Re: IDEFENSE DOS in Linksys BEFSR41 EtherFast Cable/DSL Router + More issues DLINK & LINKSYS

["Mark Litchfield" <mark () ngssoftware com>]

I sent a mail to linksys about four days ago, and again two days ago, like
yourself with no luck.  There is also a Denial Of Service in their Access
Points (not to mention that Dlink Routers and Access Points also have the
same issue).  My attack is different though than that mentioned.

Both Dlink and Linksys are running Embedded HTTP Server (various versions),
I suspect that many other vendors are also using this Web Server.

Attack :-

GET / HTTP/1.1
Host: Long Char String

Infact by supplying any overly long request header field of any type ie
User-Agent the Access Points or Servers will die.  My guess is that there is
a classic bufferoverun opportunity here, but sadly I am not aware of any
method by which to first establish what the relevant process is, and how to
attach a debugger to it with it being firmware.  (Any help in this regard
would be most appreciated).

Again as was advised by iDefense disable the remote web management feature
as a temporary fix.
Regards

Mark Litchfield
NGS Software Ltd
http://www.ngssoftware.com/
Tel: +44 208 40 100 70 (London)
Tel: +44 1241 431 267
Mobile: +44 790 069 5236
Email: mark () ngssoftware com

----- Original Message -----
From: "David Endler" <dendler () idefense com>
To: <vulnwatch () vulnwatch org>
Sent: Thursday, October 31, 2002 6:09 PM
Subject: [VulnWatch] iDEFENSE Security Advisory 10.31.02a: Denial of Service
Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDEFENSE Security Advisory 10.31.02a:
> http://www.idefense.com/advisory/10.31.02a.txt
> Denial of Service Vulnerability in Linksys BEFSR41 EtherFast
> Cable/DSL Router
> October 31, 2002
>
> I. BACKGROUND
>
> Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch
> "is the perfect option to connect multiple PCs to a high-speed
> Broadband Internet connection or to an Ethernet back-bone. Allowing
> up to 253 users, the built-in NAT technology acts as a firewall
> protecting your internal network." More information about it is
> available at
> http://www.linksys.com/products/product.asp?prid=20&grid=23.
>
> II. DESCRIPTION
>
> The BEFSR41 crashes if a remote and/or local attacker accesses the
> script Gozila.cgi using the router's IP address with no arguments.
> Remote exploitation requires that the router's remote management be
> enabled. A sample exploit looks as follows:
>
> http://192.168.1.1/Gozila.cgi?
>
> III. ANALYSIS
>
> Exploitation may be particularly dangerous, especially if the
> router's remote management capability is enabled. An attacker can
> trivially crash the router by directing the URL above to its external
> interface. In general, little reason exists to allow the web
> management feature to be accessible on the external interface of the
> router. It is feasible that this type of vulnerability exists in
> older firmware versions in other Linksys hardware.
>
> IV. DETECTION
>
> This vulnerability affects the BEFSR41 EtherFast Cable/DSL router
> with firmware earlier than version 1.42.7.
>
> V. RECOVERY
>
> Pressing the reset button on the back of the router should restore
> normal functionality.
>
> VI. WORKAROUND
>
> Ensure the remote web management feature is disabled, if unnecessary.
>
> VII. VENDOR FIX
>
> Firmware version 1.42.7 and later fix this problem. Version 1.43,
> which is the latest available version, can be found at
> http://www.linksys.com/download/firmware.asp?fwid=1.
>
> VIII. CVE INFORMATION
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1236 to this issue.
>
> IX. DISCLOSURE TIMELINE
>
> 08/27/2002 Issue disclosed to iDEFENSE
> 09/12/2002 Linksys notified
> 09/12/2002 iDEFENSE clients notified
> 09/13/2002 Response received from
> maryann.gamboa () Linksys com
> 09/19/2002 Status request from iDEFENSE
> 09/20/2002 Asked to delay advisory until
> second level support can respond
> 10/20/2002 No response from second level support,
> another status request to maryann.gamboa () Linksys com
> 10/31/2002 Still no response from Linksys, public disclosure
>
> X. CREDIT
>
> Jeep 94 (lowjeep94 () hotmail com) is credited with discovering this
> vulnerability.
>
>
>
> Get paid for security research
> http://www.idefense.com/contributor.html
>
> Subscribe to iDEFENSE Advisories:
> send email to listserv () idefense com, subject line: "subscribe"
>
>
> About iDEFENSE:
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world - from technical
> vulnerabilities and hacker profiling to the global spread of viruses
> and other malicious code. Our security intelligence services provide
> decision-makers, frontline security professionals and network
> administrators with timely access to actionable intelligence
> and decision support on cyber-related threats. For more information,
> visit http://www.idefense.com.
>
>
> - -dave
>
> David Endler, CISSP
> Director, Technical Intelligence
> iDEFENSE, Inc.
> 14151 Newbrook Drive
> Suite 100
> Chantilly, VA 20151
> voice: 703-344-2632
> fax: 703-961-1071
>
> dendler () idefense com
> www.idefense.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1.2
> Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
>
> iQA/AwUBPcHhwErdNYRLCswqEQKdigCgrSe4Z3J6ygmcribEJMa2wezmk6QAoND7
> EE5vWSvk+ZFP7jIvXEPBGjGe
> =oTCt
> -----END PGP SIGNATURE-----