"NetGear RP114 is a Cable or DSL Router".
By TCP SYN flooding the NetGear RP114 product, remote attackers can cause the router to deny any incoming communication to the device.
Credit:
The information has been provided by Marc Ruef.
Vulnerable Systems:
* NetGear RP114
Once a transit TCP SYN flood is started, routing between the internal and the external interface is no longer possible. An attacker can use this to prevent legitimate users from accessing connected networks (e.g. the WAN/Internet). Other devices by NetGear (e.g. routers and WLAN access points) may also be affected.
Running a TCP SYN flood is very simple and can be done with a large variety of public attack tools. It is also possible to trigger such an attack by misusing a port scanning utility. Starting a scan with nmap by Fyodor with the following command reproduces the denial of service:
nmap -PS80 192.168.0.0/24
It does not matter how many target ports or hosts are defined. What matters is opening more than approximately 740 persistent half-open connections. The scan must also target something on the other interface of the device than the one the attacker is connected to (e.g. scanning an external host while sitting on the internal interface, and vice versa).
After a successful attack no further routing between the networks is possible. This makes it impossible for legitimate users to connect to the Internet or another network segment. During this time direct connections to the affected device remain possible (e.g. connecting to the web interface or ping).
Workarounds:
1. A reboot of the device can restore the productive status immediately.
2. Waiting for approximately 2 minutes for the device to flush all half-open connections and return to full operational status.
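For monitoring an affected device, the following added example (not part of the original advisory) counts half-open transit connections from connection events and compares the count with the approximate limit of 740 and the 2-minute flush described above. The LAN range, router address, event format, per-entry ageing model and sample data are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed internal network
ROUTER = ipaddress.ip_address("192.168.0.1")  # assumed address of the router
TABLE_LIMIT = 740     # approximate half-open count given in the advisory
FLUSH_SECONDS = 120   # approximate recovery time given in the advisory

def is_transit(src, dst):
    """True when a flow is routed between the internal and external side."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ROUTER in (s, d):
        return False  # traffic to the device itself is not routed
    return (s in LAN) != (d in LAN)

def half_open_at(events, now):
    """Count transit connections still half-open at time `now` (seconds).

    events: (time, src, dst, sport, dport, flag) tuples seen from the
    initiator; flag is "S" (SYN), "A" (final handshake ACK) or "R" (RST).
    """
    pending = {}
    for t, src, dst, sport, dport, flag in sorted(events):
        if t > now or not is_transit(src, dst):
            continue
        key = (src, sport, dst, dport)
        if flag == "S":
            pending[key] = t
        else:
            pending.pop(key, None)  # handshake completed or reset
    # Assumed ageing model: an entry is dropped FLUSH_SECONDS after its SYN.
    return sum(1 for t in pending.values() if now - t < FLUSH_SECONDS)

def assess(events, now, warn_ratio=0.8):
    """Return (half_open_count, status) for the router at time `now`."""
    count = half_open_at(events, now)
    if count > TABLE_LIMIT:
        return count, "routing likely stalled"
    if count >= TABLE_LIMIT * warn_ratio:
        return count, "approaching limit"
    return count, "ok"

def constructed_sample():
    """Constructed data: 100 unanswered SYNs per second for 8 s, plus normal traffic."""
    ev = [(i // 100, "192.168.0.50", "203.0.113.10", 20000 + i, 80, "S")
          for i in range(800)]
    ev += [(1, "192.168.0.20", "198.51.100.7", 40000, 443, "S"),
           (2, "192.168.0.20", "198.51.100.7", 40000, 443, "A"),
           (2, "192.168.0.20", "192.168.0.1", 40001, 80, "S")]  # to the router
    return ev
```

Completed handshakes and connections addressed to the router itself are excluded, matching the advisory's observation that only routed traffic stops while the web interface and ping stay reachable.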
Vendor Status:
No response came back from NetGear. Because the affected device RP114 is no longer listed on the web site and the last firmware dates back to 2002, no firmware update can be expected.
Disclosure Timeline:
11/23/05 Marc Ruef verifies the long-suspected flaw
11/24/05 Vendor informed by email sent to pressrelations-at-netgear.com
12/12/05 Public advisory