Dear Tom Neaves,

It still can be exploited from the Internet even if "remote management" is only accessible from the local network. If you can trick a user into visiting a Web page, you can place a form on this page which targets the router, and the request to the router is issued from the victim's browser.

--Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyazghi@xxxxxxxxx:

TN> Hi.

TN> I see where you're going but I think you're missing the point a little. By
TN> *default* the web interface is enabled on the LAN and accessible by anyone
TN> on that LAN and the "remote management" interface (for the Internet) is
TN> turned off. If the "remote management" interface was enabled, stopping ICMP
TN> echo responses would not resolve this issue at all, turning the interface
TN> off would do though (or restricting by IP, ...ack). The "remote management"
TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
TN> dropping ICMP goodness will help with this. Anyhow, I am happy to discuss
TN> this off list with you if it's still not clear to save spamming everyone's
TN> inboxes. :o)

TN> Tom

TN> ----- Original Message -----
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
TN> Sent: Monday, June 15, 2009 11:03 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability

TN> I know and I understand. What I wanted to mean is that we cannot eventually
TN> access the web interface of a netgear router remotely if we cannot locally.
TN> As for the DoS, it is simple to solve such attack from outside. We just
TN> disable receiving pings (There is actually an option in even the lowest
TN> series) and thus, we would be able to have a remote management without ICMP
TN> requests.

TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>

TN> Hi.

TN> I'm not quite sure of your question...

TN> The DoS can be carried out remotely, however one mitigating factor (which
TN> makes it a low risk as opposed to sirens and alarms...) is that it's turned
TN> off by default - you have to explicitly enable it under "Remote Management"
TN> on the device if you want to access it/carry out the DoS over the Internet.

TN> However, it is worth noting that anyone on your LAN can *remotely* carry out
TN> this attack regardless of this management feature being on/off.

TN> I hope this clarifies it for you.

TN> Tom

TN> ----- Original Message -----
TN> From: Alaa El yazghi
TN> To: Tom Neaves
TN> Cc: bugtraq@xxxxxxxxxxxxxxxxx ; full-disclosure@xxxxxxxxxxxxxxxxx
TN> Sent: Monday, June 15, 2009 10:45 PM
TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability

TN> How can it be carried out remotely if it bugs locally?

TN> 2009/6/15 Tom Neaves <tom@xxxxxxxxxxxxxxx>

TN> Product Name: Netgear DG632 Router
TN> Vendor: http://www.netgear.com
TN> Date: 15 June, 2009
TN> Author: tom@xxxxxxxxxxxxxxx <tom@xxxxxxxxxxxxxxx>
TN> Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
TN> Discovered: 18 November, 2006
TN> Disclosed: 15 June, 2009

TN> I. DESCRIPTION

TN> The Netgear DG632 router has a web interface which runs on port 80. This
TN> allows an admin to login and administer the device's settings. However,
TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
TN> to crash and stop responding to further requests.

TN> II. DETAILS

TN> Within the "/cgi-bin/" directory of the administrative web interface exists
TN> a file called "firmwarecfg". This file is used for firmware upgrades. An HTTP
TN> POST request for this file causes the web server to hang. The web server will
TN> stop responding to requests and the administrative interface will become
TN> inaccessible until the router is physically restarted.

TN> While the router will still continue to function at the network level, i.e.
TN> it will still respond to ICMP echo requests and issue leases via DHCP, an
TN> administrator will no longer be able to interact with the administrative web
TN> interface.

TN> This attack can be carried out internally within the network, or over the
TN> Internet if the administrator has enabled the "Remote Management" feature on
TN> the router.

TN> Affected Versions: Firmware V3.4.0_ap (others unknown)

TN> III. VENDOR RESPONSE

TN> 12 June, 2009 - Contacted vendor.
TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life
TN> product and is no longer supported in a production and development sense,
TN> as such, there will be no further firmware releases to resolve this issue.

TN> IV. CREDIT

TN> Discovered by Tom Neaves

TN> _______________________________________________
TN> Full-Disclosure - We believe in it.
TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
TN> Hosted and sponsored by Secunia - http://secunia.com/

--
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
For facts are facts, and they are set forth only so that they may be understood and believed. (Twain)
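
The reply at the top of this thread points out that a browser on the LAN can be made to send the request to the router on behalf of an outside page. As an added example (not part of the thread and not Netgear's code), here is the same-origin check a management web interface can apply before accepting a state-changing request; the address 192.168.0.1, the host example.invalid and the sample requests are constructed assumptions.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change device state

def claimed_source(headers):
    """Host[:port] the browser reports as the origin of the request.

    Returns None when neither Origin nor Referer is present, and "" when the
    header is present but names no host (for example "Origin: null").
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value is not None:
            return urlsplit(value).netloc.lower()
    return None

def allow_request(method, headers):
    """Refuse state-changing requests not issued by the interface's own pages."""
    if method.upper() in SAFE_METHODS:
        return True
    host = headers.get("Host", "").lower()
    # A missing or foreign source is treated as cross-site and refused.
    return bool(host) and claimed_source(headers) == host

# Constructed sample requests (label, method, headers); all values are assumptions.
SAMPLES = [
    ("POST from the router's own page", "POST",
     {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"}),
    ("POST with only a same-site Referer", "POST",
     {"Host": "192.168.0.1", "Referer": "http://192.168.0.1/index.html"}),
    ("POST submitted by a form on another site", "POST",
     {"Host": "192.168.0.1", "Origin": "http://example.invalid"}),
    ("POST from a sandboxed or opaque origin", "POST",
     {"Host": "192.168.0.1", "Origin": "null"}),
    ("POST with no Origin and no Referer", "POST", {"Host": "192.168.0.1"}),
    ("GET navigated to from another site", "GET",
     {"Host": "192.168.0.1", "Referer": "http://example.invalid/page"}),
]

def evaluate(samples=SAMPLES):
    """Map each sample label to the allow/deny decision."""
    return {label: allow_request(method, headers) for label, method, headers in samples}

if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {label}")
```

A check like this only narrows the cross-site path; a host already on the LAN can still send the request directly, as the advisory notes.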