NETGEAR RP114 Router Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks Against Administrators
SecurityTracker Alert ID: 1006587|
SecurityTracker URL: http://securitytracker.com/id/1006587
(Links to External Site)
Date: Apr 16 2003
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information|
Version(s): Model RP114, Firmware version 3.26|
A vulnerability was reported in the logging function of some NETGEAR routers. A remote user can conduct cross-site scripting attacks against router administrators.|
It is reported that, by default, the device logs outgoing TCP connections destined for port 80. According to the report, the logged hostname is based on the user-supplied 'Host' HTTP header field and any data can be written to the log via this field. The log entry is recorded even if the connection is not completed.
A remote user could submit arbitrary scripting code within the Host field. Then, when an administrator views the log file, arbitrary scripting code will be executed by the target user's browser. The code will originate from the router and will run in the security context of the router. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the router, access data recently submitted by the target user via web form to the router's administration interface, or take actions on the administration interface acting as the target user.
A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the router, access data recently submitted by the target user via web form to the router's administrative interface, or take actions on the router acting as the target user.|
No solution was available at the time of this entry. According to the report, the vendor has indicated that the RP114 is a "discontinued device" and the vendor does not intend to offer a patch.|
Vendor URL: www.netgear.com/ (Links to External Site)
Input validation error|
Source Message Contents
Subject: Netgear Logging Vulnerability|
Netgear logging vulnerability
There is a problem in the way Netgear routers log outgoing
HTTP connections which could lead to log corruption as well
as dangerous character or script injection.
Model: RP114 Firmware: V3.26
Though this problem has only been confirmed for the above
model it is believed other models with the same or similar
web administration interface will also prove to be
vulnerable. This assumption is made due to the similar
feature descriptions seen at the vendor's web site.
We have been informed during previous communications with
Netgear support staff that the RP114 is a "discontinued
device" and there is no intention by Netgear to patch.
However, due to the possible cross-model nature of this
problem Netgear were informed.
Support contact: firstname.lastname@example.org
Date informed: 07.04.03
First response: 09.04.03
Action taken: Referred to a HTML feedback form
Release date: 16.04.03
Official vendor response:
"Your request may be best addressed at Netgear's Engineer level at this
Nothing futher was received from the vendor after the initial
The problem lies in the way the device logs hostnames.
In the web administration interface the admin has access to
content filter logs. The device logs all unique outgoing TCP
connections with a destination port of 80 by default. The
log records things like date and time, source IP address and
destination host. Unfortunately, instead of the device
independently resolving the hostname, the log entry is taken
from the client supplied HTTP request.
The HTTP query does not have to be successful for the log to
be written, meaning any data can be included.
This problem allows for various types of attack against the
logging mechanism. We also believe attacks could be launched
against the Admin account.
It should also be mentioned that this problem can be
exacerbated if the email log alert option is configured
(non-default). This could extend the scope of possible
attacks to MUAs and other clients.
To test if your Netgear device is vulnerable try:
echo GET / HTTP/1.1\r\nHost: vulnerable | nc www.netgear.com 80
Then check the content filter logs in the advanced menu of
your Netgear router. You should see a connection to host
vulnerable instead of www.netgear.com.
For a properly formatted version of this paper try:
On the move? Get Hotmail on your mobile phone http://www.msn.co.uk/mobile