16th Apr 2003 [SBWID-6158]
Netgear routers logging vulnerability
At least Model: RP114 Firmware: V3.26
From [http://elaboration.8bit.co.uk/] :
There is a problem in the way Netgear routers log outgoing HTTP
connections which could lead to log corruption as well as dangerous
character or script injection.
Though this problem has only been confirmed for the above model it is
believed other models with the same or similar web administration
interface will also prove to be vulnerable. This assumption is made due
to the similar feature descriptions seen at the vendor's web site.
The problem lies in the way the device logs hostnames.
In the web administration interface the admin has access to content
filter logs. The device logs all unique outgoing TCP connections with a
destination port of 80 by default. The log records things like date and
time, source IP address and destination host. Unfortunately, instead of
the device independently resolving the hostname, the log entry is taken
from the client supplied HTTP request.
The HTTP query does not have to be successful for the log to be
written, meaning any data can be included.
This problem allows for various types of attack against the logging
mechanism. We also believe attacks could be launched against the Admin
It should also be mentioned that this problem can be exacerbated if the
email log alert option is configured (non-default). This could extend
the scope of possible attacks to MUAs and other clients.
Proof of Concept
To test if your Netgear device is vulnerable try:
echo GET / HTTP/1.1\r\nHost: vulnerable | nc www.netgear.com 80
Then check the content filter logs in the advanced menu of your Netgear
router. You should see a connection to host vulnerable instead of
We have been informed during previous communications with Netgear
support staff that the RP114 is a "discontinued device" and there is no
intention by Netgear to patch. However, due to the possible cross-model
nature of this problem Netgear were informed.
Support contact: [email protected]
Date informed: 07.04.03
First response: 09.04.03
Action taken: Referred to a HTML feedback form
Release date: 16.04.03
Official vendor response:
"Your request may be best addressed at Netgear's Engineer level at this link:
Nothing futher was received from the vendor after the initial response