logo Home

Untitled Document

Home > Archives Advisories > Articles


Untitled Document

Untitled Document

Netgear Logging Vulnerability
Date: 2003-04-16

Author : { } <elaborate_ruse@hotmail.com>

Netgear logging vulnerability

Introduction
Tested Vulnerable
Vendor
Discussion
PoC
Stuff


Introduction

There is a problem in the way Netgear routers log outgoing
HTTP connections which could lead to log corruption as well
as dangerous character or script injection.

Tested Vulnerable

Model: RP114 Firmware: V3.26

Though this problem has only been confirmed for the above
model it is believed other models with the same or similar
web administration interface will also prove to be
vulnerable. This assumption is made due to the similar
feature descriptions seen at the vendor's web site.

Vendor

We have been informed during previous communications with
Netgear support staff that the RP114 is a "discontinued
device" and there is no intention by Netgear to patch.
However, due to the possible cross-model nature of this
problem Netgear were informed.

Website: www.netgear.com
Support contact: support@netgear.com
Date informed: 07.04.03
First response: 09.04.03
Action taken: Referred to a HTML feedback form
Release date: 16.04.03

Official vendor response:
"Your request may be best addressed at Netgear's Engineer level at this
link:

http://www.expressresponse.com/cgi-bin/netgear2/displayfile.cgi?displayfile=feedback_form.html&level=main&prodfamily=&product=

"

Nothing futher was received from the vendor after the initial
response (09.04.03).

Discussion

The problem lies in the way the device logs hostnames.

In the web administration interface the admin has access to
content filter logs. The device logs all unique outgoing TCP
connections with a destination port of 80 by default. The
log records things like date and time, source IP address and
destination host. Unfortunately, instead of the device
independently resolving the hostname, the log entry is taken
from the client supplied HTTP request.

The HTTP query does not have to be successful for the log to
be written, meaning any data can be included.

This problem allows for various types of attack against the
logging mechanism. We also believe attacks could be launched
against the Admin account.

It should also be mentioned that this problem can be
exacerbated if the email log alert option is configured
(non-default). This could extend the scope of possible
attacks to MUAs and other clients.

PoC

To test if your Netgear device is vulnerable try:

echo GET / HTTP/1.1\r\nHost: vulnerable | nc www.netgear.com 80

Then check the content filter logs in the advanced menu of
your Netgear router. You should see a connection to host
vulnerable instead of www.netgear.com.

Stuff

For a properly formatted version of this paper try:
http://elaboration.8bit.co.uk/projects/texts/advisories/netgear.logging.vulnerability.140403.txt



 

arrowSearch Advisories

arrowNewsletter

Free weekly Newsletter.

Please enter your email address here:
arrowReport Vulnerability

If you've found a vulnerability please
click here to report it.
arrowPartners

newsnow

About Us | Contact Us | Advertise | email | Backend flag
Copyright © 2016-2017 Security Corporation - All Rights Reserved - Legal - Privacy Policy