SecurityTracker.com
SecurityTracker
Archives
Category:   Device (Router/Bridge/Hub)  >   NETGEAR Router Vendors:   NETGEAR
NETGEAR RP114 Router Input Validation Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks Against Administrators
SecurityTracker Alert ID:  1006587
SecurityTracker URL:  http://securitytracker.com/id/1006587
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 16 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information

Version(s): Model RP114, Firmware version 3.26
Description:   A vulnerability was reported in the logging function of some NETGEAR routers. A remote user can conduct cross-site scripting attacks against router administrators.

It is reported that, by default, the device logs outgoing TCP connections destined for port 80. According to the report, the logged hostname is based on the user-supplied 'Host' HTTP header field and any data can be written to the log via this field. The log entry is recorded even if the connection is not completed.

A remote user could submit arbitrary scripting code within the Host field. Then, when an administrator views the log file, arbitrary scripting code will be executed by the target user's browser. The code will originate from the router and will run in the security context of the router. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the router, access data recently submitted by the target user via web form to the router's administration interface, or take actions on the administration interface acting as the target user.

Impact:   A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the router, access data recently submitted by the target user via web form to the router's administrative interface, or take actions on the router acting as the target user.
Solution:   No solution was available at the time of this entry. According to the report, the vendor has indicated that the RP114 is a "discontinued device" and the vendor does not intend to offer a patch.
Vendor URL:  www.netgear.com/
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  Netgear Logging Vulnerability


  Netgear logging vulnerability



  Introduction
  Tested Vulnerable
  Vendor
  Discussion
  PoC
  Stuff


  Introduction

  		There is a problem in the way Netgear routers log outgoing
		HTTP connections which could lead to log corruption as well
		as dangerous character or script injection.

  Tested Vulnerable

  		Model: RP114	Firmware: V3.26

		Though this problem has only been confirmed for the above
		model it is believed other models with the same or similar
		web administration interface will also prove to be
		vulnerable.  This assumption is made due to the similar
		feature descriptions seen at the vendor's web site.

  Vendor

		We have been informed during previous communications with
		Netgear support staff that the RP114 is a "discontinued
		device" and there is no intention by Netgear to patch.
		However, due to the possible cross-model nature of this
		problem Netgear were informed.

		Website:		www.netgear.com
		Support contact:		support@netgear.com
		Date informed:		07.04.03
		First response:		09.04.03
		Action taken:		Referred to a HTML feedback form
		Release date:		16.04.03

		Official vendor response:
		 "Your request may be best addressed at Netgear's Engineer level at this link:
		  http://www.expressresponse.com/cgi-bin/netgear2/displayfile.cgi?displayfile=feedback_form.html&level=main&prodfamily=&product="

		Nothing further was received from the vendor after the initial
		response (09.04.03).

  Discussion

  		The problem lies in the way the device logs hostnames.

		In the web administration interface the admin has access to
		content filter logs.  The device logs all unique outgoing TCP
		connections with a destination port of 80 by default.  The
		log records things like date and time, source IP address and
		destination host.  Unfortunately, instead of the device
		independently resolving the hostname, the log entry is taken
		from the client supplied HTTP request.

		The HTTP query does not have to be successful for the log to
		be written, meaning any data can be included.

		This problem allows for various types of attack against the
		logging mechanism.  We also believe attacks could be launched
		against the Admin account.

		It should also be mentioned that this problem can be
		exacerbated if the email log alert option is configured
		(non-default).  This could extend the scope of possible
		attacks to MUAs and other clients.
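To show the defensive side of the mechanism described above, here is an added Python example (not from the advisory and not NETGEAR firmware code): it extracts the Host value from a constructed request head, checks it against RFC 1123 hostname syntax before it is logged, and HTML-escapes the entry when rendering the content-filter log, beside the unescaped rendering the advisory describes. The sample request, the source IP and the table-row layout are constructed assumptions.

```python
import html
import re

# Constructed sample request head, as a client behind the router might send it
# to a port-80 destination. The Host value is deliberately not a hostname.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: <script>x</script>\r\n"
    b"\r\n"
)

# RFC 1123 hostname: labels of letters, digits and hyphens, 1-63 chars each,
# not starting or ending with a hyphen, joined by dots, at most 253 chars total.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")


def extract_host(request_head: bytes) -> str:
    """Return the raw value of the first Host header in an HTTP request head."""
    for line in request_head.split(b"\r\n")[1:]:
        if not line:                       # blank line ends the header block
            break
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return ""


def is_valid_hostname(host: str) -> bool:
    """Strict syntactic check; an optional :port suffix is stripped first."""
    name = host.rsplit(":", 1)[0] if re.search(r":\d{1,5}$", host) else host
    return 0 < len(name) <= 253 and _HOSTNAME_RE.match(name) is not None


def log_entry_vulnerable(src_ip: str, host: str) -> str:
    """What the advisory describes: the raw Host value is written straight
    into the HTML log row, so markup in it runs in the admin's browser."""
    return f"<tr><td>{src_ip}</td><td>{host}</td></tr>"


def log_entry_hardened(src_ip: str, host: str) -> str:
    """Flag values that are not hostnames at log time (truncated so the log
    cannot be flooded) and HTML-escape every cell at render time."""
    shown = host if is_valid_hostname(host) else "[invalid] " + host[:64]
    return f"<tr><td>{html.escape(src_ip)}</td><td>{html.escape(shown)}</td></tr>"
```

The escaping is the control that actually neutralises the injection; the hostname check only makes bad entries visible, and the same escaping must be applied again if entries are forwarded by the email log alert option.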

  PoC

		To test if your Netgear device is vulnerable try:

		printf 'GET / HTTP/1.1\r\nHost: vulnerable\r\n\r\n' | nc www.netgear.com 80

		Then check the content filter logs in the advanced menu of
		your Netgear router.  You should see a connection to host
		vulnerable instead of www.netgear.com.

  Stuff

   		For a properly formatted version of this paper try:
		http://elaboration.8bit.co.uk/projects/texts/advisories/netgear.logging.vulnerability.140403.txt


Copyright 2019, SecurityGlobal.net LLC