Network Everywhere's NR041 Router contains a flaw that may allow a malicious user to inject code into the web-based administrive interface by sending a specifically crafted DHCP packet whith a modified DHCP HOSTNAME. The issue is triggered when an administrator access the logs via the web-based interface where their browser will interpret the injected code. It is possible that the flaw may allow a remote attacker to take control of the administrator's session resulting in a loss of integrity or availability.

The DHCPing utility can be used to inject the necessary values into DHCP HOSTNAME. Due to the 15 char limit on the variable, code can be injected to call a remote malicious site e.g. an iframe can be used to call a remote page. This page can then include any arbitrary code and has access to the administrative session. The provided exploit makes a call to the administrative interface to reset the router to it's factore setting, effectivley setting the username and password to their defaults:

Administrator: none
Password: admin

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

Don't view logs via the web-based interface. Also as the DHCP HOSTNAME can only be injected from an attacker on the local network, monitoring for spurious DHCP packets is advisable.

• Security Tracker: 1011066
• Bugtraq ID: 11046
• Secunia Advisory ID: 12393
• ISS X-Force ID: 16468 17120
• CVE ID: 2004-1747 (see also: NVD)
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-08/0336.html
• Generic Informational URL: http://c3rb3r.openwall.net/dhcping/
• Generic Exploit URL: http://packetstormsecurity.nl/0406-exploits/dlink614.txt
• Vendor URL: http://www.networkeverywhere.com/
  http://www.networkeverywhere.com/products/nr041.asp

• Mathieu Lacroix - Daemonzvideotron.ca -