Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Alaa El yazghi
How can it be carried out remotely if it bugs locally?

2009/6/15 Tom Neaves t...@tomneaves.co.uk

 Product Name: Netgear DG632 Router
 Vendor: http://www.netgear.com
 Date: 15 June, 2009
 Author: t...@tomneaves.co.uk
 Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
 Discovered: 18 November, 2006
 Disclosed: 15 June, 2009

 I. DESCRIPTION

 The Netgear DG632 router has a web interface which runs on port 80.  This
 allows an admin to log in and administer the device's settings.  However,
 a Denial of Service (DoS) vulnerability exists that causes the web interface
 to crash and stop responding to further requests.

 II. DETAILS

 Within the /cgi-bin/ directory of the administrative web interface exists a
 file called firmwarecfg.  This file is used for firmware upgrades.  An HTTP
 POST request for this file causes the web server to hang.  The web server
 will stop responding to requests and the administrative interface will
 become inaccessible until the router is physically restarted.

 While the router will still continue to function at the network level, i.e.
 it will still respond to ICMP echo requests and issue leases via DHCP, an
 administrator will no longer be able to interact with the administrative web
 interface.

 This attack can be carried out internally within the network, or over the
 Internet if the administrator has enabled the Remote Management feature on
 the router.

 Affected Versions: Firmware V3.4.0_ap (others unknown)

 III. VENDOR RESPONSE

 12 June, 2009 - Contacted vendor.
 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
 product and is no longer supported in a production and development sense;
 as such, there will be no further firmware releases to resolve this issue.

 IV. CREDIT

 Discovered by Tom Neaves

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Alaa El yazghi
I know and I understand. What I meant is that we cannot eventually
access the web interface of a Netgear router remotely if we cannot locally.
As for the DoS, it is simple to solve such an attack from outside. We just
disable receiving pings (there is actually an option in even the lowest
series) and thus, we would be able to have remote management without ICMP
requests.



2009/6/15 Tom Neaves t...@tomneaves.co.uk

 Hi.

 I'm not quite sure of your question...

 The DoS can be carried out remotely, however one mitigating factor (which
 makes it a low risk as opposed to sirens and alarms...) is that it's turned
 off by default - you have to explicitly enable it under Remote Management
 on the device if you want to access it/carry out the DoS over the Internet.
 However, it is worth noting that anyone on your LAN can *remotely* carry out
 this attack regardless of this management feature being on/off.

 I hope this clarifies it for you.

 Tom

 - Original Message -
 From: Alaa El yazghi m.elyaz...@gmail.com
 To: Tom Neaves t...@tomneaves.co.uk
 Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
 Sent: Monday, June 15, 2009 10:45 PM
 Subject: Re: Netgear DG632 Router Remote DoS Vulnerability

 How can it be carried out remotely if it bugs locally?


[Full-disclosure] [TZO-33-2009] Fprot generic bypass (TAR)

2009-06-16 Thread Thierry Zoller


From the low-hanging-fruit-department
 F-prot generic TAR bypass / evasion


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated Luxembourgish security conference. 
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.


Release mode: Coordinated but limited disclosure.
Ref : [TZO-33-2009] - F-prot TAR bypass / evasion
WWW : 
http://blog.zoller.lu/2009/06/advisory-frisk-f-prot-evasion-tar.html
Vendor  : http://www.f-prot.com
Status  : Current version not patched, next engine version will be patched
  in version 4.5.0. Vendor didn't reply if said version is
  now in circulation.
CVE : none provided
Credit  : Given in the History file 
OSVDB vendor entry: none [1]
Security notification reaction rating : better than last time
Notification to patch window : n+1 (no patch for current build)

Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products (all versions up to 4.5.0 which is not released yet) 
- F-PROT AVES (High: complete bypass of engine)
- F-PROT Antivirus for Windows (unknown)
- F-PROT Antivirus for Windows on Mail Servers : (High: complete bypass of 
engine) 
- F-PROT Antivirus for Exchange (High: complete bypass of engine)
- F-PROT Antivirus for Linux x86 Mail Servers : (High: complete bypass of 
engine)
- F-PROT Antivirus for Linux x86 File Servers : (High: complete bypass of 
engine)
- F-PROT Antivirus for Solaris SPARC / Solaris x86 Mail Servers (High: complete 
bypass of engine)
- F-PROT Milter - for example sendmail (High: complete bypass of engine)
- F-PROT Antivirus for Linux on IBM zSeries (S/390) (High: complete bypass of 
engine)
- F-Prot Antivirus for Linux x86 Workstations (unknown)

OEM Partners affected :
- Authentium  (all versions)

OEM Partners with unknown status :
- Sendmail, Inc.
- G-Data


I. Background
~
Quote: FRISK Software International, established in 1993, is one of the 
world's leading companies in antivirus research and product development.

FRISK Software produces the hugely popular F-Prot Antivirus products range 
offering unrivalled heuristic detection capabilities. In addition to this, 
the F-Prot AVES managed online e-mail security service filters away the 
nuisance of spam e-mail as well as viruses, worms and other malware that 
increasingly clog up inboxes and threaten data security.


II. Description
~~~
The parsing engine can be bypassed by a specially crafted and formatted
TAR archive. 

III. Impact
~~~
A general description of the impact and nature of AV Bypasses/evasions
can be read at : 
http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

The bug results in denying the engine the possibility to inspect
code within TAR archives. There is no inspection of the content
at all, and hence malicious code cannot be detected.


IV. Disclosure timeline
~
DD/MM/
28/04/2009 : Sent proof of concept, a description of the terms under which 
 I cooperate and the planned disclosure date.

 No reply
 
11/05/2009 : Resending PoC file, asking to please reply

20/05/2009 : Frisk replies that it was unable to extract the PoC file with
 tar and hence sees no bypass.
 
20/05/2009 : Inform Frisk that the PoC extracts fine with WinZip
 

22/05/2009 : Frisk sends a lengthy e-mail re-discussing bypasses/evasions

22/05/2009 : I state that I will not discuss this topic any further; everything
 has been said and written multiple times. Either Frisk patches
 or they do not.
 
22/05/2009 : Frisk states that the changes to the parsing code are minor,
 i.e. not relying on the checksum. The patch will be included
 in the next release candidate 4.5.0 and credit will be given
 in the History file.

Comment: I give 4.5.0 some time to be released.
 
10/06/2009 : Ask Frisk if 4.5.0 has been released now

 No reply
 
14/06/2009 : Release of this advisory

[1] F-prot is encouraged to leave their security contact details at
http://osvdb.org/vendor/1/Frisk%20Software%20International
to facilitate communication and reduce lost reports.






Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Hanno Böck
On Monday 15 June 2009, Tom Neaves wrote:
 Within the /cgi-bin/ directory of the administrative web interface exists a
 file called firmwarecfg.  This file is used for firmware upgrades.  An HTTP
 POST request for this file causes the web server to hang.  The web server
 will stop responding to requests and the administrative interface will
 become inaccessible until the router is physically restarted.

 While the router will still continue to function at the network level, i.e.
 it will still respond to ICMP echo requests and issue leases via DHCP, an
 administrator will no longer be able to interact with the administrative web
 interface.

 This attack can be carried out internally within the network, or over the
 Internet if the administrator has enabled the Remote Management feature on
 the router.

Don't have such a device for tests, but isn't it possible to exploit this 
remotely through CSRF even without Remote Management option?
(i.e. put some javascript on a webpage sending a post request to the default 
ip of the router?)

-- 
Hanno Böck  Blog:   http://www.hboeck.de/
GPG: 3DBD3B20   Jabber/Mail:ha...@hboeck.de
http://ausdenaugenausdemsinn.de - No security discount for CO2 storage
http://tinyurl.com/dceu73 - Stop Internet censorship!

http://schokokeks.org - professional webhosting



Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
Dear Tom Neaves,

 It  still can be exploited from Internet even if remote management is
only  accessible  from local network. If you can trick user to visit Web
page,  you  can  place  a  form on this page which targets to router and
request to router is issued from victim's browser.


--Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:

TN Hi.

TN I see where you're going but I think you're missing the point a little.  By
TN *default* the web interface is enabled on the LAN and accessible by anyone
TN on that LAN and the remote management interface (for the Internet) is
TN turned off.  If the remote management interface was enabled, stopping ICMP
TN echo responses would not resolve this issue at all, turning the interface
TN off would do though (or restricting by IP, ...ack).  The remote management
TN (love those quotes...) interface speaks over HTTP hence TCP so no amount of
TN dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss
TN this off list with you if it's still not clear to save spamming everyone's
TN inboxes. :o)

TN Tom


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
For facts are facts, and are set forth only so that they may be understood
and believed. (Twain)
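Hanno and Vladimir describe a cross-site POST from a LAN user's browser reaching the router's admin CGI without Remote Management. The following is an added example, not code from the DG632 firmware or from anyone in this thread, of the source check a device's web server could apply to such a request before handing it to the firmware-upgrade handler; the device host names and the gated path are constructed for the example.

```python
"""Source check for state-changing POSTs to a LAN device's admin CGI.

Added example, not code from the DG632 firmware or from any post in the
thread. A browser on the LAN, lured to an attacker's page, can be made to
POST to /cgi-bin/firmwarecfg on the router's default address; the browser
attaches an Origin (and usually a Referer) header to that cross-site POST,
which the device can compare against its own host names before acting.
"""
from urllib.parse import urlsplit

# Names and addresses the device answers to. Constructed for the example;
# a real device would derive these from its configured LAN address.
DEVICE_HOSTS = frozenset({"192.168.0.1", "routerlogin.net"})

# Handlers that change device state; only the POST to firmwarecfg is
# described in the thread, so that is the one gated here.
STATE_CHANGING_PATHS = frozenset({"/cgi-bin/firmwarecfg"})


def _source_host(value):
    """Host part of an Origin or Referer value, or None if it is unusable."""
    if value is None:
        return None
    value = value.strip()
    if value.lower() == "null":        # opaque origin: sandboxed frame, file://, ...
        return None
    try:
        parts = urlsplit(value)
    except ValueError:                 # malformed bracketed host and the like
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()      # urlsplit strips the port for us


def admit_admin_request(method, path, headers):
    """Decide whether an admin CGI request may reach its handler.

    headers: mapping of header name -> value, names matched case-insensitively.
    Returns (allowed, reason).
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST" or path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing request"

    # Origin is authoritative when present. A present-but-unusable Origin
    # (e.g. "null") is refused outright rather than falling back to Referer,
    # which is only consulted for clients that send no Origin at all.
    if "origin" in hdr:
        host, source = _source_host(hdr["origin"]), "Origin"
    else:
        host, source = _source_host(hdr.get("referer")), "Referer"

    if host is None:
        # Fail closed: a request with no verifiable source is refused. This
        # also refuses old clients that send neither header, which is the
        # price of not letting an arbitrary web page drive the device.
        return False, f"no verifiable {source} for state-changing POST"
    if host in DEVICE_HOSTS:
        return True, f"{source} host {host} is this device"
    return False, f"cross-site POST from {host} refused"
```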


[Full-disclosure] [TZO-40-2009] Clamav generic bypass (RAR, CAB, ZIP)

2009-06-16 Thread Thierry Zoller


From the low-hanging-fruit-department
   Clamav generic evasion (RAR,CAB,ZIP)


Shameless plug :

You are invited to join the 2009 edition of HACK.LU, a small but 
concentrated Luxembourgish security conference. 
More information : http://www.hack.lu - CFP is open, sponsorship is still 
possible and warmly welcomed.


Release mode: Coordinated but limited disclosure.
Ref : [TZO-40-2009] - Clamav generic evasion (RAR,CAB,ZIP)
WWW : http://blog.zoller.lu/2009/05/advisory-clamav-generic-bypass.html
Vendor  : http://www.clamav.net 
  http://www.sourcefire.com/products/clamav
Status  : Patched (in version 0.95.2)
CVE : none provided
Credit  : Discovered - froggz 2005, Zoller 2007, ROGER Mickael 2009
Security notification reaction rating : good


Disclosure Policy : 
http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- ClamAV below 0.95.2


Affected systems:
- MACOSX server,
- IBM Secure E-mail Express Solution for System
http://www.clamav.net/about/who-use-clamav/

I. Background
~
Quote: Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, 
designed especially for e-mail scanning on mail gateways. It provides 
a number of utilities including a flexible and scalable multi-threaded
daemon, a command line scanner and advanced tool for automatic 
database updates. The core of the package is an anti-virus engine 
available in a form of shared library. 

II. Description
~~~
The parsing engine can be bypassed by manipulating RAR, ZIP archives 
in a certain way that the ClamAV engine cannot extract the content but
the end user is able to. 

III. Impact
~~~
To know more about the impact and type of evasion, I updated the 
description at http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Disclosure timeline
~
DD/MM/

No timeline, nothing particular to note.







[Full-disclosure] [IVIZ-09-003] CA ARCserve Denial of Service

2009-06-16 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 09-003                            16/06/2009 ]
---
iViZ Techno Solutions Pvt. Ltd.
                                           http://www.ivizsecurity.com
---


* Title:     CA ARCserve Denial of Service
* Software:  CA ARCserve Backup r12 SP1

--[ Synopsis:

   CA ARCserve Backup is vulnerable to a Denial of Service
   when a crafted packet is sent to the CA ARCserve Message
   Engine Service.


--[ Affected Software:

 * CA ARCserve Backup r12 SP1
 * Other versions may also be affected

--[ Technical description:

   CA ARCserve is vulnerable to a Denial of Service when a crafted
   RPC packet is sent to the Message engine service listening at
   6503/TCP port.

   The interface information is as follows:

[
 uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),
 version(1.0)
]

interface mIDA_interface
{

/* opcode: 0x13 */

long  (
 [in] long arg_1,
 [in] short arg_2,
 [in][size_is(65536), length_is(65536)] char * arg_3,
 [in] long arg_4,
 [out] long * arg_5
);

}

   A crafted RPC packet with values such as

arg_1 = 0x1
arg_4 = 0x1
arg_3 = { a character array of 65536 }

   will crash the message engine service. The bug exists in
   the ASCORE module and there exists more than one way to
   reach the buggy code.

   Buggy code @ASCORE module of msgeng.exe process running at 6503/TCP port

2123A736   6A 00          PUSH 0                          <- Pushes 0x0
2123A738   55             PUSH EBP
2123A739   E8 F20B        CALL ASCORE.2123B330
2123A73E   8B4C24 10      MOV ECX,DWORD PTR SS:[ESP+10]

#ASCORE.2123B330
2123B330   51             PUSH ECX
2123B331   8B4C24 08      MOV ECX,DWORD PTR SS:[ESP+8]    <- Copies 0x0 from stack to ECX
2123B335   8A81 1E01      MOV AL,BYTE PTR DS:[ECX+11E]    <- Bug: Access Violation
2123B33B   3C 03          CMP AL,3


--[ Impact:

   Denial of Service


--[ Vendor response:

   https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502


--[ Credits:

   This vulnerability was discovered by Nibin Varghese from
   iViZ Security Research Team
   http://www.ivizsecurity.com



[Full-disclosure] [IVIZ-09-004] CA ARCserve Denial of Service

2009-06-16 Thread iViZ Security Advisories
---
[ iViZ Security Advisory 09-004                            16/06/2009 ]
---
iViZ Techno Solutions Pvt. Ltd.
                                           http://www.ivizsecurity.com
---


* Title:     CA ARCserve Denial of Service
* Software:  CA ARCserve Backup r12 SP1

--[ Synopsis:

   CA ARCserve Backup is vulnerable to a Denial of Service
   when a crafted packet is sent to the CA ARCserve Message
   Engine Service.


--[ Affected Software:


 * CA ARCserve Backup r12 SP1
 * Other versions may also be affected

--[ Technical description:


   CA ARCserve is vulnerable to a Denial of Service when a crafted
   RPC packet is sent to the Message engine service listening at
   6503/TCP port.

   The interface information is as follows:
[
uuid(dc246bf0-7a7a-11ce-9f88-00805fe43838),
version(1.0)
]

interface mIDA_interface
{
typedef struct struct_9 {
long elem_1;
long elem_2;
char * elem_3;
char * elem_4;
long elem_5;
long elem_6;
long elem_7;
long elem_8;
short elem_9;
short elem_10;
} struct_9 ;

/* opcode: 0x3B, */

long  (
[in, out] struct struct_9 * arg_1
);

}


 A crafted RPC stub data of more than 38 bytes will crash the message
 engine service at RPCRT4.dll due to marshaling errors.


--[ Impact:

   Denial of Service


--[ Vendor response:

  https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502


--[ Credits:

   This vulnerability was discovered by Nibin Varghese from
   iViZ Security Research Team
   http://www.ivizsecurity.com
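Both iViZ advisories describe a single request to the message engine on 6503/TCP: IVIZ-09-003 is opcode 0x13 carrying a 65536-byte char array, IVIZ-09-004 is opcode 0x3B with stub data longer than 38 bytes. As an added example (not iViZ or CA code), the detector below parses connection-oriented DCE/RPC request PDUs and reassembles fragments per call_id before applying those two thresholds, because frag_length is 16 bits and a 64 KiB stub cannot arrive in one PDU. It assumes the TCP stream has already been reassembled into PDUs and that the bind to dc246bf0-7a7a-11ce-9f88-00805fe43838 was observed on the same connection, so opnums are interpreted against that interface; the PDU builder emits constructed samples, not captured traffic.

```python
"""Detect the two CA ARCserve message-engine crash conditions from
IVIZ-09-003 (opcode 0x13, 65536-byte char array) and IVIZ-09-004
(opcode 0x3B, stub data longer than 38 bytes) in DCE/RPC traffic.

Added example, not code from iViZ or CA. It parses connection-oriented
DCE/RPC request PDUs (16-byte common header, then alloc_hint, context id
and opnum) and reassembles request fragments by call_id. Assumptions: the
TCP 6503 stream is already split into PDUs, and the bind to interface
dc246bf0-7a7a-11ce-9f88-00805fe43838 was already seen on this connection.
"""
import struct

PTYPE_REQUEST = 0x00
PFC_FIRST_FRAG = 0x01
PFC_LAST_FRAG = 0x02
PFC_OBJECT_UUID = 0x80

# opnum -> (minimum total stub length that matches, advisory text)
RULES = {
    0x13: (65536, "IVIZ-09-003: 64 KiB char array sent to opcode 0x13"),
    0x3B: (39, "IVIZ-09-004: stub data longer than 38 bytes sent to opcode 0x3B"),
}


def parse_request_pdu(pdu):
    """Parse one CO DCE/RPC request PDU. Returns a dict, or None when the
    bytes are not a well-formed request (bind, response etc. are ignored)."""
    if len(pdu) < 24 or pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        return None
    flags = pdu[3]
    endian = "<" if pdu[4] & 0x10 else ">"     # drep byte 0, bit 4: little-endian ints
    frag_len, auth_len, call_id = struct.unpack(endian + "HHI", pdu[8:16])
    alloc_hint, ctx_id, opnum = struct.unpack(endian + "IHH", pdu[16:24])
    stub_start = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
    # An auth verifier, when present, trails the stub: 8-byte header + auth_len.
    stub_end = frag_len - (8 + auth_len if auth_len else 0)
    if frag_len > len(pdu) or stub_end < stub_start:
        return None
    return {"flags": flags, "call_id": call_id, "ctx_id": ctx_id,
            "opnum": opnum, "alloc_hint": alloc_hint,
            "stub": pdu[stub_start:stub_end]}


class RequestMonitor:
    """Reassembles request stubs per call_id and applies RULES to the
    complete stub once the last fragment has arrived."""

    def __init__(self):
        self._pending = {}   # call_id -> [opnum, bytearray]

    def feed(self, pdu):
        """Feed one PDU. Returns an alert string when a completed request
        matches a rule, otherwise None."""
        req = parse_request_pdu(pdu)
        if req is None:
            return None
        cid = req["call_id"]
        if req["flags"] & PFC_FIRST_FRAG or cid not in self._pending:
            self._pending[cid] = [req["opnum"], bytearray()]
        opnum, buf = self._pending[cid]
        buf += req["stub"]
        if not req["flags"] & PFC_LAST_FRAG:
            return None                      # wait for the rest of the request
        del self._pending[cid]
        rule = RULES.get(opnum)
        if rule and len(buf) >= rule[0]:
            return f"{rule[1]} (call_id={cid}, stub={len(buf)} bytes)"
        return None


def build_request_pdus(opnum, stub, call_id=1, max_stub=4096):
    """Constructed sample request PDUs (not captured traffic), little-endian
    drep, split into fragments of at most max_stub stub bytes each."""
    chunks = [stub[i:i + max_stub] for i in range(0, len(stub), max_stub)] or [b""]
    pdus = []
    for i, chunk in enumerate(chunks):
        flags = (PFC_FIRST_FRAG if i == 0 else 0) | (PFC_LAST_FRAG if i == len(chunks) - 1 else 0)
        hdr = bytes([5, 0, PTYPE_REQUEST, flags, 0x10, 0, 0, 0])
        hdr += struct.pack("<HHI", 24 + len(chunk), 0, call_id)
        hdr += struct.pack("<IHH", len(stub), 0, opnum)
        pdus.append(hdr + chunk)
    return pdus


def scan(pdus):
    """Run a fresh monitor over a PDU sequence and return all alerts."""
    mon = RequestMonitor()
    return [a for a in (mon.feed(p) for p in pdus) if a]
```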



[Full-disclosure] CA20090615-01: CA ARCserve Backup Message Engine Denial of Service Vulnerabilities

2009-06-16 Thread Williams, James K

Title: CA20090615-01: CA ARCserve Backup Message Engine Denial of 
Service Vulnerabilities


CA Advisory Reference: CA20090615-01


CA Advisory Date: 2009-06-15


Reported By: iViZ Security Research Team


Impact: A remote attacker can cause a denial of service.


Summary: CA ARCserve Backup contains multiple vulnerabilities in 
the message engine that can allow a remote attacker to cause a 
denial of service. CA has issued an update to address the 
vulnerabilities. The vulnerabilities, CVE-2009-1761, occur due to 
insufficient verification of data sent to the message engine. An 
attacker can make requests that can cause the message engine to 
crash.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r12.0 SP 1 Windows


Non-Affected Products:
CA ARCserve Backup r11.5 SP 4 Windows
CA ARCserve Backup r12.0 SP 2 Windows
CA ARCserve Backup r12.5


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
Install Service Pack 2 RO08383.


How to determine if the installation is affected:

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
   1. Run the ARCserve Patch Management utility. From the Windows 
  Start menu, the program can be found under 
  Programs > CA > ARCserve Patch Management > Patch Status.
   2. The main patch status screen will indicate if the patch in 
  the below table is applied. If the patch is not applied, 
  then the installation is vulnerable.

Product  Patch

CA ARCserve Backup r12.0, r12.0 SP1 Windows  RO08383


For more information on the ARCserve Patch Management utility, 
read document TEC446265.


Workaround: 
As a workaround solution, disable the Apache HTTP Server with the 
stopgui command. To re-enable the server, run startgui.

Stopping the Apache HTTP Server will prevent the ARCserve user 
from performing GUI operations. Most of the operations provided by 
the GUI can be accomplished via the command line.

Alternatively, restrict remote network access to reduce exposure.


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090615-01: Security Notice for CA ARCserve Backup Message 
   Engine
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502
Solution Document Reference APARs:
RO08383, TEC446265
CA Security Response Blog posting:
CA20090615-01: CA ARCserve Backup Message Engine Denial of Service 
   Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15.aspx
Reported By: 
iViZ Security Research Team
http://www.ivizsecurity.com/security-advisory-iviz-sr-09003.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-09004.html
CVE References:
CVE-2009-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1761
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.



[Full-disclosure] CA20090615-01: CA ARCserve Backup Message Engine Denial of Service Vulnerabilities

2009-06-16 Thread Williams, James K

Title: CA20090615-01: CA ARCserve Backup Message Engine Denial of 
Service Vulnerabilities


CA Advisory Reference: CA20090615-01


CA Advisory Date: 2009-06-15


Reported By: iViZ Security Research Team


Impact: A remote attacker can cause a denial of service.


Summary: CA ARCserve Backup contains multiple vulnerabilities in 
the message engine that can allow a remote attacker to cause a 
denial of service. CA has issued an update to address the 
vulnerabilities. The vulnerabilities, CVE-2009-1761, occur due to 
insufficient verification of data sent to the message engine. An 
attacker can make requests that can cause the message engine to 
crash.


Mitigating Factors: None


Severity: CA has given these vulnerabilities a Medium risk rating.


Affected Products:
CA ARCserve Backup r12.0 Windows
CA ARCserve Backup r12.0 SP 1 Windows


Non-Affected Products:
CA ARCserve Backup r11.5 SP 4 Windows
CA ARCserve Backup r12.0 SP 2 Windows
CA ARCserve Backup r12.5


Affected Platforms:
Windows


Status and Recommendation:
CA has issued the following patches to address the vulnerabilities.

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
Install Service Pack 2 RO08383.


How to determine if the installation is affected:

CA ARCserve Backup r12.0, r12.0 SP1 Windows:
   1. Run the ARCserve Patch Management utility. From the Windows 
  Start menu, the program can be found under 
  Programs > CA > ARCserve Patch Management > Patch Status.
   2. The main patch status screen will indicate if the patch in 
  the below table is applied. If the patch is not applied, 
  then the installation is vulnerable.

Product  Patch

CA ARCserve Backup r12.0, r12.0 SP1 Windows  RO08383


For more information on the ARCserve Patch Management utility, 
read document TEC446265.


Workaround: 
None


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090615-01: Security Notice for CA ARCserve Backup Message 
   Engine
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209502
Solution Document Reference APARs:
RO08383, TEC446265
CA Security Response Blog posting:
CA20090615-01: CA ARCserve Backup Message Engine Denial of Service 
   Vulnerabilities
community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15.aspx
Reported By: 
iViZ Security Research Team
http://www.ivizsecurity.com/security-advisory-iviz-sr-09003.html
http://www.ivizsecurity.com/security-advisory-iviz-sr-09004.html
CVE References:
CVE-2009-1761
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1761
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.



[Full-disclosure] CA20090615-02: CA Service Desk Tomcat Cross Site Scripting Vulnerability

2009-06-16 Thread Williams, James K

Title: CA20090615-02: CA Service Desk Tomcat Cross Site Scripting 
Vulnerability


CA Advisory Reference: CA20090615-02


CA Advisory Date: 2009-06-15


Impact: A remote attacker can inject arbitrary web script or HTML.


Summary: The release of Tomcat as included with CA Service Desk 
r11.2 is potentially susceptible to a cross-site scripting 
vulnerability.  CA has issued a technical document that describes 
remediation procedures.


Mitigating Factors: None


Severity: CA has given this vulnerability a Medium risk rating.


Affected Products:
CA Service Desk r11.2


Affected Platforms:
Windows, Unix


Status and Recommendation:
Follow the instructions in technical document TEC489643.
https://support.ca.com/irj/portal/anonymous/redirArticles?reqPage=search&searchID=TEC489643

How to determine if the installation is affected:
Customers can use the instructions in technical document TEC489643 
to determine if an installation may be affected.


Workaround: 
None


References (URLs may wrap):
CA Support:
https://support.ca.com/
CA20090615-02: Security Notice for CA Service Desk
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=209500
Solution Document Reference APARs:
TEC489643
CA Security Response Blog posting:
CA20090615-02: CA Service Desk Tomcat Cross Site Scripting Vulnerability
community.ca.com/blogs/casecurityresponseblog/archive/2009/06/15.aspx
CVE References:
CVE-2008-1232
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232
OSVDB References: Pending
http://osvdb.org/


Changelog for this advisory:
v1.0 - Initial Release


Customers who require additional information should contact CA
Technical Support at https://support.ca.com.

For technical questions or comments related to this advisory, 
please send email to vuln AT ca DOT com.

If you discover a vulnerability in CA products, please report your 
findings to the CA Product Vulnerability Response Team.
https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=177782


Regards,
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team


CA, 1 CA Plaza, Islandia, NY 11749

Contact http://www.ca.com/us/contact/
Legal Notice http://www.ca.com/us/legal/
Privacy Policy http://www.ca.com/us/privacy/
Copyright (c) 2009 CA. All rights reserved.

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.10.0 (Build 500)
Charset: utf-8

wj8DBQFKN4queSWR3+KUGYURAnrZAJ9sEgBd5Lw57AW6egPeJu8CDyUv8gCcC8hT
auAyFOQijA812rBtlTXJmtA=
=ssdM
-END PGP SIGNATURE-



[Full-disclosure] Official release of Keykeriki open source wireless keyboard sniffer

2009-06-16 Thread Max Moser
Hi everyone, I would just like to officially announce the release of our
wireless keyboard sniffer Keykeriki.

In addition to the official press release:

Website: http://www.remote-exploit.org/Keykeriki.html
Video with some demonstration available on website as well
Contact: hardh...@remote-exploit.org

The first lot of pre-fab PCBs will arrive by the end of this week.

Stay tuned... Max Moser

So here is our press release:

“Keykeriki” – Dreamlab Technologies and remote-exploit.org develop the first
open 27 MHz wireless keyboard sniffer. It sniffs and records the signal of
wireless keyboards and demonstrates their security risk level. It can also be
used to demonstrate hacking attacks for educational purposes.

Wireless keyboards are very popular in many offices and private homes. Even in
the front office section of banks, they are frequently used. But they represent
a big security risk, as Dreamlab Technologies already pointed out in a white
paper published in 2007. Wireless keyboards are risky because they transmit a
radio signal that is not sufficiently protected. The newly developed portable
universal receiver sniffs and records the signal of wireless keyboards and
demonstrates their security risk level. The Keykeriki software and the
construction plans for the hardware are freely available online
[www.remote-exploit.org].

Hardware
The hardware needs to be portable and small, and able to adapt to future
needs. Keykeriki is therefore built around a Texas Instruments TRF7900 chip
controlled by an ATMEL ATMEGA microcontroller. For logging, an SD card
interface is built into the board layout, as well as an additional USART
channel for future hardware extensions (“backpacks”). The whole board can be
powered directly via the USB bus or a stable 5V power source. When connected
to a computer’s USB port, one can use either a decent terminal application or
the keykeriCTL software, which is included in the software package of this
project. All the schematics can be downloaded in Eagle and PDF format as part
of the project’s software package. Fully equipped boards will be provided in
the near future.

Software
Because of the flexible hardware design, most features can be built in by
software. This first release contains (among other features) radio frequency
switching, signal strength display, deciphering of encryption, and sniffing
and decoding of keystrokes of Microsoft 27 MHz based keyboards.

Extensions
Hardware extensions are easy to realize because two different interfaces, a
second USART, I²C/TWI and SPI, are externalized. Therefore so-called
Backpacks, e.g. an LCD display controller, can be connected using the USART
interface.

The Future
Future extensions include amplification for antennas, support for other
Microsoft keyboards and products of other producers, the constant amelioration
of hardware and software, and the parallel handling of several keyboards.
Furthermore, a Keykeriki able to send mouse and keyboard signals is intended.
Technical details can be found online: www.remote-exploit.org.

About Dreamlab
Dreamlab Technologies AG is an internationally operating company specialized
in IT security. Established in 1997, Dreamlab Technologies performs high-end
security tests, consulting and education, and realizes solutions based on
“best-in-class” open standard technologies. Dreamlab Technologies is an
official education partner and representative of ISECOM (Institute for
Security and Open Methodologies) for France, Germany and Switzerland. ISECOM
is the editor of OSSTMM, today’s most popular security audit methodology.



[Full-disclosure] [ MDVSA-2009:133 ] irssi

2009-06-16 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2009:133
 http://www.mandriva.com/security/
 ___

 Package : irssi
 Date: June 16, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 3.0
 ___

 Problem Description:

 A vulnerability has been found and corrected in irssi:
 
 Off-by-one error in the event_wallops function in
 fe-common/irc/fe-events.c in irssi 0.8.13 allows remote IRC servers
 to cause a denial of service (crash) via an empty command, which
 triggers a one-byte buffer under-read and a one-byte buffer underflow
 (CVE-2009-1959).
 
 This update provides fixes for this vulnerability.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1959
 ___

 Updated Packages:

 Mandriva Linux 2008.1:
 7666ac4b0ee6be35f6c61c88937b4929  2008.1/i586/irssi-0.8.12-3.1mdv2008.1.i586.rpm
 3c9d4ce7992efeeb4902d01cf0904be7  2008.1/i586/irssi-devel-0.8.12-3.1mdv2008.1.i586.rpm
 8559da090d172911312f0b3536b414c4  2008.1/i586/irssi-perl-0.8.12-3.1mdv2008.1.i586.rpm
 f9b68d781fe6476bc8050c2f00726c41  2008.1/SRPMS/irssi-0.8.12-3.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 1b8e64c328e18f452b9b59d489f33941  2008.1/x86_64/irssi-0.8.12-3.1mdv2008.1.x86_64.rpm
 1a1da766b58e5318a22e7084e3b196ac  2008.1/x86_64/irssi-devel-0.8.12-3.1mdv2008.1.x86_64.rpm
 51adab508e1d513bdb9d7d40b5069a7a  2008.1/x86_64/irssi-perl-0.8.12-3.1mdv2008.1.x86_64.rpm
 f9b68d781fe6476bc8050c2f00726c41  2008.1/SRPMS/irssi-0.8.12-3.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 1684a3989ed164409776c89546044780  2009.0/i586/irssi-0.8.12-3.1mdv2009.0.i586.rpm
 7671fbe25259b3305889975d52b834c4  2009.0/i586/irssi-devel-0.8.12-3.1mdv2009.0.i586.rpm
 13b3f2f3a0aa054db77ad53a447e5fe6  2009.0/i586/irssi-perl-0.8.12-3.1mdv2009.0.i586.rpm
 64ec4fbff1686d3fbcab88520f669fa5  2009.0/SRPMS/irssi-0.8.12-3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 77c019b09105e045e98f70748d20f56b  2009.0/x86_64/irssi-0.8.12-3.1mdv2009.0.x86_64.rpm
 efd08c666aa1ad1014c40244e69dbf79  2009.0/x86_64/irssi-devel-0.8.12-3.1mdv2009.0.x86_64.rpm
 051858b7540f7fa8e3c6c0141cb2d200  2009.0/x86_64/irssi-perl-0.8.12-3.1mdv2009.0.x86_64.rpm
 64ec4fbff1686d3fbcab88520f669fa5  2009.0/SRPMS/irssi-0.8.12-3.1mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 0dbd4c60bcb4baad613c066edc8a9928  2009.1/i586/irssi-0.8.12-4.1mdv2009.1.i586.rpm
 90646d0b03a43228cb301d017cc1e516  2009.1/i586/irssi-devel-0.8.12-4.1mdv2009.1.i586.rpm
 492d3bb18444d889c26a15fed4bcde71  2009.1/i586/irssi-perl-0.8.12-4.1mdv2009.1.i586.rpm
 fb8e4a81570e8af0b02db392c324849e  2009.1/SRPMS/irssi-0.8.12-4.1mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 763e7d2df4275f13bc04c89ebb28e744  2009.1/x86_64/irssi-0.8.12-4.1mdv2009.1.x86_64.rpm
 389a2932a04ee531245b2d5398b3959c  2009.1/x86_64/irssi-devel-0.8.12-4.1mdv2009.1.x86_64.rpm
 7c278e8ac8e85d1e047cc64179b5196e  2009.1/x86_64/irssi-perl-0.8.12-4.1mdv2009.1.x86_64.rpm
 fb8e4a81570e8af0b02db392c324849e  2009.1/SRPMS/irssi-0.8.12-4.1mdv2009.1.src.rpm

 Corporate 3.0:
 2e896fd5f40335522487871773aeb079  corporate/3.0/i586/irssi-0.8.9-2.1.C30mdk.i586.rpm
 998b302c79e9e42564588c5a2cde0d92  corporate/3.0/i586/irssi-devel-0.8.9-2.1.C30mdk.i586.rpm
 a36c0604ae531ba14108008d346d9b28  corporate/3.0/SRPMS/irssi-0.8.9-2.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 bcdeed0d1a345aad7e1ddeacae5dac92  corporate/3.0/x86_64/irssi-0.8.9-2.1.C30mdk.x86_64.rpm
 eb21881f04f1308567cdfb355266c8b4  corporate/3.0/x86_64/irssi-devel-0.8.9-2.1.C30mdk.x86_64.rpm
 a36c0604ae531ba14108008d346d9b28  corporate/3.0/SRPMS/irssi-0.8.9-2.1.C30mdk.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  security*mandriva.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKN3m2mqjQ0CJFipgRAsTdAJwPbdOswHmhm5mUn/htoCG0GPOyrwCgr9pu
VHVWemrVNgtvzoBT/KZCOBg=
=DMv8
-END PGP SIGNATURE-
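The off-by-one the advisory above describes (CVE-2009-1959: an empty command making event_wallops read and write one byte before its buffer), as an added example that is not irssi's code: a constructed model of a WALLOPS handler that strips the closing CTCP delimiter (0x01) from an action. The defective pattern is shown without a length check beside the hardened form; the function names, the CTCP framing assumption and the sample messages are constructed for this illustration.

```c
/* Constructed illustration of the bug class behind CVE-2009-1959.  This is
 * not irssi's code: function names and sample messages are invented here. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CTCP_DELIM '\001'   /* CTCP messages are framed by 0x01 bytes */

/* Trailing-delimiter strip WITHOUT a length check.  When len == 0 the index
 * len - 1 wraps to (size_t)-1, so buf[len - 1] reads the byte before the
 * buffer (one-byte under-read) and, if that byte happens to be 0x01, writes
 * a NUL there (one-byte underflow).  Only ever call this on non-empty input. */
static void strip_trailing_delim_unchecked(char *buf)
{
    size_t len = strlen(buf);
    if (buf[len - 1] == CTCP_DELIM)
        buf[len - 1] = '\0';
}

/* Hardened form: refuse to index before the buffer when it is empty. */
static void strip_trailing_delim_checked(char *buf)
{
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == CTCP_DELIM)
        buf[len - 1] = '\0';
}

/* Model of the handler: a WALLOPS payload beginning with "\001ACTION " is an
 * action; copy the text after that prefix into out and drop the closing
 * 0x01.  Returns 1 for an action, 0 for a plain wallop.  The action text may
 * legitimately be empty, which is exactly the input that breaks the
 * unchecked strip above. */
static int handle_wallops(const char *data, char *out, size_t outsz)
{
    static const char prefix[] = "\001ACTION ";
    const size_t plen = sizeof prefix - 1;

    if (strncmp(data, prefix, plen) != 0) {
        snprintf(out, outsz, "%s", data);
        return 0;
    }
    snprintf(out, outsz, "%s", data + plen);   /* may yield "" */
    strip_trailing_delim_checked(out);
    return 1;
}

/* Helper: run handle_wallops and compare kind and extracted text. */
static int wallops_yields(const char *data, int want_action, const char *want_text)
{
    char out[128];
    int is_action = handle_wallops(data, out, sizeof out);
    return is_action == want_action && strcmp(out, want_text) == 0;
}

/* Helper for the unchecked variant; callers must pass a non-empty string. */
static int unchecked_strips(const char *in, const char *want)
{
    char buf[128];
    snprintf(buf, sizeof buf, "%s", in);
    strip_trailing_delim_unchecked(buf);
    return strcmp(buf, want) == 0;
}

int main(void)
{
    /* Constructed WALLOPS payloads, as a server might deliver them. */
    const char *samples[] = {
        "\001ACTION waves to the ops\001",   /* normal action */
        "\001ACTION ",                         /* empty action: the CVE input */
        "server restart in five minutes",      /* plain wallop */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char out[128];
        int kind = handle_wallops(samples[i], out, sizeof out);
        printf("%s: \"%s\"\n", kind ? "action" : "wallop", out);
    }
    return 0;
}
```

Only the checked helper is wired into handle_wallops; the unchecked one is kept so the two can be read side by side, and the empty action is what the second sample feeds through the safe path. Building the unchecked variant with -fsanitize=address and handing it an empty string reports the read before the buffer immediately, which is a cheap way to catch this class of off-by-one in any string-trimming code.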


Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread sr.
it could still be carried out remotely by obfuscating a link sent to the
admin of the device. this would obviously rely on the admin clicking on
the link, and is more of a phishing / social engineering style attack. this
would also rely on the router being setup with all of the default internal
LAN IPs.

sr.


2009/6/16 Vladimir '3APA3A' Dubrovin 3ap...@security.nnov.ru

 Dear Tom Neaves,

  It still can be exploited from the Internet even if remote management is
 only accessible from the local network. If you can trick a user into visiting
 a web page, you can place a form on this page which targets the router, and
 the request to the router is issued from the victim's browser.


 --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:

 TN Hi.

 TN I see where you're going but I think you're missing the point a little.
 TN By *default* the web interface is enabled on the LAN and accessible by
 TN anyone on that LAN, and the remote management interface (for the
 TN Internet) is turned off.  If the remote management interface was
 TN enabled, stopping ICMP echo responses would not resolve this issue at
 TN all; turning the interface off would do, though (or restricting by IP,
 TN ...ack).  The remote management (love those quotes...) interface speaks
 TN over HTTP, hence TCP, so no amount of dropping ICMP goodness will help
 TN with this.  Anyhow, I am happy to discuss this off list with you if it's
 TN still not clear, to save spamming everyone's inboxes. :o)

 TN Tom

 TN - Original Message -
 TN From: Alaa El yazghi
 TN To: Tom Neaves
 TN Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
 TN Sent: Monday, June 15, 2009 11:03 PM
 TN Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


 TN I know and I understand. What I wanted to mean is that we cannot
 TN eventually access the web interface of a netgear router remotely if we
 TN cannot locally.
 TN As for the DoS, it is simple to solve such attack from outside. We just
 TN disable receiving pings (there is actually an option in even the lowest
 TN series) and thus, we would be able to have remote management without
 TN ICMP requests.



 TN 2009/6/15 Tom Neaves t...@tomneaves.co.uk

 TN Hi.

 TN I'm not quite sure of your question...

 TN The DoS can be carried out remotely, however one mitigating factor
 TN (which makes it a low risk as opposed to sirens and alarms...) is that
 TN it's turned off by default - you have to explicitly enable it under
 TN Remote Management on the device if you want to access it/carry out the
 TN DoS over the Internet.  However, it is worth noting that anyone on your
 TN LAN can *remotely* carry out this attack regardless of this management
 TN feature being on/off.

 TN I hope this clarifies it for you.

 TN Tom
 TN - Original Message -
 TN From: Alaa El yazghi
 TN To: Tom Neaves
 TN Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
 TN Sent: Monday, June 15, 2009 10:45 PM
 TN Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


 TN How can it be carried out remotely if it bugs locally?



Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Jeremi Gosney
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

and as previously stated, if you have 'remote management' enabled then you are 
truly vulnerable to outside threats. csrf works as well. but an attack carried 
out on the LAN would still be considered a remote attack; although, you'd 
likely be within arm's reach of the attacker, so you'd know who to punch in the 
nose when the web server stopped responding. both vectors are considered 
'remote' since the attacker is not legitimately authenticated to the system.


- -

From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of sr.
Sent: Tuesday, June 16, 2009 8:17 AM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

it could still be carried out remotely by obfuscating a link sent to the 
admin of the device. this would obviously rely on the admin clicking on the 
link, and is more of a phishing / social engineering style attack. this would 
also rely on the router being setup with all of the default internal LAN IPs.

sr.

2009/6/16 Vladimir '3APA3A' Dubrovin 3ap...@security.nnov.ru Dear Tom Neaves,

 It still can be exploited from the Internet even if remote management is only
accessible from the local network. If you can trick a user into visiting a web
page, you can place a form on this page which targets the router, and the
request to the router is issued from the victim's browser.



[Full-disclosure] WinAppDbg version 1.2 is out!

2009-06-16 Thread Mario Alejandro Vilas Jerez
What is WinAppDbg?
==

The WinAppDbg python module allows developers to quickly code instrumentation
scripts in Python under a Windows environment.

It uses ctypes to wrap many Win32 API calls related to debugging, and provides
an object-oriented abstraction layer to manipulate threads, libraries and
processes, attach your script as a debugger, trace execution, hook API calls,
handle events in your debugee and set breakpoints of different kinds (code,
hardware and memory). Additionally it has no native code at all, making it
easier to maintain or modify than other debuggers on Windows.

The intended audience is QA engineers and software security auditors wishing
to test / fuzz Windows applications with quickly coded Python scripts. Several
ready-to-use utilities are shipped and can be used for these purposes.

Current features also include disassembling x86 native code (using the open
source diStorm project, see http://ragestorm.net/distorm/), debugging multiple
processes simultaneously and producing a detailed log of application crashes,
useful for fuzzing and automated testing.


Where can I find WinAppDbg?
===

The WinAppDbg project is currently hosted at Sourceforge, and can be found at:

http://winappdbg.sourceforge.net/

It's also hosted at the Python Package Index (PyPi):

http://pypi.python.org/pypi/winappdbg/1.2

Re: [Full-disclosure] WinAppDbg version 1.2 is out!

2009-06-16 Thread Jared DeMott
Mario Alejandro Vilas Jerez wrote:
 What is WinAppDbg?
 ==
 
 The WinAppDbg python module allows developers to quickly code instrumentation
 scripts in Python under a Windows environment.

Can you compare/contrast with pydbg so I can understand why I might want
to give it a try?  Do you have a fuzzing platform like Sulley for it as
well?  Thx!
Jared


 


Re: [Full-disclosure] WinAppDbg version 1.2 is out!

2009-06-16 Thread Mario Alejandro Vilas Jerez
Basically it's got some different features than PyDbg and a more
complete documentation. If you have an *existing* project built upon
PyDbg it's probably not worth switching (unless you've hit some very
bad problem with it) but I believe it's better for newer projects, as
this new library is more flexible and scalable.

It doesn't have a fuzzing platform like Sulley. It does however have
some tools that can be useful when fuzzing, particularly one that
attaches to a program as a debugger and logs the crashes it finds,
using some simple heuristics to avoid logging the same crash twice.

Let me know if you decide to give it a try, I'll help in any way I can :)

Cheers,
-Mario

On Tue, Jun 16, 2009 at 3:26 PM, Jared DeMott jdem...@crucialsecurity.com wrote:
 Can you compare/contrast with pydbg so I can understand why I might want
 to give it a try?  Do you have a fuzzing platform like Sulley for it as
 well?  Thx!
 Jared

-- 
HONEY: I want to… put some powder on my nose.
GEORGE: Martha, won’t you show her where we keep the euphemism?



Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir Dubrovin
Dear sr.,

  Clicking on the link cannot produce a POST request, only GET, unless
  there are some special conditions, like a cross-site scripting
  vulnerability in the router.

--16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS 
Vulnerability to full-disclosure@lists.grok.org.uk;

s it could still be carried out remotely by obfuscating a link sent to the
s admin of the device. this would obviously rely on the admin clicking on
s the link, and is more of a phishing / social engineering style attack. this
s would also rely on the router being setup with all of the default internal
s LAN IPs.

s sr.


s 2009/6/16 Vladimir '3APA3A' Dubrovin 3ap...@security.nnov.ru

 Dear Tom Neaves,

  It  still can be exploited from Internet even if remote management is
 only  accessible  from local network. If you can trick user to visit Web
 page,  you  can  place  a  form on this page which targets to router and
 request to router is issued from victim's browser.



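The cross-site form vector Vladimir describes in this thread, together with his follow-up that a clicked link yields only a GET, as an added example that is neither Netgear's firmware nor code from anyone in the thread: the checks an embedded admin web server can apply before acting on a state-changing request, so that a form placed on a third-party page cannot drive the device from the victim's browser. The struct, the function names, the device address 192.168.0.1, the origin attacker.example and the session token are all constructed for this illustration.

```c
/* Added example: request-origin and anti-CSRF token checks for a small
 * embedded admin web server.  Not Netgear's code; every name and value here
 * is constructed for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW = 0, DENY_METHOD, DENY_ORIGIN, DENY_TOKEN };

struct http_request {
    const char *method;   /* "GET", "POST", ... */
    const char *host;     /* Host header as received, e.g. "192.168.0.1" */
    const char *origin;   /* Origin header, or NULL if the browser sent none */
    const char *referer;  /* Referer header, or NULL if absent */
    const char *token;    /* anti-CSRF token from the POST body, or NULL */
};

/* Constructed per-session secret.  A real server draws one from a CSPRNG
 * when the admin logs in, binds it to that session and embeds it in every
 * form it serves; a page on another site cannot read it. */
static const char SESSION_TOKEN[] = "7f3c9a1e5d2b4c8a";

/* Compare the authority part ("host[:port]") of a URL with the Host header,
 * case-insensitively.  Returns 1 on match, 0 on mismatch or malformed URL. */
static int authority_matches(const char *url, const char *host)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return 0;
    p += 3;
    size_t n = strcspn(p, "/?#");          /* authority ends at '/', '?' or '#' */
    if (n != strlen(host)) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)host[i]))
            return 0;
    return 1;
}

/* Compare the submitted token with the session token without leaking the
 * position of the first differing byte through timing. */
static int token_matches(const char *submitted)
{
    size_t la = strlen(submitted), lb = sizeof SESSION_TOKEN - 1;
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(submitted[i] ^ SESSION_TOKEN[i]);
    return diff == 0;
}

/* Decide whether a request to a state-changing admin endpoint may proceed. */
static enum verdict csrf_verdict(const struct http_request *r)
{
    /* 1. Only POST reaches a state-changing handler.  A link, image or
     *    redirect can only produce a GET, so it stops here. */
    if (strcmp(r->method, "POST") != 0) return DENY_METHOD;

    /* 2. The browser-supplied Origin (or, if absent, Referer) must name this
     *    device.  A request carrying neither header is denied as well. */
    const char *src = r->origin ? r->origin : r->referer;
    if (src == NULL || !authority_matches(src, r->host)) return DENY_ORIGIN;

    /* 3. Independently of step 2, the body must carry the session token. */
    if (r->token == NULL || !token_matches(r->token)) return DENY_TOKEN;
    return ALLOW;
}

/* Convenience wrapper so one request fits on a line. */
static enum verdict check(const char *method, const char *host,
                          const char *origin, const char *referer,
                          const char *token)
{
    struct http_request r = { method, host, origin, referer, token };
    return csrf_verdict(&r);
}

int main(void)
{
    static const char *names[] = { "ALLOW", "DENY_METHOD", "DENY_ORIGIN", "DENY_TOKEN" };
    /* Constructed requests against an admin UI at 192.168.0.1 (assumed). */
    printf("admin form, same origin, token : %s\n",
           names[check("POST", "192.168.0.1", "http://192.168.0.1", NULL, SESSION_TOKEN)]);
    printf("form hosted on another site    : %s\n",
           names[check("POST", "192.168.0.1", "http://attacker.example", NULL, "guessed-token")]);
    printf("link click (GET)               : %s\n",
           names[check("GET", "192.168.0.1", "http://192.168.0.1", NULL, NULL)]);
    printf("same origin, token missing     : %s\n",
           names[check("POST", "192.168.0.1", NULL, "http://192.168.0.1/admin.html", NULL)]);
    return 0;
}
```

Step 1 is the GET/POST distinction from the thread; steps 2 and 3 are independent layers, so a browser that sends no Origin header (older ones send only Referer on form posts) is still covered by the token. These checks close only the browser-relayed vector: a host on the LAN that speaks HTTP to the router directly, which Jeremi's reply and the original advisory both describe, is not affected by any of them, and an endpoint reachable without authentication has no session to bind a token to.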
[Full-disclosure] ZDI-09-043: Apple Java CColorUIResource Pointer Dereference Code Execution Vulnerability

2009-06-16 Thread ZDI Disclosures
ZDI-09-043: Apple Java CColorUIResource Pointer Dereference Code Execution
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-043
June 16, 2009

-- CVE ID:
CVE-2009-1719

-- Affected Vendors:
Apple

-- Affected Products:
Apple Java

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6800.
For further product information on the TippingPoint IPS, visit:

http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Java HotSpot. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page.

The specific flaw exists in the undocumented
apple.laf.CColorUIResource(long, int, int, int, int) constructor. When
passing a long integer value as the first argument, the value is
interpreted as a pointer to an Objective-C object. By constructing a
special memory structure and passing the pointer as the first argument
an attacker may execute arbitrary code.

-- Vendor Response:
Apple has issued an update to correct this vulnerability. More
details can be found at:

http://support.apple.com/kb/HT3632

-- Disclosure Timeline:
2009-01-26 - Vulnerability reported to vendor
2009-06-16 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* Anonymous

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [DSF-02-2009] - Zoki Catalog SQL Injection

2009-06-16 Thread SmOk3
Ref. [DSF-02-2009] - Zoki Catalog SQL Injection
Vendor: Zoki Soft (www.zokisoft.com)
Status: Patched by vendor

Original advisory:
http://www.davidsopas.com/2009/06/15/zoki-catalog-sql-injection/

Zoki Catalog
Smart Catalog is unique and convenient software. It is designed for
many purposes, whether you want to create a blog, product catalog,
classifieds, events, jobs or many others. This software gives you the
opportunity to create general categories and an unlimited number of
subcategories, create static pages, upload images, and rate and comment on
listings. Smart Catalog has SEO-optimized URLs, RSS feeds and is quickly
indexed by major search engines.

Description
This PHP-based catalog is vulnerable to SQL injection on the search form.
Injecting a quote mark will break the SQL query and even provide
sensitive database information that could help a malicious user to
complete and enter a valid SQL injection query.

Impact
A malicious user could manipulate SQL queries by injecting arbitrary
SQL code and return private information.

Time-line
June 3, 2009 - Reported to Zoki Soft
June 13, 2009 - Reply from vendor
June 15, 2009 - Vendor fixed it

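The flaw described above, as an added example that is not part of the advisory or of Zoki Soft's code: a catalog search that concatenates the user's term into the SQL text, next to the parameterised query that fixes it. It uses Python's sqlite3 module with constructed sample rows; the table, column and function names are the editor's own.

```python
# Added illustration, not code from the Zoki Catalog advisory or from Zoki Soft.
# A catalog search implemented two ways against an in-memory SQLite database:
# the pattern the advisory describes (search term spliced into the SQL text)
# and the parameterised query that removes the injection.
import sqlite3

# Constructed sample data; the 'secret' column stands in for the "private
# information" the advisory says an injected query could return.
SAMPLE_LISTINGS = [
    ("Red bicycle", "owner-email-1"),
    ("Blue guitar", "owner-email-2"),
    ("Kid's bicycle", "owner-email-3"),   # legitimate title containing a quote
]


def make_db():
    """Create the in-memory catalog database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO listings (title, secret) VALUES (?, ?)", SAMPLE_LISTINGS
    )
    return conn


def search_vulnerable(conn, term):
    """Builds the statement by string concatenation: the user's term becomes
    part of the SQL grammar, so a single quote terminates the string literal
    early and whatever follows it is parsed as SQL."""
    sql = "SELECT id, title FROM listings WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn, term):
    """Binds the term as a parameter: the database never parses it as SQL,
    so quotes (or anything else) in the term are just characters."""
    sql = "SELECT id, title FROM listings WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def probe(conn, term):
    """Run the vulnerable search and report the outcome the advisory
    describes: ('ok', rows) for a normal term, ('error', message) when a
    quote breaks the query. In a real deployment that error message is what
    reaches the browser and leaks details about the database and query."""
    try:
        return ("ok", search_vulnerable(conn, term))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(probe(db, "bicycle"))
    print(probe(db, "Kid's"))          # broken query, error text returned
    print(search_fixed(db, "Kid's"))   # same term handled safely
```

The point of the third sample row is that a quote in user input is not only an attacker's probe: an ordinary search for "Kid's" crashes the concatenated query and surfaces the database error, while the bound parameter returns the matching listing.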


Re: [Full-disclosure] Things to do before vulnerability disclosure

2009-06-16 Thread epixoip
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

... really? so everyone who believes in full disclosure is a
blackhat now? by your definition, even those who follow RFPolicy
are blackhats as well. your ethics are severely flawed, and are
misaligned with the philosophies that many security professionals
subscribe to.

to the original poster: if you independently discover a
vulnerability, it's yours. do what you want with it.


-Original Message-
From: listbou...@securityfocus.com
[mailto:listbou...@securityfocus.com] On Behalf Of nrmaster
Sent: Tuesday, June 16, 2009 8:40 AM
To: pen-t...@securityfocus.com
Subject: Re: Things to do before vulnerability disclosure


In stark contrast to what a black hat would do (publish or more
likely sell it on the black market), an ethical security expert
ought to try to notify the vendor so that a patch or fix can be
incorporated into the next hot fix and distributed to the public
before the details of the exploit are widely available. This sort
of approach also fortifies our posture as vulnerability researchers
rather than security bug searchers.

Obviously, any legal or regulatory obligations will depend on your
local laws and/or regulations.
Cheers

--
View this message in context: http://www.nabble.com/Things-to-do-
before-vulnerability-disclosure-tp24044921p24057042.html
Sent from the Penetration Testing mailing list archive at
Nabble.com.

-BEGIN PGP SIGNATURE-
Charset: UTF8
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 3.0

wpwEAQMCAAYFAko38b0ACgkQacHgESW3wZoaFgP/bHnuOwIPS6UfiMxYgl/5fsP0RYFz
p4W7eYVLIZ09iHc8TQVroDRkVbUCnkzhGXpf6ABb2JOFaP4gmki5GmQ8X9NUCy4u8uzh
bP1qf3tEwfGttWIXFrscZ0iL0VGOrLWBOAS8KxTIYjceasWMXt4MU9mcmgPauNo3lZVS
kdkp+xg=
=5tG2
-END PGP SIGNATURE-



[Full-disclosure] [SECURITY] [DSA 1816-1] New apache2 packages fix privilege escalation

2009-06-16 Thread Stefan Fritsch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

------------------------------------------------------------------------
Debian Security Advisory DSA-1816-1  secur...@debian.org
http://www.debian.org/security/   Stefan Fritsch
June 16, 2009 http://www.debian.org/security/faq
------------------------------------------------------------------------

Package: apache2
Vulnerability  : insufficient security check
Problem type   : local
Debian-specific: no
CVE Id(s)  : CVE-2009-1195

It was discovered that the Apache web server did not properly handle
the Options= parameter to the AllowOverride directive:

In the stable distribution (lenny), local users could (via .htaccess)
enable script execution in Server Side Includes even in configurations
where the AllowOverride directive contained only
Options=IncludesNoEXEC.

In the oldstable distribution (etch), local users could (via
.htaccess) enable script execution in Server Side Includes and CGI
script execution in configurations where the AllowOverride directive
contained any Options= value.

For the stable distribution (lenny), this problem has been fixed in
version 2.2.9-10+lenny3.

For the oldstable distribution (etch), this problem has been fixed in
version 2.2.3-4+etch8.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed in version 2.2.11-6.

This advisory also provides updated apache2-mpm-itk packages which
have been recompiled against the new apache2 packages (except for the
s390 architecture where updated packages will follow shortly).

We recommend that you upgrade your apache2 packages.

Upgrade instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
-------------------------------

Source archives:

  
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch2.dsc
Size/MD5 checksum:  676 60ae12c222f55bfb4d8741409f59807c
  
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch8.diff.gz
Size/MD5 checksum:   126164 0f93fb2fea38521c4b2ac9411167e5af
  
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01.orig.tar.gz
Size/MD5 checksum:29071 63daaf8812777aacfd5a31ead4ff0061
  
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch2.diff.gz
Size/MD5 checksum:12678 5019486d10734d7286f22e12da18764a
  
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3.orig.tar.gz
Size/MD5 checksum:  6342475 f72ffb176e2dc7b322be16508c09f63c
  
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch8.dsc
Size/MD5 checksum: 1068 c99d93533c181ea28ccdb61df0464319

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch8_all.deb
Size/MD5 checksum:   274190 321a2158857f223fcb825d4b286ba06b
  
http://security.debian.org/pool/updates/main/a/apache2/apache2_2.2.3-4+etch8_all.deb
Size/MD5 checksum:41386 1539cf468ace0922e31c6071dafd3813
  
http://security.debian.org/pool/updates/main/a/apache2/apache2-src_2.2.3-4+etch8_all.deb
Size/MD5 checksum:  6667722 f3242b4b8f5e5d33d9725a26d52a7300
  
http://security.debian.org/pool/updates/main/a/apache2/apache2-doc_2.2.3-4+etch8_all.deb
Size/MD5 checksum:  2243290 99eca5a57510d9cd19ff74dd1bbd4a8e

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch8_alpha.deb
Size/MD5 checksum:   407346 02cbc40c73aa9252a6f9bebda4036c29
  
http://security.debian.org/pool/updates/main/a/apache2/apache2-utils_2.2.3-4+etch8_alpha.deb
Size/MD5 checksum:   345688 05ffdd8778436fd2b1dee6bd7aadd3e0
  
http://security.debian.org/pool/updates/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch8_alpha.deb
Size/MD5 checksum:   406728 779b119a6c99f7f8e0d8930cc1a2b71b
  
http://security.debian.org/pool/updates/main/a/apache2-mpm-itk/apache2-mpm-itk_2.2.3-01-2+etch2_alpha.deb
Size/MD5 checksum:   184914 54d45ea160222856d8c4ed799d2965c9
  
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch8_alpha.deb
Size/MD5 checksum:   449388 d925b5b3b9e271f4617a2efff0f3f143
  
http://security.debian.org/pool/updates/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch8_alpha.deb
Size/MD5 checksum:   444558 3ed40c6c95e4f25ef96906a636093249
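As an added example (not Debian's or the Apache httpd project's code), the following models the override check the advisory describes: which Options an .htaccess file may set under a given AllowOverride line, and which of the refused lines would have turned on script execution had the check been skipped, as it was in the affected packages. Directive semantics follow the Apache documentation for AllowOverride Options=; the function names, the constructed sample .htaccess lines and the simplified parsing are the editor's assumptions.

```python
# Added illustration, not Debian's or the Apache httpd project's code: a small
# model of the check the advisory calls insufficient. The server configuration
# says which Options an .htaccess file may set (AllowOverride Options=...);
# the model decides whether a given .htaccess "Options" line should be honoured
# and whether honouring it would enable script execution. Directive semantics
# follow the Apache documentation; the function names are the editor's own.
import re

# Options that enable script execution via Server Side Includes or CGI.
# IncludesNoExec is deliberately not in this set: it allows SSI without the
# exec element, which is exactly why an admin would list it on its own.
EXEC_OPTIONS = {"includes", "execcgi"}

# Constructed .htaccess content for the example (not from any real site).
SAMPLE_HTACCESS = [
    "# constructed .htaccess for the example",
    "Options +IncludesNoExec",
    "Options +Includes",
    "Options +ExecCGI",
    "Options -Includes",
]


def allowed_options(allowoverride_line):
    """Return the lower-cased option names an .htaccess file may set under
    this AllowOverride line, or None when any option is allowed
    ('AllowOverride All' or a bare 'Options' without '=')."""
    m = re.match(r"\s*AllowOverride\s+(.*?)\s*$", allowoverride_line, re.I)
    if not m:
        raise ValueError("not an AllowOverride directive: %r" % allowoverride_line)
    allowed = set()
    for token in m.group(1).split():
        low = token.lower()
        if low in ("all", "options"):
            return None
        if low.startswith("options="):
            names = token[len("options="):].split(",")
            allowed.update(name.lower() for name in names if name)
    return allowed


def requested_options(options_line):
    """Parse an .htaccess 'Options [+|-]Name ...' line into lower-cased names."""
    m = re.match(r"\s*Options\s+(.*?)\s*$", options_line, re.I)
    if not m:
        raise ValueError("not an Options directive: %r" % options_line)
    return [tok.lstrip("+-").lower() for tok in m.group(1).split()]


def options_permitted(allowoverride_line, options_line):
    """The correct check: every option named in .htaccess must be in the
    allowed list. With 'AllowOverride Options=IncludesNoEXEC' this accepts
    'Options +IncludesNoExec' and rejects 'Options +Includes', which is the
    case the advisory says the lenny packages got wrong."""
    allowed = allowed_options(allowoverride_line)
    if allowed is None:
        return True
    return all(name in allowed for name in requested_options(options_line))


def enables_script_execution(options_line):
    """True when honouring this Options line would turn on SSI exec or CGI
    (an option written with a leading '-' turns it off and does not count)."""
    m = re.match(r"\s*Options\s+(.*?)\s*$", options_line, re.I)
    tokens = m.group(1).split() if m else []
    return any(tok.lstrip("+").lower() in EXEC_OPTIONS
               for tok in tokens if not tok.startswith("-"))


def audit(allowoverride_line, htaccess_lines):
    """Defender's view: list the .htaccess Options lines that must be refused
    because they fall outside the override list, flagging those that would
    have enabled script execution if the server had honoured them."""
    findings = []
    for line in htaccess_lines:
        if not line.strip().lower().startswith("options"):
            continue
        if not options_permitted(allowoverride_line, line):
            findings.append((line.strip(), enables_script_execution(line)))
    return findings


if __name__ == "__main__":
    for line, dangerous in audit("AllowOverride Options=IncludesNoEXEC", SAMPLE_HTACCESS):
        print("refused: %-25s enables script execution: %s" % (line, dangerous))
```

Option names are compared case-insensitively, as Apache does, so the advisory's spelling Options=IncludesNoEXEC and an .htaccess line reading Options +IncludesNoExec refer to the same option; the audit output is what an administrator would want to see when checking whether a shared host's per-directory files are trying to step outside the configured override list.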
  

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Jeremi Gosney
Vladimir: Where there is an open mind, there will always be a frontier. - 
Charles Kettering
 
<form method='post' action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
   <input type='hidden' value=''>
</form>
<a href='http://www.google.com' onclick='document.DoS.submit();'>Google</a>



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Vladimir 
Dubrovin
Sent: Tuesday, June 16, 2009 9:43 AM
To: sr.
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

Dear sr.,

  clicking on the link cannot produce a POST request, only a GET, unless
  there are some special conditions, like a cross-site scripting
  vulnerability in the router.

--16.06.2009 19:16, you wrote [Full-disclosure] Netgear DG632 Router Remote DoS 
Vulnerability to full-disclosure@lists.grok.org.uk;

s> it could still be carried out remotely by obfuscating a link sent to the
s> admin of the device. this would obviously rely on the admin clicking on
s> the link, and is more of a phishing / social engineering style attack. this
s> would also rely on the router being set up with all of the default internal
s> LAN IPs.

s> sr.


s> 2009/6/16 Vladimir '3APA3A' Dubrovin 3ap...@security.nnov.ru

 Dear Tom Neaves,

  It still can be exploited from the Internet even if remote management is
 only accessible from the local network. If you can trick a user into visiting
 a Web page, you can place a form on this page which targets the router, and
 the request to the router is issued from the victim's browser.


 --Tuesday, June 16, 2009, 2:11:27 AM, you wrote to m.elyaz...@gmail.com:

 TN> Hi.

 TN> I see where you're going but I think you're missing the point a little. By
 TN> *default* the web interface is enabled on the LAN and accessible by anyone
 TN> on that LAN and the remote management interface (for the Internet) is
 TN> turned off.  If the remote management interface was enabled, stopping ICMP
 TN> echo responses would not resolve this issue at all, turning the interface
 TN> off would do though (or restricting by IP, ...ack).  The remote management
 TN> (love those quotes...) interface speaks over HTTP hence TCP so no amount of
 TN> dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss
 TN> this off list with you if it's still not clear to save spamming everyone's
 TN> inboxes. :o)

 TN> Tom

 TN> - Original Message -
 TN> From: Alaa El yazghi
 TN> To: Tom Neaves
 TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
 TN> Sent: Monday, June 15, 2009 11:03 PM
 TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


 TN> I know and I understand. What I wanted to mean is that we can not eventually
 TN> access the web interface of a Netgear router remotely if we cannot locally.
 TN> As for the DoS, it is simple to solve such an attack from outside. We just
 TN> disable receiving pings (there is actually an option in even the lowest
 TN> series) and thus, we would be able to have remote management without ICMP
 TN> requests.



 TN> 2009/6/15 Tom Neaves t...@tomneaves.co.uk

 TN> Hi.

 TN> I'm not quite sure of your question...

 TN> The DoS can be carried out remotely, however one mitigating factor (which
 TN> makes it a low risk as opposed to sirens and alarms...) is that it's turned
 TN> off by default - you have to explicitly enable it under Remote Management
 TN> on the device if you want to access it/carry out the DoS over the Internet.
 TN> However, it is worth noting that anyone on your LAN can *remotely* carry out
 TN> this attack regardless of this management feature being on/off.

 TN> I hope this clarifies it for you.

 TN> Tom
 TN> - Original Message -
 TN> From: Alaa El yazghi
 TN> To: Tom Neaves
 TN> Cc: bugt...@securityfocus.com ; full-disclosure@lists.grok.org.uk
 TN> Sent: Monday, June 15, 2009 10:45 PM
 TN> Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


 TN> How can it be carried out remotely if it bugs locally?


 TN> 2009/6/15 Tom Neaves t...@tomneaves.co.uk

 TN> Product Name: Netgear DG632 Router
 TN> Vendor: http://www.netgear.com
 TN> Date: 15 June, 2009
 TN> Author: t...@tomneaves.co.uk t...@tomneaves.co.uk
 TN> Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
 TN> Discovered: 18 November, 2006
 TN> Disclosed: 15 June, 2009

 TN> I. DESCRIPTION

 TN> The Netgear DG632 router has a web interface which runs on port 80.  This
 TN> allows an admin to login and administer the device's settings.  However,
 TN> a Denial of Service (DoS) vulnerability exists that causes the web interface
 TN> to crash and stop responding to further requests.

 TN> II. DETAILS

 TN> Within the /cgi-bin/ directory of the administrative web interface exists a
 TN> file called firmwarecfg.  This file is used for firmware upgrades.  A HTTP
 TN> POST request for this file causes the web server to hang.  The web server
 TN> will stop responding to requests 

Re: [Full-disclosure] Netgear DG632 Router Remote DoS Vulnerability

2009-06-16 Thread Vladimir '3APA3A' Dubrovin
Adrian,

  If you can execute javascript - what is the reason to wait for the user to
  click the link? The message I replied to stated there is no need to force the
  user to visit a Web page and that clicking the obfuscated link _sent_ to the
  admin is enough. I replied that in this case only a GET request is possible.
  Read the thread carefully before making conclusions.
  
  
--Wednesday, June 17, 2009, 2:58:15 AM, you wrote to 
jeremi.gos...@motricity.com:

AP> you would be surprised how many people out there (mistakenly) still
AP> think that only GET requests are CSRFable!

AP> 2009/6/16 Jeremi Gosney jeremi.gos...@motricity.com:
 Vladimir: Where there is an open mind, there will always be a frontier. - 
 Charles Kettering

 <form method='post'
 action='http://192.168.1.1/cgi-bin/firmwarecfg' name='DoS'>
   <input type='hidden' value=''>
 </form>
 <a href='http://www.google.com'
 onclick='document.DoS.submit();'>Google</a>


