you would be surprised how many people out there (mistakenly) still think that only GET requests are CSRFable!
2009/6/16 Jeremi Gosney <[email protected]>:
> Vladimir: "Where there is an open mind, there will always be a frontier." - Charles Kettering
>
> <form method='post' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
> <input type='hidden' value=''>
> </form>
> <a href='http://www.google.com' onclick='document.DoS.submit();'>Google</a>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Vladimir Dubrovin
> Sent: Tuesday, June 16, 2009 9:43 AM
> To: sr.
> Cc: [email protected]
> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>
> Dear sr.,
>
> clicking on the link can not produce a POST request, only GET, unless there are some special conditions, like a cross-site scripting vulnerability in the router.
>
> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability to [email protected];
>
> s> it could still be carried out remotely by obfuscating a link sent to the "admin" of the device. this would obviously rely on the admin clicking on the link, and is more of a phishing / social engineering style attack. this would also rely on the router being set up with all of the default internal LAN IPs.
>
> s> sr.
>
> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <[email protected]>
>
>>> Dear Tom Neaves,
>>>
>>> It still can be exploited from the Internet even if "remote management" is only accessible from the local network. If you can trick a user into visiting a Web page, you can place a form on this page which targets the router, and the request to the router is issued from the victim's browser.
>>>
>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to [email protected]:
>>>
>>> TN> Hi.
>>>
>>> TN> I see where you're going but I think you're missing the point a little. By *default* the web interface is enabled on the LAN and accessible by anyone on that LAN, and the "remote management" interface (for the Internet) is turned off. If the "remote management" interface was enabled, stopping ICMP echo responses would not resolve this issue at all; turning the interface off would do though (or restricting by IP, ...ack). The "remote management" (love those quotes...) interface speaks over HTTP, hence TCP, so no amount of dropping ICMP goodness will help with this. Anyhow, I am happy to discuss this off list with you if it's still not clear, to save spamming everyone's inboxes. :o)
>>>
>>> TN> Tom
>>>
>>> TN> ----- Original Message -----
>>> TN> From: Alaa El yazghi
>>> TN> To: Tom Neaves
>>> TN> Cc: [email protected] ; [email protected]
>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>
>>> TN> I know and I understand. What I wanted to mean is that we cannot eventually access the web interface of a Netgear router remotely if we cannot locally. As for the DoS, it is simple to solve such an attack from outside. We just disable receiving pings (there is actually an option in even the lowest series) and thus we would be able to have remote management without ICMP requests.
>>>
>>> TN> 2009/6/15 Tom Neaves <[email protected]>
>>>
>>> TN> Hi.
>>>
>>> TN> I'm not quite sure of your question...
>>>
>>> TN> The DoS can be carried out remotely, however one mitigating factor (which makes it a low risk as opposed to sirens and alarms...) is that it's turned off by default - you have to explicitly enable it under "Remote Management" on the device if you want to access it/carry out the DoS over the Internet. However, it is worth noting that anyone on your LAN can *remotely* carry out this attack regardless of this management feature being on/off.
>>>
>>> TN> I hope this clarifies it for you.
>>>
>>> TN> Tom
>>> TN> ----- Original Message -----
>>> TN> From: Alaa El yazghi
>>> TN> To: Tom Neaves
>>> TN> Cc: [email protected] ; [email protected]
>>> TN> Sent: Monday, June 15, 2009 10:45 PM
>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>
>>> TN> How can it be carried out remotely if it bugs locally?
>>>
>>> TN> 2009/6/15 Tom Neaves <[email protected]>
>>>
>>> TN> Product Name: Netgear DG632 Router
>>> TN> Vendor: http://www.netgear.com
>>> TN> Date: 15 June, 2009
>>> TN> Author: [email protected] <[email protected]>
>>> TN> Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>>> TN> Discovered: 18 November, 2006
>>> TN> Disclosed: 15 June, 2009
>>>
>>> TN> I. DESCRIPTION
>>>
>>> TN> The Netgear DG632 router has a web interface which runs on port 80. This allows an admin to log in and administer the device's settings. However, a Denial of Service (DoS) vulnerability exists that causes the web interface to crash and stop responding to further requests.
>>>
>>> TN> II. DETAILS
>>>
>>> TN> Within the "/cgi-bin/" directory of the administrative web interface exists a file called "firmwarecfg". This file is used for firmware upgrades. An HTTP POST request for this file causes the web server to hang. The web server will stop responding to requests and the administrative interface will become inaccessible until the router is physically restarted.
>>>
>>> TN> While the router will still continue to function at the network level, i.e. it will still respond to ICMP echo requests and issue leases via DHCP, an administrator will no longer be able to interact with the administrative web interface.
>>>
>>> TN> This attack can be carried out internally within the network, or over the Internet if the administrator has enabled the "Remote Management" feature on the router.
>>>
>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>>
>>> TN> III. VENDOR RESPONSE
>>>
>>> TN> 12 June, 2009 - Contacted vendor.
>>> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life product and is no longer supported in a production and development sense; as such, there will be no further firmware releases to resolve this issue.
>>>
>>> TN> IV. CREDIT
>>>
>>> TN> Discovered by Tom Neaves
>>>
>>> TN> _______________________________________________
>>> TN> Full-Disclosure - We believe in it.
>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> --
>>> Skype: Vladimir.Dubrovin
>>> ~/ZARAZA http://securityvulns.com/
>>> For facts are facts, and they are set forth only so that they may be understood and believed. (Twain)
>
> --
> Vladimir Dubrovin          Systems Engineer
> http://nnov.stream.ru      Stream-TV
> http://securityvulns.ru    Nizhny Novgorod, Russia
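The point of the thread is that a browser can be made to send a POST to the router just as easily as a GET, so a handler that relies on "POST can't come from a link" has no CSRF protection at all. The check a state-changing CGI endpoint should perform instead is shown below as an added example; it is not code from the thread, from Netgear, or from the DG632 firmware. It assumes the admin UI lives at the origin `http://192.168.1.1` (taken from the form in Jeremi's message), stores a per-session synchroniser token server-side, and embeds that token in its own forms; the request samples at the bottom are constructed to mirror what a browser sends for a same-origin submission versus a third-party auto-submitted form.

```python
import hmac
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed origin of the router's admin interface (from the form in the thread).
ADMIN_ORIGIN = "http://192.168.1.1"


def issue_csrf_token() -> str:
    """Generate an unguessable per-session token; the server keeps it and
    writes it into every form it renders (hypothetical server-side store)."""
    return secrets.token_urlsafe(32)


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Return scheme://host[:port] of the page that issued the request.
    Browsers send Origin on cross-site POSTs; older ones only send Referer,
    so fall back to the Referer's origin part. 'null' is returned as-is so it
    fails the equality check below (sandboxed or privacy-restricted pages)."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(method: str, headers: Dict[str, str], form: Dict[str, str],
               session_token: str) -> Tuple[bool, str]:
    """Decide whether a request may change state. Returns (allowed, reason).
    The HTTP method is deliberately not the deciding factor: only safe methods
    are waved through, and they must not change state in the first place."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method; must be side-effect free"

    # Layer 1: the request must originate from our own admin UI.
    origin = request_origin(headers)
    if origin is None:
        return False, "no Origin/Referer on a state-changing request"
    if origin != ADMIN_ORIGIN:
        return False, f"cross-site origin {origin!r}"

    # Layer 2: the form must carry the token only our own pages know.
    # compare_digest on bytes avoids both timing leaks and TypeError on
    # non-ASCII input.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode("utf-8"),
                               session_token.encode("utf-8")):
        return False, "missing or wrong csrf_token"
    return True, "same-origin request with valid token"


def evaluate_samples(session_token: str) -> List[Tuple[str, bool]]:
    """Run constructed sample requests through the check. The 'auto-submitted
    third-party form' case is what the browser would send for a
    <form method='post'> hosted on some other site (origin is a placeholder)."""
    samples = [
        ("same-origin form with token",
         "POST", {"Origin": ADMIN_ORIGIN}, {"csrf_token": session_token}),
        ("auto-submitted third-party form",
         "POST", {"Origin": "http://attacker.invalid"}, {}),
        ("legacy browser, Referer only, with token",
         "POST", {"Referer": f"{ADMIN_ORIGIN}/cgi-bin/firmwarecfg"},
         {"csrf_token": session_token}),
        ("same-origin but stale token",
         "POST", {"Origin": ADMIN_ORIGIN}, {"csrf_token": "stale"}),
        ("no provenance headers at all", "POST", {}, {"csrf_token": session_token}),
        ("plain GET of the page", "GET", {}, {}),
    ]
    return [(name, csrf_check(m, h, f, session_token)[0])
            for name, m, h, f in samples]


if __name__ == "__main__":
    token = issue_csrf_token()
    for name, allowed in evaluate_samples(token):
        print(f"{'ALLOW' if allowed else 'DENY ':5}  {name}")
```

The two layers are independent on purpose: the origin check catches the auto-submitted form from the thread even when the token handling is wrong, and the token catches a forged or missing Origin on clients that do not send one. A SameSite cookie attribute would add a third layer on modern browsers, but a 2009-era embedded device cannot count on it, which is why the server-side token remains the baseline.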
