________________
AP> Full-Disclosure - We believe in it.
AP> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
AP> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ