Vulnwatch mailing list archives
Re: IDEFENSE DOS in Linksys BEFSR41 EtherFast Cable/DSL Router + More issues DLINK & LINKSYS
From: "Mark Litchfield" <mark () ngssoftware com>
Date: Fri, 1 Nov 2002 14:51:08 -0800
I sent a mail to linksys about four days ago, and again two days ago, like yourself with no luck. There is also a Denial Of Service in their Access Points (not to mention that Dlink Routers and Access Points also have the same issue). My attack is different though than that mentioned. Both Dlink and Linksys are running Embedded HTTP Server (various versions), I suspect that many other vendors are also using this Web Server. Attack :- GET / HTTP/1.1 Host: Long Char String Infact by supplying any overly long request header field of any type ie User-Agent the Access Points or Servers will die. My guess is that there is a classic bufferoverun opportunity here, but sadly I am not aware of any method by which to first establish what the relevant process is, and how to attach a debugger to it with it being firmware. (Any help in this regard would be most appreciated). Again as was advised by iDefense disable the remote web management feature as a temporary fix. Regards Mark Litchfield NGS Software Ltd http://www.ngssoftware.com/ Tel: +44 208 40 100 70 (London) Tel: +44 1241 431 267 Mobile: +44 790 069 5236 Email: mark () ngssoftware com ----- Original Message ----- From: "David Endler" <dendler () idefense com> To: <vulnwatch () vulnwatch org> Sent: Thursday, October 31, 2002 6:09 PM Subject: [VulnWatch] iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 10.31.02a: http://www.idefense.com/advisory/10.31.02a.txt Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router October 31, 2002 I. BACKGROUND Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at http://www.linksys.com/products/product.asp?prid=20&grid=23. II. DESCRIPTION The BEFSR41 crashes if a remote and/or local attacker accesses the script Gozila.cgi using the router's IP address with no arguments. Remote exploitation requires that the router's remote management be enabled. A sample exploit looks as follows: http://192.168.1.1/Gozila.cgi? III. ANALYSIS Exploitation may be particularly dangerous, especially if the router's remote management capability is enabled. An attacker can trivially crash the router by directing the URL above to its external interface. In general, little reason exists to allow the web management feature to be accessible on the external interface of the router. It is feasible that this type of vulnerability exists in older firmware versions in other Linksys hardware. IV. DETECTION This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with firmware earlier than version 1.42.7. V. RECOVERY Pressing the reset button on the back of the router should restore normal functionality. VI. WORKAROUND Ensure the remote web management feature is disabled, if unnecessary. VII. VENDOR FIX Firmware version 1.42.7 and later fix this problem. Version 1.43, which is the latest available version, can be found at http://www.linksys.com/download/firmware.asp?fwid=1. VIII. CVE INFORMATION The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1236 to this issue. IX. DISCLOSURE TIMELINE 08/27/2002 Issue disclosed to iDEFENSE 09/12/2002 Linksys notified 09/12/2002 iDEFENSE clients notified 09/13/2002 Response received from maryann.gamboa () Linksys com 09/19/2002 Status request from iDEFENSE 09/20/2002 Asked to delay advisory until second level support can respond 10/20/2002 No response from second level support, another status request to maryann.gamboa () Linksys com 10/31/2002 Still no response from Linksys, public disclosure X. CREDIT Jeep 94 (lowjeep94 () hotmail com) is credited with discovering this vulnerability. Get paid for security research http://www.idefense.com/contributor.html Subscribe to iDEFENSE Advisories: send email to listserv () idefense com, subject line: "subscribe" About iDEFENSE: iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world - from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com. - -dave David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendler () idefense com www.idefense.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPcHhwErdNYRLCswqEQKdigCgrSe4Z3J6ygmcribEJMa2wezmk6QAoND7 EE5vWSvk+ZFP7jIvXEPBGjGe =oTCt -----END PGP SIGNATURE-----
Current thread:
- iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router David Endler (Oct 31)
- Re: IDEFENSE DOS in Linksys BEFSR41 EtherFast Cable/DSL Router + More issues DLINK & LINKSYS Mark Litchfield (Nov 01)