<plugin_id>135</plugin_id>
<plugin_name>Netgear RP114 URL filtering long request evasion</plugin_name>
<plugin_family>Firewalls</plugin_family>
<plugin_created_date>2004/09/02</plugin_created_date>
<plugin_created_name>Marc Ruef</plugin_created_name>
<plugin_created_email>marc dot ruef at computec dot ch</plugin_created_email>
<plugin_created_web>http://www.computec.ch</plugin_created_web>
<plugin_created_company>computec.ch</plugin_created_company>
<plugin_updated_name>Marc Ruef</plugin_updated_name>
<plugin_updated_email>marc dot ruef at computec dot ch</plugin_updated_email>
<plugin_updated_web>http://www.computec.ch</plugin_updated_web>
<plugin_updated_company>computec.ch</plugin_updated_company>
<plugin_updated_date>2004/11/14</plugin_updated_date>
<plugin_version>2.0</plugin_version>
<plugin_changelog>Added SecurityTracker ID in version 1.1. Corrected the plugin structure and added the accuracy values in 1.2. Improved the pattern matching and introduced the plugin changelog in 2.0</plugin_changelog>
<plugin_protocol>tcp</plugin_protocol>
<plugin_port>80</plugin_port>
<plugin_procedure_exploit>open|send GET http://www.computec.ch/?%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20 HTTP/1.0\n\n|sleep|close|pattern_not_exists HTTP/1.1 200 OK*Server: NETGEAR: Content Filter/1.#*Access Denied by NETGEAR*</plugin_procedure_exploit>
<plugin_exploit_accuracy>97</plugin_exploit_accuracy>
<plugin_comment>This plugin was written with the ATK Attack Editor.</plugin_comment>
<bug_published_name>Marc Ruef</bug_published_name>
<bug_published_email>marc dot ruef at computec dot ch</bug_published_email>
<bug_published_web>http://www.computec.ch</bug_published_web>
<bug_published_company>computec.ch</bug_published_company>
<bug_published_date>2004/05/24</bug_published_date>
<bug_advisory>http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=667</bug_advisory>
<bug_affected>Netgear RP114</bug_affected>
<bug_not_affected>Other solutions</bug_not_affected>
<bug_vulnerability_class>Evasion</bug_vulnerability_class>
<bug_description>Netgear has some small router and firewalling devices for home users and small companies (SOHO). Most of these solutions are able to do a simple keyword based URL filtering. Lets say we don't want users to visit http://www.computec.ch so we create a filter for the keyword "computec.ch". If a user wants to access a domain that contains the string "computec.ch" (e.g. www.computec.ch or test.computec.ch) he will get a white html document that says "Blocked by NETGEAR". He is not able to see the requested document itself. The Netgear RP114 is not able to do the filtering if the requested URI is more than 220 bytes long. Other Netgear routers and firewalls may also be affected. If you are requesting the following URL, the attacker is able to see the requested web document without restriction. An attacker may be able to evade the URL black list and get access to disallowed ressources. This may be a buffer overflow and it may be possible to run arbitrary code on the Netgear device.</bug_description>
<bug_solution>Netgear may provide a new firmware or another workaround. It is suggested to install another URL filtering solution if this functionality is really needed. </bug_solution>
<bug_fixing_time>Approx. 45 minutes</bug_fixing_time>
<bug_exploit_availability>Yes</bug_exploit_availability>
<bug_exploit_url>http://www.computec.ch/projekte/atk/</bug_exploit_url>
<bug_remote>No</bug_remote>
<bug_local>No</bug_local>
<bug_severity>Medium</bug_severity>
<bug_popularity>6</bug_popularity>
<bug_simplicity>8</bug_simplicity>
<bug_impact>7</bug_impact>
<bug_risk>6</bug_risk>
<bug_check_tool>The ATK is able to exploit this vulnerability. Under some circumstances the WinAmp player is exploiting this vulnerability when fetching data from the Internet about a playing track. See also http://seclists.org/lists/bugtraq/2004/May/0263.html for more details.</bug_check_tool>
<source_securityfocus_bid>10404</source_securityfocus_bid>
<source_secunia_id>11698</source_secunia_id>
<source_securiteam_url>http://www.securiteam.com/securitynews/5VP0P15CUK.html</source_securiteam_url>
<source_securitytracker_id>1010263</source_securitytracker_id>
<source_scip_id>667</source_scip_id>
<source_literature>Hacking Intern - Angriffe, Strategien, Abwehr, Marc Ruef, Marko Rogge, Uwe Velten and Wolfram Gieseke, November 1, 2002, Data Becker, Düsseldorf, ISBN 381582284X</source_literature>
<source_misc>http://www.securiteam.com/securitynews/5HP01208AQ.html</source_misc>