It could still be carried out remotely by obfuscating a link sent to the "admin" of the device. This would obviously rely on the admin clicking on the link, and is more of a phishing / social engineering style attack. This would also rely on the router being set up with all of the default internal LAN IPs.
sr. 2009/6/16 Vladimir '3APA3A' Dubrovin <3ap...@security.nnov.ru>
> Dear Tom Neaves,
>
> It still can be exploited from the Internet even if "remote management" is
> only accessible from the local network. If you can trick a user into visiting a web
> page, you can place a form on this page which targets the router, and the
> request to the router is issued from the victim's browser.
>
> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:
>
> TN> Hi.
>
> TN> I see where you're going but I think you're missing the point a little. By
> TN> *default* the web interface is enabled on the LAN and accessible by anyone
> TN> on that LAN and the "remote management" interface (for the Internet) is
> TN> turned off. If the "remote management" interface was enabled, stopping ICMP
> TN> echo responses would not resolve this issue at all, turning the interface
> TN> off would do though (or restricting by IP, ...ack). The "remote management"
> TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
> TN> dropping ICMP goodness will help with this. Anyhow, I am happy to discuss
> TN> this off list with you if it's still not clear to save spamming everyone's
> TN> inboxes. :o)
>
> TN> Tom
>
> TN> ----- Original Message -----
> TN> From: Alaa El yazghi
> TN> To: Tom Neaves
> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
> TN> Sent: Monday, June 15, 2009 11:03 PM
> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>
>
> TN> I know and I understand. What I wanted to mean is that we cannot eventually
> TN> access the web interface of a netgear router remotely if we cannot locally.
> TN> As for the DoS, it is simple to solve such an attack from outside. We just
> TN> disable receiving pings (There is actually an option in even the lowest
> TN> series) and thus, we would be able to have a remote management without ICMP
> TN> requests.
>
>
>
> TN> 2009/6/15 Tom Neaves <t...@tomneaves.co.uk>
>
> TN> Hi.
>
> TN> I'm not quite sure of your question...
>
> TN> The DoS can be carried out remotely, however one mitigating factor (which
> TN> makes it a low risk as opposed to sirens and alarms...) is that it's turned
> TN> off by default - you have to explicitly enable it under "Remote Management"
> TN> on the device if you want to access it/carry out the DoS over the Internet.
> TN> However, it is worth noting that anyone on your LAN can *remotely* carry out
> TN> this attack regardless of this management feature being on/off.
>
> TN> I hope this clarifies it for you.
>
> TN> Tom
> TN> ----- Original Message -----
> TN> From: Alaa El yazghi
> TN> To: Tom Neaves
> TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
> TN> Sent: Monday, June 15, 2009 10:45 PM
> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>
>
> TN> How can it be carried out remotely if it bugs locally?
>
>
> TN> 2009/6/15 Tom Neaves <t...@tomneaves.co.uk>
>
> TN> Product Name: Netgear DG632 Router
> TN> Vendor: http://www.netgear.com
> TN> Date: 15 June, 2009
> TN> Author: t...@tomneaves.co.uk <t...@tomneaves.co.uk>
> TN> Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
> TN> Discovered: 18 November, 2006
> TN> Disclosed: 15 June, 2009
>
> TN> I. DESCRIPTION
>
> TN> The Netgear DG632 router has a web interface which runs on port 80. This
> TN> allows an admin to log in and administer the device's settings. However,
> TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
> TN> to crash and stop responding to further requests.
>
> TN> II. DETAILS
>
> TN> Within the "/cgi-bin/" directory of the administrative web interface exists a
> TN> file called "firmwarecfg". This file is used for firmware upgrades. An HTTP POST
> TN> request for this file causes the web server to hang. The web server will stop
> TN> responding to requests and the administrative interface will become inaccessible
> TN> until the router is physically restarted.
>
> TN> While the router will still continue to function at the network level, i.e. it will
> TN> still respond to ICMP echo requests and issue leases via DHCP, an administrator will
> TN> no longer be able to interact with the administrative web interface.
>
> TN> This attack can be carried out internally within the network, or over the Internet
> TN> if the administrator has enabled the "Remote Management" feature on the router.
>
> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>
> TN> III. VENDOR RESPONSE
>
> TN> 12 June, 2009 - Contacted vendor.
> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life
> TN> product and is no longer supported in a production and development sense, as such,
> TN> there will be no further firmware releases to resolve this issue.
>
> TN> IV. CREDIT
>
> TN> Discovered by Tom Neaves
>
> TN> _______________________________________________
> TN> Full-Disclosure - We believe in it.
> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> TN> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> --
> Skype: Vladimir.Dubrovin
> ~/ZARAZA http://securityvulns.com/
> For facts are facts, and they are set down only so that they be understood
> and believed. (Twain)
>
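Detection on the defender's side, as an added example that is not part of this thread: the request the advisory describes (a POST to /cgi-bin/firmwarecfg) can be picked out of an access log kept by a proxy or IDS in front of the router, and the Referer separates a form submitted from the admin UI itself from one issued by a victim's browser from some other page, which is the vector Vladimir raises. The combined-format log lines, the router address 192.168.0.1 and the presence of such a log at all are constructed assumptions; the page names neither.

```python
import re
from urllib.parse import urlsplit

# Combined log format with the Referer field; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Assumption: the router's LAN address. The advisory names no IP; 192.168.0.1 is only
# a placeholder for whatever the device is really configured with.
ROUTER_HOSTS = {"192.168.0.1"}
SENSITIVE_PATH = "/cgi-bin/firmwarecfg"  # the file named in the advisory


def classify(line):
    """Return None for uninteresting lines, else a dict describing the hit."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or m["path"] != SENSITIVE_PATH:
        return None
    ref = m["referer"]
    if ref in ("", "-"):
        origin = "none"         # no Referer: scripted client or a stripped header
    elif urlsplit(ref).hostname in ROUTER_HOSTS:
        origin = "router"       # form submitted from the admin UI itself
    else:
        origin = "cross-site"   # a page elsewhere pointed the browser at the router
    return {"src": m["src"], "ts": m["ts"], "referer_origin": origin}


def scan(lines):
    """All firmwarecfg POSTs in the log, each tagged with where the Referer points."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample: one legitimate upgrade, one cross-site POST, one with no Referer.
SAMPLE_LOG = """\
192.168.0.23 - - [16/Jun/2009:10:01:02 +0100] "GET /cgi-bin/status HTTP/1.1" 200 812 "http://192.168.0.1/"
192.168.0.23 - - [16/Jun/2009:10:02:11 +0100] "POST /cgi-bin/firmwarecfg HTTP/1.1" 200 0 "http://192.168.0.1/upgrade.htm"
192.168.0.45 - - [16/Jun/2009:10:05:40 +0100] "POST /cgi-bin/firmwarecfg HTTP/1.1" 200 0 "http://example.invalid/free-stuff.html"
192.168.0.45 - - [16/Jun/2009:10:05:41 +0100] "POST /cgi-bin/firmwarecfg HTTP/1.1" 200 0 "-"
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

A "cross-site" or "none" hit against a device that then stops answering on port 80 while it still answers ping is exactly the state the advisory describes, and is worth alerting on since no firmware fix exists.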