|
|
Info |
Last Modified |
| 7 months ago |
|
|
|
|
Description |
Network Everywhere's NR041 Router contains a flaw that may allow a malicious user to inject code into the web-based administrive interface by sending a specifically crafted DHCP packet whith a modified DHCP HOSTNAME. The issue is triggered when an administrator access the logs via the web-based interface where their browser will interpret the injected code. It is possible that the flaw may allow a remote attacker to take control of the administrator's session resulting in a loss of integrity or availability.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Information Disclosure,
Input Manipulation
Impact:
Loss of Integrity,
Loss of Availability
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
|
|
Technical |
The DHCPing utility can be used to inject the necessary values into DHCP HOSTNAME. Due to the 15 char limit on the variable, code can be injected to call a remote malicious site e.g. an iframe can be used to call a remote page. This page can then include any arbitrary code and has access to the administrative session. The provided exploit makes a call to the administrative interface to reset the router to it's factore setting, effectivley setting the username and password to their defaults:
Administrator: none
Password: admin
|
|
Solution |
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Don't view logs via the web-based interface. Also as the DHCP HOSTNAME can only be injected from an attacker on the local network, monitoring for spurious DHCP packets is advisable.
|
|
Products |
|
NR041 Cable/DSL 4-port Router
 |
1.2 Release 03 |
|
|
|
|
Credit |
- Mathieu Lacroix - Daemonz
 videotron.ca -
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
