[NEWS] NETGEAR RT311/RT314 Cross-Site Issue

From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  6 Feb 2002 18:31:18 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  NETGEAR RT311/RT314 Cross-Site Issue


NETGEAR's RT311 Gateway Router
(<http://www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=54>) provides the
dynamic Internet connection. NETGEAR's RT314 combination switch and router
(<http://www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=55>) creates the
potent full-duplex

Both products have been found to be vulnerable to cross-site scripting
(XSS).


Vulnerable systems:
Tested on a NETGEAR RT314 running firmware versions 3.24 and 3.25. Any
hardware running this firmware is affected (the RT311 runs the same
firmware). Any product running the ZyXEL RomPager web server 3.02 or
earlier is probably also

The NETGEAR router (firmware version 3.25) runs a web server
(ZyXEL-RomPager/3.02) for easy user configuration. This web server is
vulnerable to the standard cross-site scripting problems seen in many web
servers: script supplied in a crafted URL is echoed back to the browser
without encoding and executes in the router's own origin, with whatever
credentials the victim's browser already holds for the device. Though it may
be difficult to exploit (the attacker would need to know the internal
address of the victim's router), it still opens the possibility that an
attacker runs a 'social engineering' attack, luring the administrator into
following the crafted link, and gains unauthorized access to the router,
possibly reconfiguring it to allow remote access.

To check NETGEAR devices for cross-site scripting (at the time often
abbreviated CSS), simply access the following URL in a
If you receive a JavaScript pop-up alert, the system is vulnerable to
cross-site scripting.
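The advisory's own test URL is not reproduced above. The following Python script is an added example, not code from the advisory or from NETGEAR: it performs the same reflected-XSS check without a browser by injecting a harmless marker containing the characters a server must encode (angle brackets and a double quote) and classifying whether the response reflects it raw or HTML-encoded. The router address 192.0.2.1 and the query parameter name "page" are placeholders; the RomPager parameter actually affected is not stated on this page, and the sample responses are constructed, not captured from a device.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Marker unlikely to occur naturally in a page; the '<', '"' and '>' are the
# characters output encoding must neutralise to stop reflected XSS.
XSS_PROBE = '<xsstest"1>'

# Constructed sample responses standing in for a device (not real captures).
SAMPLE_VULNERABLE = '<html><body>Error: file <xsstest"1> not found</body></html>'
SAMPLE_FIXED = '<html><body>Error: file &lt;xsstest&quot;1&gt; not found</body></html>'


def build_probe_url(base_url, param, probe=XSS_PROBE):
    """Return base_url with param=probe appended to the query string.

    parse_qsl/urlencode keep any existing parameters and percent-encode the
    probe so the request itself is well formed.
    """
    parts = urlsplit(base_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append((param, probe))
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_reflection(body, probe=XSS_PROBE):
    """Classify how a response body reflects the probe.

    'raw'     -> probe appears unencoded: output encoding is missing, which
                 is the precondition the advisory's alert() pop-up showed.
    'encoded' -> only the HTML-escaped form appears: encoded for an HTML
                 text context (not proof of safety inside <script> or an
                 unquoted attribute).
    'none'    -> the parameter is not reflected at all.
    """
    if probe in body:
        return "raw"
    if escape(probe, quote=True) in body:
        return "encoded"
    return "none"


def probe_device(base_url, param, fetch):
    """Build the probe URL, fetch it with the supplied fetch(url) -> str
    callable and return (url, classification). fetch is injected so the
    logic can be exercised offline against constructed responses."""
    url = build_probe_url(base_url, param)
    return url, classify_reflection(fetch(url))


if __name__ == "__main__":
    # Placeholder router address (TEST-NET) and parameter name: assumptions.
    for label, body in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        url, verdict = probe_device("http://192.0.2.1/", "page", lambda _u, b=body: b)
        print(f"{label:10s} {url} -> {verdict}")
```

Against a live device, replace the lambda with a real fetcher (for example urllib.request.urlopen(url).read().decode()) from a host on the router's LAN; a 'raw' verdict on any reflected parameter means the device needs the workaround below or a firmware fix.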

Vendor Status:
Vendor was contacted on 1/5/2002 (support@netgear.com), but did not

As indicated on www.netgear.org, an unofficial web site dedicated to
NETGEAR's popular RT311 and RT314, it is possible to disable their HTTP,
FTP, and Telnet daemons using the procedure below. Note that this is a
workaround rather than a fix: the vulnerable web server is still present,
it is simply no longer reachable.

Disabling the internal HTTP, FTP, and telnet servers of the NETGEAR to
protect it from all connections

Warning: This solution will disable TCP connections to the NETGEAR box
completely (both LAN and WAN). You can make the change while you have an
active telnet connection, but as soon as you disconnect you will not be
able to access the box via any TCP connection again (until reboot).
Routing functions work properly, however.

Go to menu 24.8 (the CLI interface) and enter:

ip tcp mss 0

This will remain effective until reboot. If you want this to be permanent,
you need to modify the autoexec.net file on the router. You can edit
autoexec.net via the following command.

sys edit autoexec.net

This is a line editor. Find the line that reads "ip tcp mss 512" and
replace 512 with 0. After reboot you will only be able to access the
router via a serial cable. If you do not have a serial cable, do not do this!
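Once the workaround is in place, confirm from a LAN host that the three management services really refuse TCP connections while the box still forwards traffic. The following Python check is an added example, not code from the advisory or from netgear.org; the router address 192.0.2.1 is a placeholder to substitute with your own, and the external host used for the routing check is likewise an assumption.

```python
import socket

# Services the netgear.org workaround is meant to make unreachable.
MGMT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}

# Placeholder LAN address of the router (TEST-NET; an assumption).
ROUTER = "192.0.2.1"


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout.

    connect_ex returns 0 on success and an errno otherwise, so a refused
    connection, a timeout and an unresolvable host all count as 'closed'.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            return s.connect_ex((host, port)) == 0
        except OSError:
            return False


def check_management_exposure(host=ROUTER, ports=MGMT_PORTS, timeout=2.0):
    """Map service name -> reachable? for each management port on host."""
    return {name: tcp_port_open(host, port, timeout) for port, name in ports.items()}


def still_exposed(results):
    """Sorted names of services that still accept TCP connections."""
    return sorted(name for name, reachable in results.items() if reachable)


if __name__ == "__main__":
    results = check_management_exposure()
    for name, reachable in results.items():
        print(f"{name:7s} {'REACHABLE' if reachable else 'closed/filtered'}")
    exposed = still_exposed(results)
    print("workaround effective" if not exposed else f"still exposed: {exposed}")
    # Routing check: a TCP connection through the router to an outside host
    # should still succeed even though the router itself accepts none.
    # 'example.com' is an assumed reachable external host.
    print("routing ok" if tcp_port_open("example.com", 80, 5.0) else "routing broken?")
```

Run this twice, before and after entering `ip tcp mss 0`: the first run should report all three services REACHABLE from the LAN, the second none of them, with the routing line unchanged. Because the box drops every TCP connection, a WAN-side scan of the same ports is the only confirmation needed that the web interface is no longer exposed externally either.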



The information has been provided by sq <mailto:sq@cirt.net>, Tolunay
from dslreports.com, and Rzac` <mailto:bugtrack@mail.ru>.


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.