[29797] in bugtraq
Netgear Logging Vulnerability
daemon@ATHENA.MIT.EDU ({ })
Wed Apr 16 12:03:04 2003
Reply-To: advisories@elaboration.8bit.co.uk
From: "{ }" <elaborate_ruse@hotmail.com>
To: bugtraq@securityfocus.com
Date: Wed, 16 Apr 2003 15:13:11 +0100
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <BAY2-F16N8HUoKP7YE10000b6df@hotmail.com>
Netgear logging vulnerability
Introduction
Tested Vulnerable
Vendor
Discussion
PoC
Stuff
Introduction
There is a problem in the way Netgear routers log outgoing
HTTP connections which could lead to log corruption as well
as dangerous character or script injection.
Tested Vulnerable
Model: RP114 Firmware: V3.26
Though this problem has only been confirmed for the above
model it is believed other models with the same or similar
web administration interface will also prove to be
vulnerable. This assumption is made due to the similar
feature descriptions seen at the vendor's web site.
Vendor
We have been informed during previous communications with
Netgear support staff that the RP114 is a "discontinued
device" and there is no intention by Netgear to patch.
However, due to the possible cross-model nature of this
problem Netgear were informed.
Website: www.netgear.com
Support contact: support@netgear.com
Date informed: 07.04.03
First response: 09.04.03
Action taken: Referred to a HTML feedback form
Release date: 16.04.03
Official vendor response:
"Your request may be best addressed at Netgear's Engineer level at this
link:
http://www.expressresponse.com/cgi-bin/netgear2/displayfile.cgi?displayfile=feedback_form.html&level=main&prodfamily=&product=
"
Nothing futher was received from the vendor after the initial
response (09.04.03).
Discussion
The problem lies in the way the device logs hostnames.
In the web administration interface the admin has access to
content filter logs. The device logs all unique outgoing TCP
connections with a destination port of 80 by default. The
log records things like date and time, source IP address and
destination host. Unfortunately, instead of the device
independently resolving the hostname, the log entry is taken
from the client supplied HTTP request.
The HTTP query does not have to be successful for the log to
be written, meaning any data can be included.
This problem allows for various types of attack against the
logging mechanism. We also believe attacks could be launched
against the Admin account.
It should also be mentioned that this problem can be
exacerbated if the email log alert option is configured
(non-default). This could extend the scope of possible
attacks to MUAs and other clients.
PoC
To test if your Netgear device is vulnerable try:
echo GET / HTTP/1.1\r\nHost: vulnerable | nc www.netgear.com 80
Then check the content filter logs in the advanced menu of
your Netgear router. You should see a connection to host
vulnerable instead of www.netgear.com.
Stuff
For a properly formatted version of this paper try:
http://elaboration.8bit.co.uk/projects/texts/advisories/netgear.logging.vulnerability.140403.txt
_________________________________________________________________
On the move? Get Hotmail on your mobile phone http://www.msn.co.uk/mobile
