Bugtraq mailing list archives

Netgear Logging Vulnerability


From: "{ }" <elaborate_ruse () hotmail com>
Date: Wed, 16 Apr 2003 15:13:11 +0100

 Netgear logging vulnerability



 Introduction
 Tested Vulnerable
 Vendor
 Discussion
 PoC
 Stuff


 Introduction

                There is a problem in the way Netgear routers log outgoing
                HTTP connections which could lead to log corruption as well
                as dangerous character or script injection.

 Tested Vulnerable

                Model: RP114    Firmware: V3.26

                Though this problem has only been confirmed for the above
                model it is believed other models with the same or similar
                web administration interface will also prove to be
                vulnerable.  This assumption is made due to the similar
                feature descriptions seen at the vendor's web site.

 Vendor

                We have been informed during previous communications with
                Netgear support staff that the RP114 is a "discontinued
                device" and there is no intention by Netgear to patch.
                However, due to the possible cross-model nature of this
                problem Netgear were informed.

                Website:          www.netgear.com
                Support contact:  support () netgear com
                Date informed:    07.04.03
                First response:   09.04.03
                Action taken:     Referred to an HTML feedback form
                Release date:     16.04.03

                Official vendor response:

                "Your request may be best addressed at Netgear's Engineer level at this link: http://www.expressresponse.com/cgi-bin/netgear2/displayfile.cgi?displayfile=feedback_form.html&level=main&prodfamily=&product= "

                Nothing further was received from the vendor after the
                initial response (09.04.03).

 Discussion

                The problem lies in the way the device logs hostnames.

                In the web administration interface the admin has access to
                content filter logs.  By default the device logs every unique
                outgoing TCP connection with a destination port of 80.  Each
                entry records the date and time, the source IP address and
                the destination host.  Unfortunately, instead of the device
                independently resolving the destination, the host field is
                copied from the Host header of the client-supplied HTTP
                request.

                The request does not have to succeed for the entry to be
                written, so the logged host is arbitrary, client-controlled
                data: any machine behind the router can put whatever it
                likes into the log by sending a single request to any
                port-80 address.

                This allows various attacks against the logging mechanism
                itself (forged or corrupted entries).  We also believe
                attacks could be launched against the admin account, since
                the log is rendered in the web administration interface.

                It should also be mentioned that this problem is exacerbated
                if the e-mail log alert option is configured (not the
                default).  The same untrusted text is then delivered by
                mail, extending the scope of possible attacks to mail user
                agents (MUAs) and other clients.
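
                The mechanism described above, as an added illustration that
                is not code from this advisory or from Netgear firmware: a
                toy of a logger that copies the client's Host header into the
                content-filter log, beside a hardened logger that records the
                destination address the router already knows from the TCP
                connection and only keeps the claimed name when it is a
                well-formed hostname, plus the output escaping the admin page
                needs.  The log format, the 10.0.0.0/8 client addresses, the
                192.0.2.0/24 destination (RFC 5737 documentation range) and
                the request samples are all constructed for this example.

```python
"""Toy model of the content-filter logging flaw described above, beside a
hardened logger.  Added illustration only: this is not Netgear code, and
the log format, addresses and request samples are all constructed."""
import html
import re
from datetime import datetime

# Fixed timestamp so the sample output is deterministic.
STAMP = datetime(2003, 4, 16, 15, 13, 11).strftime("%Y-%m-%d %H:%M:%S")


def host_header(raw_request: bytes) -> str:
    """Return the Host header value exactly as the client sent it.

    Parses leniently (LF-terminated lines, one trailing CR stripped), as
    small embedded HTTP parsers tend to; a bare CR inside a value survives.
    """
    for line in raw_request.decode("latin-1").split("\n")[1:]:
        line = line.rstrip("\r")
        if not line:                      # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip()
    return ""


def log_vulnerable(src_ip: str, raw_request: bytes) -> str:
    """What the advisory describes: the destination field is whatever the
    client wrote in its Host header, copied into the log verbatim."""
    return f"{STAMP} {src_ip} -> {host_header(raw_request)}"


# RFC 1123 hostname, optionally with :port.  IPv4 literals also match;
# bracketed IPv6 literals are deliberately rejected by this toy.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"\A{_LABEL}(?:\.{_LABEL})*\.?(?::\d{{1,5}})?\Z")


def log_hardened(src_ip: str, dst_ip: str, raw_request: bytes) -> str:
    """Record what the router actually knows (the destination IP of the TCP
    connection) and the client's claimed Host only if it is a well-formed
    hostname; anything else is written as an escaped, length-capped marker
    so the entry stays on one line and cannot impersonate another record."""
    host = host_header(raw_request)
    if len(host) <= 253 and _HOSTNAME.match(host):
        claimed = host
    else:
        claimed = "INVALID(" + repr(host)[1:-1][:64] + ")"
    return f"{STAMP} {src_ip} -> {dst_ip} host={claimed}"


def render_row_vulnerable(entry: str) -> str:
    """Admin page built by concatenation: log text reaches the browser
    unescaped, so a logged <script> tag runs with the admin's session."""
    return "<tr><td>" + entry + "</td></tr>"


def render_row(entry: str) -> str:
    """Escape at the point of output, whatever the log file holds."""
    return "<tr><td>" + html.escape(entry) + "</td></tr>"


# Constructed traffic as the router sees it on an outbound port-80
# connection: (client IP, destination IP from the TCP header, raw request).
# 192.0.2.0/24 is the RFC 5737 documentation range, standing in for any site.
SAMPLES = [
    ("10.0.0.5", "192.0.2.10",
     b"GET / HTTP/1.1\r\nHost: www.netgear.com\r\n\r\n"),
    # Markup in the Host header, aimed at whoever views the log.
    ("10.0.0.5", "192.0.2.10",
     b"GET / HTTP/1.1\r\nHost: <script>alert(1)</script>\r\n\r\n"),
    # A bare CR followed by a forged record: on a terminal the CR returns the
    # cursor and the fake entry overwrites the real one.
    ("10.0.0.5", "192.0.2.10",
     b"GET / HTTP/1.1\r\nHost: vulnerable\r2003-04-16 15:13:11 10.0.0.99 -> www.bank.example\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, req in SAMPLES:
        print("vulnerable:", repr(log_vulnerable(src, req)))
        print("hardened:  ", repr(log_hardened(src, dst, req)))
        print("html:      ", render_row(log_hardened(src, dst, req)))
```

                Run it and compare the two log lines for each sample: the
                vulnerable logger writes the script tag and the CR-forged
                record exactly as received, while the hardened one always
                carries the real destination address and reduces a bad Host
                value to a single-line marker.  The escaping in render_row is
                still needed even then, because a log field should never be
                trusted by the page that displays it.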

 PoC

                To test if your Netgear device is vulnerable try:

                printf 'GET / HTTP/1.1\r\nHost: vulnerable\r\n\r\n' | nc www.netgear.com 80

                (printf rather than echo, so that the CRLF line endings and
                the blank line that terminates the headers actually reach the
                device; whether the request itself succeeds does not matter.)

                Then check the content filter logs in the advanced menu of
                your Netgear router.  You should see a connection to host
                "vulnerable" instead of www.netgear.com.

 Stuff

                For a properly formatted version of this paper try:
                http://elaboration.8bit.co.uk/projects/texts/advisories/netgear.logging.vulnerability.140403.txt
