SecurityTracker.com

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   NETGEAR Router
Vendors:   NETGEAR
(A User Provides a Workaround) Re: NETGEAR Router Allows Cross Site Scripting Attacks, Possibly Allowing a Remote User to Gain Access to the Router
SecurityTracker Alert ID:  1003439
SecurityTracker URL:  http://securitytracker.com/id/1003439
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 5 2002
Impact:   Disclosure of user information, Execution of arbitrary code via network
Fix Available:  Yes  
Version(s): RT314/RT311 running firmware 3.24 and 3.25
Description:   A vulnerability was reported in the NETGEAR router series. A remote user can conduct a cross-site scripting attack against the router.

It is reported that the router's web-based management interface allows cross-site scripting attacks. A remote user could create HTML content (either a web page or an e-mail message) that contains a URL of the following type:

http://<router_ip>/<script>alert('Vulnerable')</script>

If the content is sent to a router administrator and the URL is loaded in that administrator's browser, the JavaScript would execute within the security context of the router and could obtain the recipient's cookies associated with the router.

The vendor has reportedly been notified.
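
Added example, not part of the original advisory and not NETGEAR or ZyXEL code: the advisory does not say where the router echoes the URL, so this C code assumes an error page that reflects the requested path, and shows that pattern beside a version that HTML-escapes the path first. The function names and page text are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Append src to the NUL-terminated string in dst (capacity cap), escaping the
 * five HTML-significant characters. Returns 0, or -1 if it would not fit. */
static int html_escape(char *dst, size_t cap, const char *src) {
    size_t used = strlen(dst);
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = one;              /* default: copy the byte as-is */
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) return -1;  /* refuse to truncate mid-entity */
        memcpy(dst + used, rep, n + 1);     /* copies the terminator too */
        used += n;
    }
    return 0;
}

/* Assumed vulnerable pattern: the request path goes into the page verbatim. */
int error_page_raw(char *out, size_t cap, const char *path) {
    int n = snprintf(out, cap, "<html><body>Not found: %s</body></html>", path);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Hardened pattern: the path is escaped before it reaches the page. */
int error_page_escaped(char *out, size_t cap, const char *path) {
    static const char head[] = "<html><body>Not found: ", tail[] = "</body></html>";
    if (sizeof head > cap) return -1;
    memcpy(out, head, sizeof head);
    if (html_escape(out, cap, path) != 0) return -1;
    if (strlen(out) + sizeof tail > cap) return -1;
    strcat(out, tail);
    return 0;
}

int main(void) {
    char buf[256];
    const char *path = "/<script>alert('Vulnerable')</script>"; /* URL path from the advisory */
    if (error_page_raw(buf, sizeof buf, path) == 0) puts(buf);     /* markup survives */
    if (error_page_escaped(buf, sizeof buf, path) == 0) puts(buf); /* rendered as text */
    return 0;
}
```

The escaped variant fails closed when the buffer is too small instead of emitting a partially escaped page.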

Impact:   A remote user could cause JavaScript to execute on another user's host that would be able to access the target user's cookies associated with the router management authentication. This could potentially allow the remote user to gain access to the router.
Solution:   A user has reported the following workaround, apparently quoted from www.netgear.org in the "How to" section:

"Disabling Internal HTTP, FTP and telnet Server of the Netgear to
protect it from all connection

Warning: This solution will disable TCP connection to Netgear box
completely (both LAN & WAN). You can make the change while you have
active telnet connection but as soon as you disconnect, you'll not be
able to access to the box via any TCP connection again (until reboot).
Routing functions work properly however.

Go to 24.8 (CLI) interface and enter:

ip tcp mss 0

This will remain effective until reboot. If you want this permanent
you need to modify autoexec.net file on router. You can edit
autoexec.net via the following command.

sys edit autoexec.net

This is a line editor. Find the line that reads "ip tcp mss 512" and
replace 512 with 0. After reboot you will only access the router via
serial cable. If you don't have serial cable don't do this!

THIS WILL ALSO BLOCK DDNS UPDATE. IF YOU USE DDNS, DO NOT USE THAT TWEAK!

Credit goes to Tolunay from dslreports.com"

Vendor URL:  www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=55
Cause:   Input validation error

Message History:   This archive entry is a follow-up to the message listed below.
Feb 5 2002 NETGEAR Router Allows Cross Site Scripting Attacks, Possibly Allowing a Remote User to Gain Access to the Router



 Source Message Contents

Subject:  Re: Netgear RT311/RT314



As indicated on www.netgear.org, an unofficial web site dedicated to
Netgear's popular RT311 and RT314, it is possible to disable their
HTTP, FTP and Telnet daemons using the hack below.


"Disabling Internal HTTP, FTP and telnet Server of the Netgear to
protect it from all connection

Warning: This solution will disable TCP connection to Netgear box
completely (both LAN & WAN). You can make the change while you have
active telnet connection but as soon as you disconnect, you'll not be
able to access to the box via any TCP connection again (until reboot).
Routing functions work properly however.    

Go to 24.8 (CLI) interface and enter:

ip tcp mss 0

This will remain effective until reboot. If you want this permanent
you need to modify autoexec.net file on router. You can edit
autoexec.net via the following command.

sys edit autoexec.net

This is a line editor. Find the line that reads "ip tcp mss 512" and
replace 512 with 0. After reboot you will only access the router via
serial cable. If you don't have serial cable don't do this!

THIS WILL ALSO BLOCK DDNS UPDATE. IF YOU USE DDNS, DO NOT USE THAT TWEAK!

Credit goes to Tolunay from dslreports.com"

(from www.netgear.org in the "How to" section)


On 03/Feb/2002, sq wrote:
s> Product:
s> Netgear Gateway Router RT314/RT311

(...)

s> Problem Description:
s> The Netgear RT314 Gateway Router (FW v3.25) runs a web server
s> (ZyXEL-RomPager/3.02) for easy user configuration. This web server
s> is vulnerable to the standard Cross Site Scripting problems seen in
s> multiple web servers (noted in CERT CA-2000-02 from two years ago).
s> Though it may be difficult to exploit (attacker would need to know
s> the internal address of the victim's router), it still opens the
s> possibility that an attacker could gain unauthorized access to the
s> router, and possibly reconfigure it to allow remote access.  

(...)

 
 



Copyright 2019, SecurityGlobal.net LLC