exploit the possibilities

NetGearRP114DoS.txt

NetGearRP114DoS.txt
Posted Dec 14, 2005
Authored by Marc Ruef | Site scip.ch

Marc Ruef found an old fashioned denial of service flaw in the NetGear RP114 device.

tags | advisory, denial of service
MD5 | 3324c8625d16b293772c9133758ac086

NetGearRP114DoS.txt

Change Mirror Download
 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetGear RP114 TCP SYN Flooding Denial of Service

scip AG Vulnerability (12/12/2005)

I. INTRODUCTION

NetGear is a popular manufacturer for network devices. Especially their
SOHO and appliance boxes are widely in private use. One of the user
products is RP114, a hub device with additional routing, packet and
simple content filtering functionality.

More Information are available at the official NetGear web site:

http://www.netgear.com

II. DESCRIPTION

Marc Ruef found an old fashioned denial of service flaw in this device.
By starting a transit TCP SYN flooding the routing between the internal
and the external interface is not possible anymore. An attacker can use
this to prevent legitimate users from accessing connected networks (e.g.
the WAN/Internet). Other devices by NetGear (e.g. routers and wlan
access points) may be also affected.

III. EXPLOITATION

Running TCP SYN flooding is very simple and can be realized by a large
variety of public attack tools. But it is also possible to initialize
such an attack my misusing a port scanning utility. Starting a scan with
nmap by Fyodor with the following command is able to reproduce the
denial of service:

nmap -PS80 192.168.0.0/24

It does not matter how many target ports or hosts are defined. It is
just important to open approx. more than 740 persistant and half-open
connections. It is also required to scan something on the other
interface of the device than the attacker is connected to (e.g. scanning
an external host by sitting on the internal interface and vice versa).

IV. IMPACT

After a successfull attack no further routing between the networks is
possible anymore. This makes it impossible for legitimate users to
connect to the Internet or another network segment. During this time
direct connections to the affected device remains possible (e.g.
connection to the web interface or ping).

Just a reboot of the device can restore the productive status
immediately. Or you have to wait approx. 2 minutes for the device to
flush all half-open connections and return to full operational status.

V. DETECTION

The detection of this attack is not possible on the device itself. But
further security devices (e.g. dedicated firewalls or intrusion
detection systems) are able to detect this kind of classical attack.

VI. WORKAROUND

Do not plug the RP114 in not-trusted networks where the inter-connection
requires a high availability. In this case move to more professional
hardware that is able to handle a large amount of persistant connections
adequately.

VII. VENDOR RESPONSE

No response from NetGear came back. Due the fact the affected device
RP114 is not listed on the web site anymore and the last firmware is
dated back to 2002, no firmware update could be expected.

VIII. SOURCES

scip AG Vulnerability Database (german)
http://www.scip.ch/cgi-bin/smss/showadvf.pl

scip monthly Security Summary (german)
http://www.scip.ch/publikationen/smss/

computec.ch document data base (german)
http://www.computec.ch/download.php?list.7 (Denial of Service)
http://www.computec.ch/download.php?list.8 (Firewalling)
http://www.computec.ch/download.php?list.11 (Networking)

IX. DISCLOSURE TIMELINE

11/23/05 Marc Ruef verifies the for a long time suspected flaw
11/24/05 Inform the vendor by sending an email to
pressrelations-at-netgear.com
12/12/05 Public advisory

X. CREDITS

The vulnerability was discovered and analyzed by Marc Ruef at scip AG,
Switzerland.

Marc Ruef, scip AG
maru-at-scip.ch
http://www.scip.ch

A1. BIBLIOGRAPHY

See VIII. for some useful web ressources.

A2. LEGAL NOTICES

Copyright (c) 2005 by scip AG, Switzerland.

Permission is granted for the re-distribution of this alert. It may not
be edited in any way without permission of scip AG.

The information in the advisory is believed to be accurate at the time
of publishing. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect or consequential loss or damage from use of or reliance
on this advisory.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQ508Dhe5hzJzqVMhEQLEagCfWfWq7GDfBBKu64QwoXTnt43aF84AoJwS
T4IiiG+jatHKlgo9aguvrwyn
=59cT
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close