Re: Netgear DG632 Router Remote DoS Vulnerability

[Alaa El yazghi <m.elyazghi () gmail com>]

I know and I understand. What I wanted to mean is that we can not eventually
acces to the web interface of a netgear router remotely if we cannot localy.
As for the DoS, it is simple to solve  such attack from outside. We just
disable receiving pings (There is actually an option in even the lowest
series) and thus, we would be able to have a remote management without ICMP
requests.



2009/6/15 Tom Neaves <tom () tomneaves co uk>

>  Hi.
>
> I'm not quite sure of your question...
>
> The DoS can be carried out remotely, however one mitigating factor (which
> makes it a low risk as opposed to sirens and alarms...) is that its turned
> off by default - you have to explicitly enable it under "Remote Management"
> on the device if you want to access it/carry out the DoS over the Internet.
> However, it is worth noting that anyone on your LAN can *remotely* carry out
> this attack regardless of this management feature being on/off.
>
> I hope this clarifies it for you.
>
> Tom
>
>  ----- Original Message -----
> *From:* Alaa El yazghi <m.elyazghi () gmail com>
> *To:* Tom Neaves <tom () tomneaves co uk>
> *Cc:* bugtraq () securityfocus com ; full-disclosure () lists grok org uk
>  *Sent:* Monday, June 15, 2009 10:45 PM
> *Subject:* Re: Netgear DG632 Router Remote DoS Vulnerability
>
>  How can it be carried out remotely if it bugs localy?
>
> 2009/6/15 Tom Neaves <tom () tomneaves co uk>
>
> > Product Name: Netgear DG632 Router
> > Vendor: http://www.netgear.com
> > Date: 15 June, 2009
> > Author: tom () tomneaves co uk <tom () tomneaves co uk>
> > Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
> > Discovered: 18 November, 2006
> > Disclosed: 15 June, 2009
> >
> > I. DESCRIPTION
> >
> > The Netgear DG632 router has a web interface which runs on port 80.  This
> > allows an admin to login and administer the device's settings.  However,
> > a Denial of Service (DoS) vulnerability exists that causes the web
> > interface
> > to crash and stop responding to further requests.
> >
> > II. DETAILS
> >
> > Within the "/cgi-bin/" directory of the administrative web interface
> > exists a
> > file called "firmwarecfg".  This file is used for firmware upgrades.  A
> > HTTP POST
> > request for this file causes the web server to hang.  The web server will
> > stop
> > responding to requests and the administrative interface will become
> > inaccessible
> > until the router is physically restarted.
> >
> > While the router will still continue to function at the network level,
> > i.e. it will
> > still respond to ICMP echo requests and issue leases via DHCP, an
> > administrator will
> > no longer be able to interact with the administrative web interface.
> >
> > This attack can be carried out internally within the network, or over the
> > Internet
> > if the administrator has enabled the "Remote Management" feature on the
> > router.
> >
> > Affected Versions: Firmware V3.4.0_ap (others unknown)
> >
> > III. VENDOR RESPONSE
> >
> > 12 June, 2009 - Contacted vendor.
> > 15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life
> > product and is no
> > longer supported in a production and development sense, as such, there
> > will be no further
> > firmware releases to resolve this issue.
> >
> > IV. CREDIT
> >
> > Discovered by Tom Neaves
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/