3APA3A, I was actually *agreeing* with you! lols. I think something got lost in translation! Sorry if I confused anyone really.
Good luck.

2009/6/17 Vladimir '3APA3A' Dubrovin <[email protected]>:
> Adrian,
>
> If you can execute javascript - what is a reason to wait for user to
> click the link? The message I reply stated there is no need to force
> user to visit Web page and clicking the obfuscated link _sent_ to
> admin is enough. I replied in this case only GET request is possible.
> Read the thread carefully before making conclusions.
>
>
> --Wednesday, June 17, 2009, 2:58:15 AM, you wrote to
> [email protected]:
>
> AP> you would be surprised how many people out there (mistakenly) still
> AP> think that only GET requests are CSRFable!
>
> AP> 2009/6/16 Jeremi Gosney <[email protected]>:
>>> Vladimir: "Where there is an open mind, there will always be a frontier." -
>>> Charles Kettering
>>>
>>> <form method='post'
>>> action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
>>> <input type='hidden' value=''>
>>> </form>
>>> <a href='http://www.google.com'
>>> onclick='document.DoS.submit();'>Google</a>
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [email protected]
>>> [mailto:[email protected]] On Behalf Of
>>> Vladimir Dubrovin
>>> Sent: Tuesday, June 16, 2009 9:43 AM
>>> To: sr.
>>> Cc: [email protected]
>>> Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability
>>>
>>> Dear sr.,
>>>
>>> clicking on the link can not produce POST request, only GET, unless
>>> there are some special conditions, like cross-site scripting
>>> vulnerability in the router.
>>>
>>> --16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632
>>> Router Remote DoS Vulnerability to [email protected];
>>>
>>> s> it could still be carried out remotely by obfuscating a link sent to the
>>> s> "admin" of the device. this would obviously rely on the admin clicking on
>>> s> the link, and is more of a phishing / social engineering style attack. this
>>> s> would also rely on the router being set up with all of the default internal
>>> s> LAN IPs.
>>>
>>> s> sr.
>>>
>>>
>>> s> 2009/6/16 Vladimir '3APA3A' Dubrovin <[email protected]>
>>>
>>>>> Dear Tom Neaves,
>>>>>
>>>>> It still can be exploited from Internet even if "remote management" is
>>>>> only accessible from local network. If you can trick user to visit Web
>>>>> page, you can place a form on this page which targets to router and
>>>>> request to router is issued from victim's browser.
>>>>>
>>>>>
>>>>> --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to [email protected]:
>>>>>
>>>>> TN> Hi.
>>>>>
>>>>> TN> I see where you're going but I think you're missing the point a little. By
>>>>> TN> *default* the web interface is enabled on the LAN and accessible by anyone
>>>>> TN> on that LAN and the "remote management" interface (for the Internet) is
>>>>> TN> turned off. If the "remote management" interface was enabled, stopping ICMP
>>>>> TN> echo responses would not resolve this issue at all, turning the interface
>>>>> TN> off would do though (or restricting by IP, ...ack). The "remote management"
>>>>> TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
>>>>> TN> dropping ICMP goodness will help with this. Anyhow, I am happy to discuss
>>>>> TN> this off list with you if it's still not clear to save spamming everyone's
>>>>> TN> inboxes. :o)
>>>>>
>>>>> TN> Tom
>>>>>
>>>>> TN> ----- Original Message -----
>>>>> TN> From: Alaa El yazghi
>>>>> TN> To: Tom Neaves
>>>>> TN> Cc: [email protected] ;
>>>>> [email protected]
>>>>> TN> Sent: Monday, June 15, 2009 11:03 PM
>>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>>
>>>>>
>>>>> TN> I know and I understand. What I wanted to mean is that we can not eventually
>>>>> TN> access the web interface of a netgear router remotely if we cannot locally.
>>>>> TN> As for the DoS, it is simple to solve such attack from outside. We just
>>>>> TN> disable receiving pings (There is actually an option in even the lowest
>>>>> TN> series) and thus, we would be able to have a remote management without ICMP
>>>>> TN> requests.
>>>>>
>>>>>
>>>>>
>>>>> TN> 2009/6/15 Tom Neaves <[email protected]>
>>>>>
>>>>> TN> Hi.
>>>>>
>>>>> TN> I'm not quite sure of your question...
>>>>>
>>>>> TN> The DoS can be carried out remotely, however one mitigating factor (which
>>>>> TN> makes it a low risk as opposed to sirens and alarms...) is that it's turned
>>>>> TN> off by default - you have to explicitly enable it under "Remote Management"
>>>>> TN> on the device if you want to access it/carry out the DoS over the Internet.
>>>>> TN> However, it is worth noting that anyone on your LAN can *remotely* carry out
>>>>> TN> this attack regardless of this management feature being on/off.
>>>>>
>>>>> TN> I hope this clarifies it for you.
>>>>>
>>>>> TN> Tom
>>>>> TN> ----- Original Message -----
>>>>> TN> From: Alaa El yazghi
>>>>> TN> To: Tom Neaves
>>>>> TN> Cc: [email protected] ;
>>>>> [email protected]
>>>>> TN> Sent: Monday, June 15, 2009 10:45 PM
>>>>> TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability
>>>>>
>>>>>
>>>>> TN> How can it be carried out remotely if it bugs locally?
>>>>>
>>>>>
>>>>> TN> 2009/6/15 Tom Neaves <[email protected]>
>>>>>
>>>>> TN> Product Name: Netgear DG632 Router
>>>>> TN> Vendor: http://www.netgear.com
>>>>> TN> Date: 15 June, 2009
>>>>> TN> Author: [email protected] <[email protected]>
>>>>> TN> Original URL:
>>>>> TN> http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
>>>>> TN> Discovered: 18 November, 2006
>>>>> TN> Disclosed: 15 June, 2009
>>>>>
>>>>> TN> I. DESCRIPTION
>>>>>
>>>>> TN> The Netgear DG632 router has a web interface which runs on port 80. This
>>>>> TN> allows an admin to login and administer the device's settings. However,
>>>>> TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
>>>>> TN> to crash and stop responding to further requests.
>>>>>
>>>>> TN> II. DETAILS
>>>>>
>>>>> TN> Within the "/cgi-bin/" directory of the administrative web interface exists a
>>>>> TN> file called "firmwarecfg". This file is used for firmware upgrades. A HTTP POST
>>>>> TN> request for this file causes the web server to hang. The web server will stop
>>>>> TN> responding to requests and the administrative interface will become inaccessible
>>>>> TN> until the router is physically restarted.
>>>>>
>>>>> TN> While the router will still continue to function at the network level, i.e. it will
>>>>> TN> still respond to ICMP echo requests and issue leases via DHCP, an administrator will
>>>>> TN> no longer be able to interact with the administrative web interface.
>>>>>
>>>>> TN> This attack can be carried out internally within the network, or over the Internet
>>>>> TN> if the administrator has enabled the "Remote Management" feature on the router.
>>>>>
>>>>> TN> Affected Versions: Firmware V3.4.0_ap (others unknown)
>>>>>
>>>>> TN> III. VENDOR RESPONSE
>>>>>
>>>>> TN> 12 June, 2009 - Contacted vendor.
>>>>> TN> 15 June, 2009 - Vendor responded. Stated the DG632 is an end of life
>>>>> TN> product and is no longer supported in a production and development sense,
>>>>> TN> as such, there will be no further firmware releases to resolve this issue.
>>>>>
>>>>> TN> IV. CREDIT
>>>>>
>>>>> TN> Discovered by Tom Neaves
>>>>>
>>>>> TN> _______________________________________________
>>>>> TN> Full-Disclosure - We believe in it.
>>>>> TN> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> TN> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>>
>>>>> --
>>>>> Skype: Vladimir.Dubrovin
>>>>> ~/ZARAZA http://securityvulns.com/
>>>>> For facts are facts, and they are set forth only so that they may be
>>>>> understood and believed. (Twain)
>>>>>
>>>
>>>
>>>
>>> --
>>> Vladimir Dubrovin Systems Engineer
>>> http://nnov.stream.ru Stream-TV
>>> http://securityvulns.ru Nizhny Novgorod, Russia
>>>
>
>
> --
> Skype: Vladimir.Dubrovin
> ~/ZARAZA http://securityvulns.com/
> Firing the second time, he crippled a bystander. The bystander was me. (Twain)
>
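The thread's point is that a LAN-only admin interface is still reachable from the Internet through the admin's own browser, whether by a GET link or a scripted POST form, so the router itself has to tell a cross-site request from one issued by its own pages. As an added example (not code from the thread or from Netgear), the following is a server-side Origin/Referer check of the kind an embedded admin interface can run before it reads a request body; the trusted origins, the second state-changing path and the sample requests are constructed for this example.

```python
from urllib.parse import urlsplit

# Origins from which the router legitimately serves its admin pages
# (constructed values; a real device would derive them from its LAN address).
TRUSTED_ORIGINS = {"http://192.168.1.1", "http://router.local"}

# Endpoints that change device state. firmwarecfg is the one in the
# advisory; reboot is a constructed second entry.
STATE_CHANGING_PATHS = {"/cgi-bin/firmwarecfg", "/cgi-bin/reboot"}

def origin_of(url):
    """Reduce a URL to scheme://host[:port]; '' if it has no usable origin
    (a missing header, the literal 'null' origin, or garbage)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()

def is_allowed(method, path, headers):
    """Decide before the body is read or the CGI is invoked; the DoS in
    the advisory is triggered by the POST itself, so a rejected request
    must never reach the handler.

    Read-only paths pass. State-changing paths must carry an Origin (or,
    failing that, Referer) naming a trusted origin; no header at all fails
    closed. The method is deliberately ignored: a cross-site GET link and
    a cross-site POST form are refused alike."""
    h = {k.lower(): v for k, v in headers.items()}
    if path not in STATE_CHANGING_PATHS:
        return True
    source = h.get("origin") or h.get("referer") or ""
    return origin_of(source) in TRUSTED_ORIGINS

# Constructed sample requests mirroring the scenarios argued in the thread.
SAMPLE_REQUESTS = [
    ("POST", "/cgi-bin/firmwarecfg", {"Origin": "http://192.168.1.1"}),    # admin's own session
    ("POST", "/cgi-bin/firmwarecfg", {"Origin": "http://evil.example"}),   # hidden form on a web page
    ("GET", "/cgi-bin/firmwarecfg", {"Referer": "http://evil.example/p"}), # link on a web page
    ("GET", "/cgi-bin/firmwarecfg", {}),                                    # link opened from a mail client
    ("GET", "/status.htm", {}),                                             # read-only page
]

def evaluate_samples():
    """Return the allow/reject decision for each sample, in order."""
    return [is_allowed(m, p, h) for m, p, h in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for (m, p, h), ok in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{m:4} {p:22} {'allow' if ok else 'reject'}")
```

Only the first and last sample requests are allowed; the check alone does not fix the crash in firmwarecfg, it only keeps a browser on someone else's page from reaching it.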
