Adrian, If you can execute javascript - what is a reason to wait for user to click the link? The message I reply stated there is no need to force user to visit Web page and clicking the obfuscated link _sent_ to admin is enougth. I replied in this case only GET request is possible. Read the thread carefully before making conclusions. --Wednesday, June 17, 2009, 2:58:15 AM, you wrote to [email protected]:
AP> you would be surprised how many people out there (mistakenly) still AP> think that only GET requests are CSRFable! AP> 2009/6/16 Jeremi Gosney <[email protected]>: >> Vladimir: "Where there is an open mind, there will always be a frontier." - >> Charles Kettering >> >> <form method='post' >> action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'> >> <input type='hidden' value=''> >> </form> >> <a href='http://www.google.com' >> onclick='document.DoS.submit();'>Google</a> >> >> >> >> -----Original Message----- >> From: [email protected] >> [mailto:[email protected]] On Behalf Of >> Vladimir Dubrovin >> Sent: Tuesday, June 16, 2009 9:43 AM >> To: sr. >> Cc: [email protected] >> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability >> >> Dear sr., >> >> clicking on the link can not produce POST request, only GET, unless >> there are some special conditions, like crossite scripting >> vulnerability in the router. >> >> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 >> Router Remote DoS Vulnerability to [email protected]; >> >> s> it could still be carried out remotely by obfuscating a link sent to the >> s> "admin" of the device. this would obviously rely on the admin clicking on >> s> the link, and is more of a phishing / social engineering style attack. >> this >> s> would also rely on the router being setup with all of the default internal >> s> LAN ip's. >> >> s> sr. >> >> >> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <[email protected]> >> >>>> Dear Tom Neaves, >>>> >>>> It still can be exploited from Internet even if "remote management" is >>>> only accessible from local network. If you can trick user to visit Web >>>> page, you can place a form on this page which targets to router and >>>> request to router is issued from victim's browser. >>>> >>>> >>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to [email protected]: >>>> >>>> TN> Hi. >>>> >>>> TN> I see where you're going but I think you're missing the point a little. >>>> By >>>> TN> *default* the web interface is enabled on the LAN and accessible by >>>> anyone >>>> TN> on that LAN and the "remote management" interface (for the Internet) is >>>> TN> turned off. If the "remote management" interface was enabled, stopping >>>> ICMP >>>> TN> echo responses would not resolve this issue at all, turning the >>>> interface >>>> TN> off would do though (or restricting by IP, ...ack). The "remote >>>> management" >>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no >>>> amount of >>>> TN> dropping ICMP goodness will help with this. Anyhow, I am happy to >>>> discuss >>>> TN> this off list with you if its still not clear to save spamming >>>> everyone's >>>> TN> inboxes. :o) >>>> >>>> TN> Tom >>>> >>>> TN> ----- Original Message ----- >>>> TN> From: Alaa El yazghi >>>> TN> To: Tom Neaves >>>> TN> Cc: [email protected] ; >>>> [email protected] >>>> TN> Sent: Monday, June 15, 2009 11:03 PM >>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability >>>> >>>> >>>> TN> I know and I understand. What I wanted to mean is that we can not >>>> eventually >>>> TN> acces to the web interface of a netgear router remotely if we cannot >>>> localy. >>>> TN> As for the DoS, it is simple to solve such attack from outside. We >>>> just >>>> TN> disable receiving pings (There is actually an option in even the lowest >>>> TN> series) and thus, we would be able to have a remote management without >>>> ICMP >>>> TN> requests. >>>> >>>> >>>> >>>> TN> 2009/6/15 Tom Neaves <[email protected]> >>>> >>>> TN> Hi. >>>> >>>> TN> I'm not quite sure of your question... >>>> >>>> TN> The DoS can be carried out remotely, however one mitigating factor >>>> (which >>>> TN> makes it a low risk as opposed to sirens and alarms...) is that its >>>> turned >>>> TN> off by default - you have to explicitly enable it under "Remote >>>> Management" >>>> TN> on the device if you want to access it/carry out the DoS over the >>>> Internet. >>>> TN> However, it is worth noting that anyone on your LAN can *remotely* >>>> carry out >>>> TN> this attack regardless of this management feature being on/off. >>>> >>>> TN> I hope this clarifies it for you. >>>> >>>> TN> Tom >>>> TN> ----- Original Message ----- >>>> TN> From: Alaa El yazghi >>>> TN> To: Tom Neaves >>>> TN> Cc: [email protected] ; >>>> [email protected] >>>> TN> Sent: Monday, June 15, 2009 10:45 PM >>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability >>>> >>>> >>>> TN> How can it be carried out remotely if it bugs localy? >>>> >>>> >>>> TN> 2009/6/15 Tom Neaves <[email protected]> >>>> >>>> TN> Product Name: Netgear DG632 Router >>>> TN> Vendor: http://www.netgear.com >>>> TN> Date: 15 June, 2009 >>>> TN> Author: [email protected] <[email protected]> >>>> TN> Original URL: >>>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt >>>> TN> Discovered: 18 November, 2006 >>>> TN> Disclosed: 15 June, 2009 >>>> >>>> TN> I. DESCRIPTION >>>> >>>> TN> The Netgear DG632 router has a web interface which runs on port 80. >>>> This >>>> TN> allows an admin to login and administer the device's settings. >>>> However, >>>> TN> a Denial of Service (DoS) vulnerability exists that causes the web >>>> interface >>>> TN> to crash and stop responding to further requests. >>>> >>>> TN> II. DETAILS >>>> >>>> TN> Within the "/cgi-bin/" directory of the administrative web interface >>>> exists >>>> TN> a >>>> TN> file called "firmwarecfg". This file is used for firmware upgrades. A >>>> HTTP >>>> TN> POST >>>> TN> request for this file causes the web server to hang. The web server >>>> will >>>> TN> stop >>>> TN> responding to requests and the administrative interface will become >>>> TN> inaccessible >>>> TN> until the router is physically restarted. >>>> >>>> TN> While the router will still continue to function at the network level, >>>> i.e. >>>> TN> it will >>>> TN> still respond to ICMP echo requests and issue leases via DHCP, an >>>> TN> administrator will >>>> TN> no longer be able to interact with the administrative web interface. >>>> >>>> TN> This attack can be carried out internally within the network, or over >>>> the >>>> TN> Internet >>>> TN> if the administrator has enabled the "Remote Management" feature on the >>>> TN> router. >>>> >>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown) >>>> >>>> TN> III. VENDOR RESPONSE >>>> >>>> TN> 12 June, 2009 - Contacted vendor. >>>> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life >>>> TN> product and is no >>>> TN> longer supported in a production and development sense, as such, there >>>> will >>>> TN> be no further >>>> TN> firmware releases to resolve this issue. >>>> >>>> TN> IV. CREDIT >>>> >>>> TN> Discovered by Tom Neaves >>>> >>>> TN> _______________________________________________ >>>> TN> Full-Disclosure - We believe in it. >>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> TN> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >>>> >>>> -- >>>> Skype: Vladimir.Dubrovin >>>> ~/ZARAZA http://securityvulns.com/ >>>> Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них >>>> поверили. (Твен) >>>> >>>> _______________________________________________ >>>> Full-Disclosure - We believe in it. >>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>>> Hosted and sponsored by Secunia - http://secunia.com/ >>>> >> >> >> >> -- >> Vladimir Dubrovin Systems Engineer >> http://nnov.stream.ru Stream-TV >> http://securityvulns.ru Nizhny Novgorod, Russia >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ AP> _______________________________________________ AP> Full-Disclosure - We believe in it. AP> Charter: http://lists.grok.org.uk/full-disclosure-charter.html AP> Hosted and sponsored by Secunia - http://secunia.com/ -- Skype: Vladimir.Dubrovin ~/ZARAZA http://securityvulns.com/ Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
