[NEWS] NETGEAR FM114P URL Filter Bypassing Vulnerability

From: support@securiteam.com
Date: 09/07/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sat,  7 Sep 2002 14:05:25 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  NETGEAR FM114P URL Filter Bypassing Vulnerability
------------------------------------------------------------------------

SUMMARY

The NETGEAR FM114P is a hub, printer server, wireless access point,
firewall, and IDS. The firewalling module also supports filtering for
domain names (e.g. "www.computec.ch"). This module has been found to not
translate IP addresses into domain names, allowing someone to access a
restricted domain name by using its IP equivalent.

DETAILS

Vulnerable systems:
 * NETGEAR FM114P firmware version 1.0
 * NETGEAR FM114P firmware version 1.3 Release 04

Due to this flaw, a user may access a site by entering the IP address
instead of the host and domain name.

A possible workaround is to add the IP address(es) of the forbidden
hostname in the blacklist (e.g. "195.65.88.12"). However, do not forget
that some smart attackers could use dot-less IP addresses (e.g.
"http://3275839500"). In addition, you will get some problems with virtual
hosting web servers. In addition, every additional filter entry will slow
down the FM114P.

Vendor response:
Marc has informed the vendor on 02/09/05 with an email to
support@NETGEAR.com - The following message came back two days later (very
nice responding time):

You've probably already noticed that the router is not designed to block
sites by IP address -- only by keyword -- This is *not* a vulnerability,
just not something the router was designed to do -- Taken from the FM114P
Reference Manual: "Content Filtering With its content filtering feature,
the NETGEAR ProSafe Firewall prevents objectionable content from reaching
your PCs. The firewall allows you to control access to Internet content by
screening for keywords within Web addresses. You can configure the
firewall to log and report attempts to access objectionable Internet
sites.

Content filtering with its content filtering feature, the NETGEAR ProSafe
Firewall prevents objectionable content from reaching your PCs. The
firewall allows you to control access to Internet content by screening for
keywords within Web addresses. You can configure the firewall to log and
report attempts to access objectionable Internet sites."

"The NETGEAR ProSafe Firewall allows you to restrict access based on Web
addresses and Web address keywords. Up to 255 entries are supported in the
Keyword list. The Keyword Blocking menu is shown in Figure 5-2:"

As for IP address blocking being added to future firmware revisions,
you'll be able to request it at this link (which will be read by NETGEAR's
Engineers) -- <http://www.expressresponse.com/NETGEAR1/feedbackmenu.html>
http://www.expressresponse.com/NETGEAR1/feedbackmenu.html

ADDITIONAL INFORMATION

The information has been provided by <mailto:marc.ruef@computec.ch> Marc
Ruef.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • Re: firewall url filter
    ... Can I use the fedora-box as a firewall, ... filtering several keywords? ... Use the firewall to block direct the browsers directly connecting to any ...
    (Fedora)
  • Re: How good is Comodo Internet Security?
    ... Filtering traffic with a firewall means that you're not ... they migth catch some types of outbound malware traffic. ... that) the scanner detect an infection later on (because the signatures ...
    (comp.security.firewalls)
  • Re: Help! Can I do this for under $400?
    ... >filtering, is missing. ... According to the FAQ of a firewall group, ... >destination addresses and port numbers. ... We have 3 web servers on the LAN ...
    (comp.security.firewalls)
  • Re: Help with finding hardware firewall that acts like software firewall
    ... >level but do not truly control things as per specific program executable. ... >They are basically filtering the application data within the packets. ... >And your other firewall functionality will far surpass what any of these ... >> specific port or ports. ...
    (comp.security.firewalls)
  • Re: [Full-Disclosure] Re: Empirical data surrounding guards and firewalls.
    ... The firewall is not content filtering, thus does not stop bad requests ... connection to a webserver. ... carrying an illegal object (an illegally formed request). ...
    (Full-Disclosure)