Introduction Tested Vulnerable Vendor Discussion PoC Stuff
Introduction
There is a problem in the way Netgear routers log outgoing HTTP connections which could lead to log corruption as well as dangerous character or script injection.
Tested Vulnerable
Model: RP114 Firmware: V3.26
Though this problem has only been confirmed for the above model it is believed other models with the same or similar web administration interface will also prove to be vulnerable. This assumption is made due to the similar feature descriptions seen at the vendor's web site.
Vendor
We have been informed during previous communications with Netgear support staff that the RP114 is a "discontinued device" and there is no intention by Netgear to patch. However, due to the possible cross-model nature of this problem Netgear were informed.
Website: www.netgear.com Support contact: support@netgear.com Date informed: 07.04.03 First response: 09.04.03 Action taken: Referred to a HTML feedback form Release date: 16.04.03
Official vendor response:
"Your request may be best addressed at Netgear's Engineer level at this link:
http://www.expressresponse.com/cgi-bin/netgear2/displayfile.cgi?displayfile=feedback_form.html&level=main&prodfamily=&product= "
Nothing futher was received from the vendor after the initial response (09.04.03).
Discussion
The problem lies in the way the device logs hostnames.
In the web administration interface the admin has access to content filter logs. The device logs all unique outgoing TCP connections with a destination port of 80 by default. The log records things like date and time, source IP address and destination host. Unfortunately, instead of the device independently resolving the hostname, the log entry is taken from the client supplied HTTP request.
The HTTP query does not have to be successful for the log to be written, meaning any data can be included.
This problem allows for various types of attack against the logging mechanism. We also believe attacks could be launched against the Admin account.
It should also be mentioned that this problem can be exacerbated if the email log alert option is configured (non-default). This could extend the scope of possible attacks to MUAs and other clients.
PoC
To test if your Netgear device is vulnerable try:
echo GET / HTTP/1.1\r\nHost: vulnerable | nc www.netgear.com 80
Then check the content filter logs in the advanced menu of your Netgear router. You should see a connection to host vulnerable instead of www.netgear.com.
Stuff
For a properly formatted version of this paper try: http://elaboration.8bit.co.uk/projects/texts/advisories/netgear.logging.vulnerability.140403.txt
_________________________________________________________________ On the move? Get Hotmail on your mobile phone http://www.msn.co.uk/mobile
