Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

LG Electronics LG3001f router

From: "Bromirski, Lukasz" <LBromirski () techdata pl>
Date: Wed, 21 Aug 2002 11:10:33 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Issue: ----------------------------------------------------------------|

 LG Electronics LR3001f is a WAN router. It comes with no access
 lists defined, which enables administrator to connect both to
 port 23/tcp (telnet) and 80/tcp (www server). However, IP stack of
 LR3001f has several bugs, that can be exploited via network.

Description: ----------------------------------------------------------|

 When configured without access lists protecting ports 23 or/and 80,
 the LR3001f is vulnerable to at least two bugs, resulting from
 memory allocation function buffer overflows.
   
 First is exploitable without any access to user account at the
 router. Only thing needed is access to port 23/tcp or 80/tcp. If
 the router is attacked with data stream (can be any characters,
 both randomized and text-only input was used during testing)
 targeted at one of the mentioned ports it will reboot, with one of
 the following messages:
   
 Router# [BUFFER] Unknown free 0xffffffff
 Router# can't malloc

 or

 Router# [BUFFER] ERROR free not in use
 Router# can't malloc

 Second bug is directly in the telnet service, when checking
 passwords. The same technique with random data stream is used,
 however few ENTER characters should be sent at first, to overcome
 router primary prompt waiting for that key to be pressed. In this
 case, router reboots with no message.

Vulnerable versions: --------------------------------------------------|

 All software versions up to and including 4.0 are vulnerable to all
 those types of attack.
   
 4.57 version downloadable from vendor website is vulnerable to second
 type of attack, however is not vulnerable to first type of attack.
   
 The vendor representative was informed about the vulnerabilities on
 2002-04-18. LG did not respond in any way and have not released any
 fixed or new software version.

Info on this advisory: ------------------------------------------------|

 This advisory can be accessed on-line at my personal site:
 http://mr0vka.eu.org/docs/advisories/lg-3001f-2002-04-18.txt
   
 My personal PGP key fingerprint is:
 5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49
 My personal PGP key is located at:
 http://mr0vka.eu.org/pgp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9Y1PDYqhjwgk7bEkRAphSAKDSip0f/1KhFKueNzGsyl5DcGaLSQCdF7LB
7+JjSjDOvMRTUt8uvtW9A80=
=AJQc
-----END PGP SIGNATURE----- 

-- 
Ɓukasz Bromirski                    lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc       http://mr0vka.eu.org
PGP finger   5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49
Previous By Date Next
Previous By Thread Next

Current thread: