netgear-xss.txt
Posted on 16 October 2007
----------------------------- || WWW.SMASH-THE-STACK.NET || ----------------------------- || ADVISORY: NETGEAR SSL312 XSS VULNERABILITY _____________________ || 0x00: ABOUT ME || 0x01: DATELINE || 0x02: INFORMATION || 0x03: EXPLOITATION || 0x04: RISK LEVEL ____________________________________________________________ ____________________________________________________________ _________________ || 0x00: ABOUT ME Author: SkyOut Date: October 2007 Contact: skyout[-at-]smash-the-stack[-dot-]net Website: www.smash-the-stack.net _________________ || 0x01: DATELINE 2007-10-08: Bug found 2007-10-09: Phone call with Netgear Germany 2007-10-09: Email with notification sent to Netgear Germany 2007-10-12: Still no reaction from Netgear Germany 2007-10-13: Advisory released ____________________ || 0x02: INFORMATION In the product "Netgear SSL312 PROSAFE SSL VPN-Concentrator 25", which is a VPN router for smaller to medium business companies and priced about 400 Euro, a bug occurs in the login page due to the fact of an unfiltered variable. It is possible to execute JavaScript code on the webinterface. It may be possible, that other products of this series are vulnerable to this bug, too (not tested!). _____________________ || 0x03: EXPLOITATION To exploit this bug no exploit is needed, all can be done trough the webinterface of the router in five simple steps: STEP 1: Go to the webinterface of the router, located at "/cgi-bin/welcome" by default. STEP 2: Wihout giving any further parameters click LOGIN. STEP 3: An error page will occurr with a variable (default is "err") in the URL. Example: "/cgi-bin/welcome/XYZ?err=" STEP 4: Manipulate the URL and put your script code into the variable. Demo: "/cgi-bin/welcome/XYZ?err=<script>alert('XSS');</script>" STEP 5: Click ENTER and the demo popup will show up. The script code has been successfully executed. ___________________ || 0x04: RISK LEVEL I would consider this a smaller bug, that can only be used in very specific situations. A successfull exploitation of this bug could lead to Session Hijacking. <!> Happy Hacking <!> ____________________________________________________________ ____________________________________________________________ THE END _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/