Plugin ID | 135 |
Plugin name | Netgear RP114 URL filtering long request evasion |
Plugin filename | Netgear RP114 URL filtering long request evasion.plugin |
Plugin filesize | 4695 bytes |
Plugin family | Firewalls |
Plugin created name | Marc Ruef |
Plugin created email | marc dot ruef at computec dot ch |
Plugin created web | http://www.computec.ch |
Plugin created company | computec.ch |
Plugin created date | 2004/09/02 |
Plugin updated name | Marc Ruef |
Plugin updated email | marc dot ruef at computec dot ch |
Plugin updated web | http://www.computec.ch |
Plugin updated company | computec.ch |
Plugin updated date | 2004/11/14 |
Plugin version | 2.0 |
Plugin changelog | Added SecurityTracker ID in version 1.1. Corrected the plugin structure and added the accuracy values in 1.2. Improved the pattern matching and introduced the plugin changelog in 2.0 |
Plugin protocol | tcp |
Plugin port | 80 |
Plugin procedure exploit | open|send GET http://www.computec.ch/?%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20 HTTP/1.0\n\n|sleep|close|pattern_not_exists HTTP/1.1 200 OK*Server: NETGEAR: Content Filter/1.#*Access Denied by NETGEAR* |
Plugin exploit accuracy | 97 |
Plugin comment | This plugin was written with the ATK Attack Editor. |
Bug published name | Marc Ruef |
Bug published email | marc dot ruef at computec dot ch |
Bug published web | http://www.computec.ch |
Bug published company | computec.ch |
Bug published date | 2004/05/24 |
Bug advisory | http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=667 |
Bug affected | Netgear RP114 |
Bug not affected | Other solutions |
Bug vulnerability class | Evasion |
Bug description | Netgear has some small router and firewalling devices for home users and small companies (SOHO). Most of these solutions are able to do a simple keyword based URL filtering. Lets say we don't want users to visit http://www.computec.ch so we create a filter for the keyword "computec.ch". If a user wants to access a domain that contains the string "computec.ch" (e.g. www.computec.ch or test.computec.ch) he will get a white html document that says "Blocked by NETGEAR". He is not able to see the requested document itself. The Netgear RP114 is not able to do the filtering if the requested URI is more than 220 bytes long. Other Netgear routers and firewalls may also be affected. If you are requesting the following URL, the attacker is able to see the requested web document without restriction. An attacker may be able to evade the URL black list and get access to disallowed ressources. This may be a buffer overflow and it may be possible to run arbitrary code on the Netgear device. |
Bug solution | Netgear may provide a new firmware or another workaround. It is suggested to install another URL filtering solution if this functionality is really needed. |
Bug fixing time | Approx. 45 minutes |
Bug exploit availability | Yes |
Bug exploit url | http://www.computec.ch/projekte/atk/ |
Bug remote | No |
Bug local | No |
Bug severity | Medium |
Bug popularity | 6 |
Bug simplicity | 8 |
Bug impact | 7 |
Bug risk | 6 |
Bug check tools | The ATK is able to exploit this vulnerability. Under some circumstances the WinAmp player is exploiting this vulnerability when fetching data from the Internet about a playing track. See also http://seclists.org/lists/bugtraq/2004/May/0263.html for more details. |
Source SecurityFocus BID | 10404 |
Source Secunia ID | 11698 |
Source SecuriTeam URL | http://www.securiteam.com/securitynews/5VP0P15CUK.html |
Source Security Tracker ID | 1010263 |
Source scipID | 667 |
Source Literature | Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X |
Source Misc. | http://www.securiteam.com/securitynews/5HP01208AQ.html |