Bugtraq mailing list archives

Linksys BEFSR41 DHCP vulnerability server leaks network data


From: Lance Armstrong <mishlai () hotmail com>
Date: 7 Jun 2004 10:43:03 -0000



On May 2nd 2004 I sent an email (detailed below) to Linksys concerning this vulnerability.  Since then, Linksys has posted the vulnerability and a fix for the Revision 3 router here:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li=

Upgrades for Revs 1 & 2 are promised soon.

More details are included in the email:
************************
Linksys,

I believe I have found a vulnerability in your BEFSR41 router.  

The vulnerability involves a buffer leakage in the DHCP service. As a result, data that has recently passed through the 
router can be compromised by an attacker on the LAN.

This vulnerability was tested with firmware version 1.45.7.

Conditions required to exploit the vulnerability:
1) An attacking host on the LAN side of the router that can broadcast DHCP-INFORM packets to the LAN.  
2) A sniffer on the attacking host to record the router's response packets.
3) Data has recently passed between the LAN and WAN sides of the router.
4) DHCP is enabled on the router.

Details
I used a Windows 2000 DHCP server to create the DHCP-INFORM packets.  The server broadcasts the DHCP-INFORM message 
once an hour, or when the service is restarted.  These packets must be broadcast to the LAN side of the router.

If DHCP is enabled on the router, it will respond to each broadcast with a packet containing leaked buffer data.  The response is sent directly to the IP address of the attacking host.  Approximately 488 bytes of the 590-byte response come from the router's buffer, providing easily recognizable fragments of recently viewed web pages, etc.

Effects of the vulnerability:
Data that has passed through the router recently can be compromised by an attacker with access to the LAN.  This can 
include email sent or received, web pages viewed, and passwords (cleartext or weakly encrypted) that have been used by 
a LAN client to access a WAN resource or vice versa.

Interesting notes about the vulnerability that make it more difficult to detect an attacker:
- The attack does not rely on traditional methods to overcome switched networks. 

- The attacking host does not need to place its NIC in promiscuous mode.  

- It is also possible to craft DHCP-INFORM packets that are not broadcast, but directed at the router's address.

- This vulnerability also makes it possible to view data that was passed through the router at some time in the past, 
making it unnecessary to capture the traffic when it actually occurs.  This makes the physical aspect of security more 
difficult.  The victim and the attacker do not have to be on the LAN at the same time.

Here is an example of that last point:
1) A LAN user is visiting a website that requires HTTP-BASIC authentication, logs in, reads a few pages, and then 
closes the web browser.

2) At some point in the future, the attacker begins making DHCP-INFORM broadcasts from the LAN and collecting the 
buffer leakage that results.

3) Among the leaked data is the base64 encoded authorization that was used to access the HTTP-BASIC authenticated 
website.  The user's password has now been compromised.

Mitigating Factors

- The attacker must be on the LAN. 

- Only data which is still in the buffer can be compromised.  This limits the vulnerable data to the last few most 
recently visited web pages or a similar amount of data.

- Passing "unimportant" data through the router will flush the buffer and prevent the compromise of more important data.

- Cycling power to the router will clear the buffer.

- The DHCP service can be disabled on the router, removing the vulnerability entirely.

Moving Forward

It is my intention to post this vulnerability on Bugtraq in 1 month.  However, I want to give Linksys every opportunity 
to prepare a fix for this vulnerability before it is made public.  If more than 1 month will be required to resolve 
this issue, please let me know and I will work with you. 

I hope I have not left out any important details.  Please do not hesitate to contact me if you have any questions, and 
I wish you the best of luck in finding a solution.  Capture files of the vulnerability being exploited are available to 
you if you need them.

Sincerely,

Lance Armstrong
********************

The response I received from Linksys on 5/3/2004 led me to believe that I was the first to bring this to their 
attention, but the Linksys posting did not credit anyone specifically with finding the vulnerability.
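An added example, not from the original post or from Linksys, showing how a defender could spot this leak on the wire: a small Python parser that takes a raw DHCP payload (the UDP data), reads the message type (option 53) and counts the non-zero bytes in regions a well-formed DHCPACK leaves zeroed (the sname and file fields, and anything after the END option). It assumes, as a hypothesis the email does not state, that the leaked buffer contents land in those regions; the sample packets and the 32-byte threshold are constructed here.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPACK, DHCPINFORM = 5, 8

def parse_dhcp(payload: bytes) -> dict:
    """Split a raw DHCP payload (UDP data) into the fixed BOOTP fields and options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, pos, end = {}, 240, len(payload)
    while pos < len(payload):
        code = payload[pos]
        if code == 0:                      # PAD option, single byte
            pos += 1
            continue
        if code == 255:                    # END option: anything after it is padding
            end = pos + 1
            break
        if pos + 1 >= len(payload):        # truncated option header
            break
        length = payload[pos + 1]
        opts[code] = payload[pos + 2:pos + 2 + length]
        pos += 2 + length
    return {"sname": payload[44:108], "file": payload[108:236],
            "options": opts, "trailer": payload[end:]}

def leaked_bytes(payload: bytes) -> int:
    """Count non-zero bytes where a well-formed reply should carry only zeros:
    the sname/file fields and any bytes after the END option (assumed leak regions)."""
    m = parse_dhcp(payload)
    return sum(1 for b in m["sname"] + m["file"] + m["trailer"] if b)

def message_type(payload: bytes) -> int:
    return parse_dhcp(payload)["options"].get(53, b"\x00")[0]

def is_suspicious_reply(payload: bytes, threshold: int = 32) -> bool:
    """Flag a DHCPACK whose should-be-zero regions carry more than threshold bytes."""
    return message_type(payload) == DHCPACK and leaked_bytes(payload) > threshold

def build_ack(sname=b"", file=b"", trailer=b"") -> bytes:
    """Constructed DHCPACK from 192.168.1.1 to 192.168.1.100 (sample data, not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s", 2, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"\0" * 4, bytes([192, 168, 1, 100]), b"\0" * 4, b"\0" * 4, b"\0" * 16)
    opts = bytes([53, 1, DHCPACK, 54, 4, 192, 168, 1, 1, 255])
    return hdr + sname.ljust(64, b"\0") + file.ljust(128, b"\0") + MAGIC_COOKIE + opts + trailer

CLEAN_ACK = build_ack()
JUNK = b"<html><body>leaked page fragment</body></html>" * 6   # stand-in for buffer contents
LEAKY_ACK = build_ack(sname=JUNK[:64], file=JUNK[64:192], trailer=JUNK[192:212])
```

Run against DHCP replies captured on the LAN, the same check gives a cheap indicator that a router is still leaking after a firmware update, and a spike in DHCPINFORM (type 8) requests from one host is the matching request-side signal.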

