Dear sr., clicking on the link can not produce POST request, only GET, unless there are some special conditions, like crossite scripting vulnerability in the router.
--16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability to full-disclosure@lists.grok.org.uk; s> it could still be carried out remotely by obfuscating a link sent to the s> "admin" of the device. this would obviously rely on the admin clicking on s> the link, and is more of a phishing / social engineering style attack. this s> would also rely on the router being setup with all of the default internal s> LAN ip's. s> sr. s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru> >> Dear Tom Neaves, >> >> It still can be exploited from Internet even if "remote management" is >> only accessible from local network. If you can trick user to visit Web >> page, you can place a form on this page which targets to router and >> request to router is issued from victim's browser. >> >> >> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com: >> >> TN> Hi. >> >> TN> I see where you're going but I think you're missing the point a little. >> By >> TN> *default* the web interface is enabled on the LAN and accessible by >> anyone >> TN> on that LAN and the "remote management" interface (for the Internet) is >> TN> turned off. If the "remote management" interface was enabled, stopping >> ICMP >> TN> echo responses would not resolve this issue at all, turning the >> interface >> TN> off would do though (or restricting by IP, ...ack). The "remote >> management" >> TN> (love those quotes...) interface speaks over HTTP hence TCP so no >> amount of >> TN> dropping ICMP goodness will help with this. Anyhow, I am happy to >> discuss >> TN> this off list with you if its still not clear to save spamming >> everyone's >> TN> inboxes. :o) >> >> TN> Tom >> >> TN> ----- Original Message ----- >> TN> From: Alaa El yazghi >> TN> To: Tom Neaves >> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk >> TN> Sent: Monday, June 15, 2009 11:03 PM >> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability >> >> >> TN> I know and I understand. What I wanted to mean is that we can not >> eventually >> TN> acces to the web interface of a netgear router remotely if we cannot >> localy. >> TN> As for the DoS, it is simple to solve such attack from outside. We >> just >> TN> disable receiving pings (There is actually an option in even the lowest >> TN> series) and thus, we would be able to have a remote management without >> ICMP >> TN> requests. >> >> >> >> TN> 2009/6/15 Tom Neaves <t...@tomneaves.co.uk> >> >> TN> Hi. >> >> TN> I'm not quite sure of your question... >> >> TN> The DoS can be carried out remotely, however one mitigating factor >> (which >> TN> makes it a low risk as opposed to sirens and alarms...) is that its >> turned >> TN> off by default - you have to explicitly enable it under "Remote >> Management" >> TN> on the device if you want to access it/carry out the DoS over the >> Internet. >> TN> However, it is worth noting that anyone on your LAN can *remotely* >> carry out >> TN> this attack regardless of this management feature being on/off. >> >> TN> I hope this clarifies it for you. >> >> TN> Tom >> TN> ----- Original Message ----- >> TN> From: Alaa El yazghi >> TN> To: Tom Neaves >> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk >> TN> Sent: Monday, June 15, 2009 10:45 PM >> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability >> >> >> TN> How can it be carried out remotely if it bugs localy? >> >> >> TN> 2009/6/15 Tom Neaves <t...@tomneaves.co.uk> >> >> TN> Product Name: Netgear DG632 Router >> TN> Vendor: http://www.netgear.com >> TN> Date: 15 June, 2009 >> TN> Author: t...@tomneaves.co.uk <t...@tomneaves.co.uk> >> TN> Original URL: >> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt >> TN> Discovered: 18 November, 2006 >> TN> Disclosed: 15 June, 2009 >> >> TN> I. DESCRIPTION >> >> TN> The Netgear DG632 router has a web interface which runs on port 80. >> This >> TN> allows an admin to login and administer the device's settings. >> However, >> TN> a Denial of Service (DoS) vulnerability exists that causes the web >> interface >> TN> to crash and stop responding to further requests. >> >> TN> II. DETAILS >> >> TN> Within the "/cgi-bin/" directory of the administrative web interface >> exists >> TN> a >> TN> file called "firmwarecfg". This file is used for firmware upgrades. A >> HTTP >> TN> POST >> TN> request for this file causes the web server to hang. The web server >> will >> TN> stop >> TN> responding to requests and the administrative interface will become >> TN> inaccessible >> TN> until the router is physically restarted. >> >> TN> While the router will still continue to function at the network level, >> i.e. >> TN> it will >> TN> still respond to ICMP echo requests and issue leases via DHCP, an >> TN> administrator will >> TN> no longer be able to interact with the administrative web interface. >> >> TN> This attack can be carried out internally within the network, or over >> the >> TN> Internet >> TN> if the administrator has enabled the "Remote Management" feature on the >> TN> router. >> >> TN> Affected Versions: Firmware V3.4.0_ap (others unknown) >> >> TN> III. VENDOR RESPONSE >> >> TN> 12 June, 2009 - Contacted vendor. >> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life >> TN> product and is no >> TN> longer supported in a production and development sense, as such, there >> will >> TN> be no further >> TN> firmware releases to resolve this issue. >> >> TN> IV. CREDIT >> >> TN> Discovered by Tom Neaves >> >> TN> _______________________________________________ >> TN> Full-Disclosure - We believe in it. >> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> TN> Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> -- >> Skype: Vladimir.Dubrovin >> ~/ZARAZA http://securityvulns.com/ >> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них >> поверили. (Твен) >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> -- Vladimir Dubrovin Systems Engineer http://nnov.stream.ru Stream-TV http://securityvulns.ru Nizhny Novgorod, Russia _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
