Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Network Appliances :: a6158.htm

Netgear routers logging vulnerability



16th Apr 2003 [SBWID-6158]
COMMAND

	Netgear routers logging vulnerability
	
	

SYSTEMS AFFECTED

	At least Model: RP114	Firmware: V3.26

PROBLEM

	From [http://elaboration.8bit.co.uk/] :
	
	There is a  problem  in  the  way  Netgear  routers  log  outgoing  HTTP
	connections which could lead to log  corruption  as  well  as  dangerous
	character or script injection.
	
	Though this problem has only been confirmed for the above  model  it  is
	believed other models  with  the  same  or  similar  web  administration
	interface will also prove to be vulnerable. This assumption is made  due
	to the similar feature descriptions seen at the vendor's web site.
	
	The problem lies in the way the device logs hostnames.
	
	In the web administration interface the  admin  has  access  to  content
	filter logs. The device logs all unique outgoing TCP connections with  a
	destination port of 80 by default. The log records things like date  and
	time, source IP address and destination host. Unfortunately, instead  of
	the device independently resolving the hostname, the log entry is  taken
	from the client supplied HTTP request.
	
	The HTTP query does not  have  to  be  successful  for  the  log  to  be
	written, meaning any data can be included.
	
	This problem allows for various types  of  attack  against  the  logging
	mechanism. We also believe attacks could be launched against  the  Admin
	account.
	
	It should also be mentioned that this problem can be exacerbated if  the
	email log alert option is configured (non-default).  This  could  extend
	the scope of possible attacks to MUAs and other clients.
	
	
	 Proof of Concept
	 ================
	
	To test if your Netgear device is vulnerable try:
	
	
	echo GET / HTTP/1.1\r\nHost: vulnerable | nc www.netgear.com 80
	
	
	Then check the content filter logs in the advanced menu of your  Netgear
	router. You should see  a  connection  to  host  vulnerable  instead  of
	www.netgear.com.
	
	

SOLUTION

	We have  been  informed  during  previous  communications  with  Netgear
	support staff that the RP114 is a "discontinued device" and there is  no
	intention by Netgear to patch. However, due to the possible  cross-model
	nature of this problem Netgear were informed.
	
			Website:		www.netgear.com
			Support contact:	support@netgear.com
			Date informed:		07.04.03
			First response:		09.04.03
			Action taken:		Referred to a HTML feedback form
			Release date:		16.04.03
	
	
	Official vendor response:
	 "Your request may be best addressed at Netgear's Engineer level at this link:
			  http://www.expressresponse.com/cgi-bin/netgear2/displayfile.cgi?displayfile=feedback_form.html&level=main&prodfamily=&product= "
	
			   
	Nothing futher was received from the vendor after the  initial  response
	(09.04.03).


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH