Netgear DG632 Router Remote DoS Vulnerability

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



Replies to this exploit:

From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--


From: Tom Neaves tom@tomneaves.co.uk
Sent: Mon 15. Jun 2009 23:11
Hi.

I see where youre going but I think youre missing the point a little.  By 
*default* the web interface is enabled on the LAN and accessible by anyone 
on that LAN and the "remote management" interface (for the Internet) is 
turned off.  If the "remote management" interface was enabled, stopping ICMP 
echo responses would not resolve this issue at all, turning the interface 
off would do though (or restricting by IP, ...ack).  The "remote management" 
(love those quotes...) interface speaks over HTTP hence TCP so no amount of 
dropping ICMP goodness will help with this.  Anyhow, I am happy to discuss 
this off list with you if its still not clear to save spamming everyones 
inboxes. :o)

Tom

----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 11:03 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


I know and I understand. What I wanted to mean is that we can not eventually 
acces to the web interface of a netgear router remotely if we cannot localy. 
As for the DoS, it is simple to solve  such attack from outside. We just 
disable receiving pings (There is actually an option in even the lowest 
series) and thus, we would be able to have a remote management without ICMP 
requests.



2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Hi.

Im not quite sure of your question...

The DoS can be carried out remotely, however one mitigating factor (which 
makes it a low risk as opposed to sirens and alarms...) is that its turned 
off by default - you have to explicitly enable it under "Remote Management" 
on the device if you want to access it/carry out the DoS over the Internet. 
However, it is worth noting that anyone on your LAN can *remotely* carry out 
this attack regardless of this management feature being on/off.

I hope this clarifies it for you.

Tom
----- Original Message ----- 
From: Alaa El yazghi
To: Tom Neaves
Cc: bugtraq@securityfocus.com ; full-disclosure@lists.grok.org.uk
Sent: Monday, June 15, 2009 10:45 PM
Subject: Re: Netgear DG632 Router Remote DoS Vulnerability


How can it be carried out remotely if it bugs localy?


2009/6/15 Tom Neaves <tom@tomneaves.co.uk>

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Remote_DoS.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.  This
allows an admin to login and administer the devices settings.  However,
a Denial of Service (DoS) vulnerability exists that causes the web interface
to crash and stop responding to further requests.

II. DETAILS

Within the "/cgi-bin/" directory of the administrative web interface exists 
a
file called "firmwarecfg".  This file is used for firmware upgrades.  A HTTP 
POST
request for this file causes the web server to hang.  The web server will 
stop
responding to requests and the administrative interface will become 
inaccessible
until the router is physically restarted.

While the router will still continue to function at the network level, i.e. 
it will
still respond to ICMP echo requests and issue leases via DHCP, an 
administrator will
no longer be able to interact with the administrative web interface.

This attack can be carried out internally within the network, or over the 
Internet
if the administrator has enabled the "Remote Management" feature on the 
router.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 - Contacted vendor.
15 June, 2009 - Vendor responded.  Stated the DG632 is an end of life 
product and is no
longer supported in a production and development sense, as such, there will 
be no further
firmware releases to resolve this issue.

IV. CREDIT

Discovered by Tom Neaves 



From: Hanno =?utf-8?q?B=C3=B6ck?= hanno@hboeck.de
Sent: Tue 16. Jun 2009 12:42
--nextPart2061626.94REp4fmhP
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

Am Montag 15 Juni 2009 schrieb Tom Neaves:
> Within the "/cgi-bin/" directory of the administrative web interface exis=
ts
> a
> file called "firmwarecfg".  This file is used for firmware upgrades.  A
> HTTP POST
> request for this file causes the web server to hang.  The web server will
> stop
> responding to requests and the administrative interface will become
> inaccessible
> until the router is physically restarted.
>
> While the router will still continue to function at the network level, i.=
e.
> it will
> still respond to ICMP echo requests and issue leases via DHCP, an
> administrator will
> no longer be able to interact with the administrative web interface.
>
> This attack can be carried out internally within the network, or over the
> Internet
> if the administrator has enabled the "Remote Management" feature on the
> router.

Dont have such a device for tests, but isnt it possible to exploit this=20
remotely through CSRF even without "Remote Management" option?
(i.e. put some javascript on a webpage sending a post request to the defaul=
t=20
ip of the router?)

=2D-=20
Hanno B=C3=B6ck		Blog:		http://www.hboeck.de/
GPG: 3DBD3B20		Jabber/Mail:	hanno@hboeck.de
http://ausdenaugenausdemsinn.de - Kein Sicherheitsrabatt f=C3=BCr CO2-Speic=
her
http://tinyurl.com/dceu73 - Internetzensur stoppen!

http://schokokeks.org - professional webhosting

--nextPart2061626.94REp4fmhP
Content-Type: application/pgp-signature; name=signature.asc 
Content-Description: This is a digitally signed message part.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.11 (GNU/Linux)

iEYEABECAAYFAko3dv4ACgkQr2QksT29OyCNEQCfW/c4QFsA98DGWc1+4BreIPU+
8okAn0xYVyB9YDUS3KLaUbCuuRm84Ggy
=6A9Z
-----END PGP SIGNATURE-----

--nextPart2061626.94REp4fmhP--