IS-2010-001 - Netgear WG602v4 Saved Pass Stack Overflow

2010-06-02T00:00:00
ID SECURITYVULNS:DOC:23978
Type securityvulns
Reporter Securityvulns
Modified 2010-06-02T00:00:00

Description

Security Advisory

Advisory Information

Published: 2010-05-30

Updated: 2009-05-30

Manufacturer: Netgear

Model: WG602v4

Firmware version: V1.1.0 (Europe)

Vulnerability Details

Class: Buffer Overflow

Code Execution: Yes

Public References: Not Assigned

Successfully tested on: Netgear WG602v4 loaded with firmware version 1.1.0 (Europe). Other models and/or firmware versions may also be affected.

Summary: A stack-based buffer overflow can be triggered by choosing an overly long admin password.

Details: A buffer overflow can be triggered during authentication to the device's web interface. Authentication is handled by the function auth_authorize(), which uses the password saved in flash memory to validate submitted credentials and copies it into a fixed-size buffer on the stack without performing any length check. The overflow is triggered by saving an admin password longer than 128 characters, and it occurs at each authentication attempt, before the submitted credentials are validated, potentially allowing unauthenticated remote exploitation. However, valid credentials are required to change the administrator password and save it in flash memory, and hence to exploit the vulnerability. The password can be changed via a dedicated web page on the management interface; the client-side restrictions on password length can be easily bypassed by an attacker.
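
The missing check described above, as an added C example (not the firmware's code and not from the advisory's author): a bounded form of the stored-password copy, plus a server-side length check for the password-change handler. PASS_MAX, bounded_len(), password_length_ok() and auth_authorize_checked() are hypothetical names, and the 128-character buffer capacity is an assumption based on the threshold the advisory gives.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: buffer holds 128 characters plus NUL (the advisory's threshold). */
#define PASS_MAX 128

/* Length of s, reading at most limit bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Server-side check for the password-change handler: 1 = accept, 0 = reject.
 * Enforced on the device, because browser-side limits are not a control. */
int password_length_ok(const char *candidate)
{
    size_t n = bounded_len(candidate, PASS_MAX + 1);
    return (n >= 1 && n <= PASS_MAX) ? 1 : 0;
}

/* Bounded form of the copy-then-compare step (hypothetical, not vendor code).
 * The pattern the advisory describes is: char saved[N]; strcpy(saved, stored);
 * Returns 1 = match, 0 = mismatch, -1 = stored value too long (fail closed). */
int auth_authorize_checked(const char *stored, const char *submitted)
{
    char saved[PASS_MAX + 1];
    size_t n = bounded_len(stored, sizeof saved);

    if (n >= sizeof saved)
        return -1;              /* never copy more than the buffer holds */
    memcpy(saved, stored, n);
    saved[n] = '\0';
    return strcmp(saved, submitted) == 0 ? 1 : 0;
}

int main(void)
{
    char oversized[201];        /* constructed sample: 200 'A' characters */
    memset(oversized, 'A', 200);
    oversized[200] = '\0';
    printf("save 200-char password accepted: %d\n", password_length_ok(oversized));
    printf("auth with oversized stored value: %d\n",
           auth_authorize_checked(oversized, "guess"));
    printf("auth with valid pair: %d\n", auth_authorize_checked("s3cret", "s3cret"));
    return 0;
}
```

Both checks are needed: the save-time check keeps an oversized value out of flash, and the bounded copy keeps authentication safe if an oversized value is already stored.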

Impact: Remote code execution with root level privileges.

Solutions & Workaround: Not available

Additional Information

Available at http://www.icysilence.org