Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability



Vladimir: "Where there is an open mind, there will always be a frontier." - Charles Kettering

<form method='post' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
<input type='hidden' value=''>
</form>
<a href='http://www.google.com' onclick='document.DoS.submit();'>Google</a>



-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Vladimir Dubrovin
Sent: Tuesday, June 16, 2009 9:43 AM
To: sr.
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

Dear sr.,

clicking on the link can not produce POST request, only GET, unless
there are some special conditions, like crossite scripting
vulnerability in the router.

--16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability to full-disclosure@xxxxxxxxxxxxxxxxx;

s> it could still be carried out remotely by obfuscating a link sent to the
s> "admin" of the device. this would obviously rely on the admin clicking on
s> the link, and is more of a phishing / social engineering style attack. this
s> would also rely on the router being setup with all of the default internal
s> LAN ip's.

s> sr.


s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3APA3A@xxxxxxxxxxxxxxxx>

Dear Tom Neaves,

It still can be exploited from Internet even if "remote management" is
only accessible from local network. If you can trick user to visit Web
page, you can place a form on this page which targets to router and
request to router is issued from victim's browser.


--Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@xxxxxxxxx:

TN> Hi.

TN> I see where you're going but I think you're missing the point a little.
By
TN> *default* the web interface is enabled on the LAN and accessible by
anyone
TN> on that LAN and the "remote management" interface (for the Internet) is
TN> turned off. If the "remote management" interface was enabled, stopping
ICMP
TN> echo responses would not resolve this issue at all, turning the
interface
TN> off would do though (or restricting by IP, ...ack). The "remote
management"
TN> (love those quotes...) interface speaks over HTTP hence TCP so no
amount of
TN> dropping ICMP goodness will help with this. Anyhow, I am happy to
discuss
TN> this off list with you if its still not clear to save spamming
everyone's
TN> inboxes. :o)

TN> Tom

TN> ----- Original Message -----
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
TN> Sent: Monday, June 15, 2009 11:03 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> I know and I understand. What I wanted to mean is that we can not
eventually
TN> acces to the web interface of a netgear router remotely if we cannot
localy.
TN> As for the DoS, it is simple to solve such attack from outside. We
just
TN> disable receiving pings (There is actually an option in even the lowest
TN> series) and thus, we would be able to have a remote management without
ICMP
TN> requests.



TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>

TN> Hi.

TN> I'm not quite sure of your question...

TN> The DoS can be carried out remotely, however one mitigating factor
(which
TN> makes it a low risk as opposed to sirens and alarms...) is that its
turned
TN> off by default - you have to explicitly enable it under "Remote
Management"
TN> on the device if you want to access it/carry out the DoS over the
Internet.
TN> However, it is worth noting that anyone on your LAN can *remotely*
carry out
TN> this attack regardless of this management feature being on/off.

TN> I hope this clarifies it for you.

TN> Tom
TN> ----- Original Message -----
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
TN> Sent: Monday, June 15, 2009 10:45 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> How can it be carried out remotely if it bugs localy?


TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>

TN> Product Name: Netgear DG632 Router
TN> Vendor: http://www.netgear.com
TN> Date: 15 June, 2009
TN> Author: tom@xxxxxxxxxxxxxxx <tom@xxxxxxxxxxxxxxx>
TN> Original URL:
TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
TN> Discovered: 18 November, 2006
TN> Disclosed: 15 June, 2009

TN> I. DESCRIPTION

TN> The Netgear DG632 router has a web interface which runs on port 80.
This
TN> allows an admin to login and administer the device's settings.
However,
TN> a Denial of Service (DoS) vulnerability exists that causes the web
interface
TN> to crash and stop responding to further requests.

TN> II. DETAILS

TN> Within the "/cgi-bin/" directory of the administrative web interface
exists
TN> a
TN> file called "firmwarecfg". This file is used for firmware upgrades. A
HTTP
TN> POST
TN> request for this file causes the web server to hang. The web server
will
TN> stop
TN> responding to requests and the administrative interface will become
TN> inaccessible
TN> until the router is physically restarted.

TN> While the router will still continue to function at the network level,
i.e.
TN> it will
TN> still respond to ICMP echo requests and issue leases via DHCP, an
TN> administrator will
TN> no longer be able to interact with the administrative web interface.

TN> This attack can be carried out internally within the network, or over
the
TN> Internet
TN> if the administrator has enabled the "Remote Management" feature on the
TN> router.

TN> Affected Versions: Firmware V3.4.0_ap (others unknown)

TN> III. VENDOR RESPONSE

TN> 12 June, 2009 - Contacted vendor.
TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life
TN> product and is no
TN> longer supported in a production and development sense, as such, there
will
TN> be no further
TN> firmware releases to resolve this issue.

TN> IV. CREDIT

TN> Discovered by Tom Neaves

TN> _______________________________________________
TN> Full-Disclosure - We believe in it.
TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
TN> Hosted and sponsored by Secunia - http://secunia.com/


--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
поверили. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
Vladimir Dubrovin Systems Engineer
http://nnov.stream.ru Stream-TV
http://securityvulns.ru Nizhny Novgorod, Russia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages