[NEWS] NETGEAR RT311/RT314 Cross-Site Issue

From: support@securiteam.com
Date: 02/06/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  6 Feb 2002 18:31:18 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  NETGEAR RT311/RT314 Cross-Site Issue
------------------------------------------------------------------------

SUMMARY

NETGEAR's <http://www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=54>
RT311 Gateway Router provides the dynamic Internet connection.
NETGEAR's <http://www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=55>
RT314 combination switch and router creates the potent full-duplex
backbone.

Both products have been found to be vulnerable to a Cross Site Scripting
vulnerability.

DETAILS

Vulnerable systems:
Tested on a NETGEAR RT314 running firmware versions 3.24 and 3.25. Any
hardware running this firmware is affected (the RT311 runs the same
firmware). Any product running the ZyXEL-RomPager web server 3.02 or
earlier is probably also vulnerable.

The NETGEAR router (firmware version 3.25) runs a web server
(ZyXEL-RomPager/3.02) for easy user configuration. This web server is
vulnerable to the standard Cross Site Scripting problems seen in multiple
web servers. Though it may be difficult to exploit (the attacker would
need to know the internal address of the victim's router), it still opens
the possibility that an attacker runs a 'social engineering' attack and
gains unauthorized access to the router, possibly reconfiguring it to
allow remote access.

Example:
To check NETGEAR devices for CSS (Cross Site Scripting), simply access the
following URL in a browser, substituting the router's LAN address:
 http://<router address>/<script>alert('Vulnerable')</script>
If you receive a JavaScript pop-up alert, the system is vulnerable to
Cross Site Scripting.
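The check above succeeds because the web server echoes the requested path back into its HTML response without escaping it. The following is an added example (not code from the advisory, NETGEAR or ZyXEL) that models such a "not found" page in its reflecting form beside an HTML-escaped form; the handler names and markup are assumptions.

```python
# Added example: a minimal model of a "page not found" handler that echoes the
# requested path into its body, as the advisory describes, beside a hardened
# version. Handler names and the page markup are assumptions, not RomPager's.
import html
from urllib.parse import unquote

# The advisory's probe path as a browser would send it (percent-encoded),
# and the raw tag the browser would execute if it is reflected verbatim.
PROBE_PATH = "/%3Cscript%3Ealert('Vulnerable')%3C/script%3E"
RAW_PAYLOAD = "<script>alert('Vulnerable')</script>"


def not_found_vulnerable(request_path: str) -> str:
    """Reflects the decoded path verbatim, so a <script> tag in it runs."""
    path = unquote(request_path)
    return f"<html><body>The requested URL {path} was not found.</body></html>"


def not_found_hardened(request_path: str) -> str:
    """Same page, but the path is HTML-escaped before it reaches the body."""
    path = html.escape(unquote(request_path), quote=True)
    return f"<html><body>The requested URL {path} was not found.</body></html>"


def reflects_unescaped(body: str, payload: str = RAW_PAYLOAD) -> bool:
    """The condition the advisory's test URL detects: raw tag in the response."""
    return payload in body


if __name__ == "__main__":
    for name, handler in (("vulnerable", not_found_vulnerable),
                          ("hardened", not_found_hardened)):
        body = handler(PROBE_PATH)
        print(f"{name}: reflects raw <script> = {reflects_unescaped(body)}")
```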

Vendor Status:
The vendor was contacted on 1/5/2002 (support@netgear.com), but did not
respond.

Workaround:
As indicated on www.netgear.org, an unofficial web site dedicated to
NETGEAR's popular RT311 and RT314, it is possible to disable their HTTP,
FTP, and Telnet daemons using the hack below.

Disabling the NETGEAR's internal HTTP, FTP, and Telnet servers to protect
it from all TCP connections

Warning: This solution will disable TCP connections to the NETGEAR box
completely (both LAN and WAN). You can make the change while you have an
active telnet connection, but as soon as you disconnect you will not be
able to access the box via any TCP connection again (until reboot).
Routing functions continue to work properly, however.

Go to the 24.8 (CLI) menu and enter:

ip tcp mss 0

This will remain effective until reboot. If you want this to be permanent,
you need to modify the autoexec.net file on the router. You can edit
autoexec.net via the following command:

sys edit autoexec.net

This is a line editor. Find the line that reads "ip tcp mss 512" and
replace 512 with 0. After a reboot you will only be able to access the
router via the serial cable. If you do not have a serial cable, do not do
this!

THIS WILL ALSO BLOCK DDNS UPDATE. IF YOU USE DDNS, DO NOT USE THAT TWEAK!
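After applying the tweak, it is worth confirming from a LAN host that the three services really no longer accept connections. The following is an added example, not code from the advisory or from netgear.org; the router address is a placeholder, and the service ports (21, 23, 80) are assumed to be the daemons the workaround disables.

```python
# Added example: verify that the router's FTP, Telnet and HTTP listeners are
# unreachable after "ip tcp mss 0". ROUTER is a placeholder (TEST-NET-1);
# the port list is an assumption about which daemons the tweak silences.
import socket

ROUTER = "192.0.2.1"   # placeholder: replace with your router's LAN address
SERVICES = {"ftp": 21, "telnet": 23, "http": 80}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # timeout, unreachable network, etc.
            return "filtered"


def check_router(host: str = ROUTER) -> dict:
    """Probe every service in SERVICES and report its state."""
    return {name: probe_tcp(host, port) for name, port in SERVICES.items()}


def workaround_effective(results: dict) -> bool:
    """The tweak is in effect only if none of the services accepts a connection."""
    return all(state != "open" for state in results.values())


def local_listener():
    """Offline self-test helper: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    results = check_router()
    print(results, "-> workaround effective:", workaround_effective(results))
```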

ADDITIONAL INFORMATION

The information has been provided by sq <sq@cirt.net>, Tolunay from
dslreports.com, and Rzac` <bugtrack@mail.ru>.
