[WLANware] FW: [wlanfhain] DoS vuln in various versions of Linksys routers. (fwd)
Mo Jun 7 11:20:12 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
> -----Original Message-----
> From: wlanfhain-bounce at databang.org
> [mailto:wlanfhain-bounce at databang.org]On Behalf Of Marlen Caemmerer
> Sent: Friday, June 04, 2004 3:06 PM
> To: wlanfhain at databang.org
> Subject: [wlanfhain] DoS vuln in various versions of Linksys routers.
> ---------- Forwarded message ----------
> Date: 3 Jun 2004 08:28:24 -0000
> From: b0f www.b0f.net <b0fnet at yahoo.com>
> To: bugtraq at securityfocus.com
> Subject: DoS vuln in various versions of Linksys routers.
> Denial of Service Vulnerability in
> Linksys BEFSR41 - Router vuln was identified and tested on.
> Linksys BEFSR41 v3
> Linksys BEFSRU31
> Linksys BEFSR11
> Linksys BEFSX41
> Linksys BEFSR81 v2/v3
> Linksys BEFW11S4 v3
> Linksys BEFW11S4 v4
> Available from www.linksys.com
> October 19, 2003 (Revised November 10, 2003)
> Released Date: 3rd June 2004
> NOTE: THIS ADVISORY WAS ORIGINALLY WITTEN FOR THE
> Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch
> I. BACKGROUND
> Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch
> "is the perfect option to connect multiple PCs to a high-speed
> Broadband Internet connection or to an Ethernet back-bone. Allowing
> up to 253 users, the built-in NAT technology acts as a firewall
> protecting your internal network." More information about it is
> available at
> II. DESCRIPTION
> It is possible for a remote/local attacker to crash the
> linksys router and
> leave it in a state that it can't be accessed even after
> reboot due to an
> invalid password. An attacker could set up a web page or send an html
> email to someone inside the LAN to indirectly send commands
> to the router.
> An attacker could specify a URL that results in denial of
> service. The DoS
> Occurs when 2 long strings are sent to the sysPasswd and
> Parameters on the Gozila.cgi script, about 150 characters to
> each parameter
> Seems to work fine. If an attacker can get the admin of the
> router to view a link
> Or goto a webpage that links to such a link as this.
> The router will drop all internet connections making the
> internet inaccessible from the
> LAN even if the router is powered off and back on. It also
> seems to change the
> password in such a way that the admin can't log back into the
> router and the only way
> to solve it is by pressing the factory reset button on the
> front of the router, Which will
> then reset all previously stored settings and reset the
> password back to factory default
> 'admin'. The router would then need to be set back up again
> from scratch.
> REVISED NOVEMBER 10, 2003
> On November 10 2003 I found another overflow in linksys
> router which is a similar attack
> method to the first vuln in this advisory. The DoS occurs in
> this attack when a long
> string about 350 characters is passed to the 'DomainName'
> parameter of the Gozila.cgi
> script. An example of this attack would be to get the admin
> of a router to visit a link
> like this.
> This would cause the router to crash and the Factory reset
> button on the front of the
> Router would need to be pressed to restore it back to normal
> working order.
> III. ANALYSIS
> Exploitation may be particularly dangerous, especially if the
> router's remote
> management capability is enabled. It may also be easily
> exploited by fooling
> an admin of the router into clicking a link he/she thinks is
> valid. This is probably
> vuln in older version of the firmware.
> IV. DETECTION
> This vulnerability affects the BEFSR41 EtherFast Cable/DSL
> router with the latest
> firmware version 1.45.7 I also tested version 1.44.2z which
> is also vuln so probably
> all other version below this are also vuln . It may also be
> possible that other version of
> Linksys routers are vuln to this attack if they use the same
> type of management. I'm unable
> to confirm any other models that are vuln to this attack. The
> Linksys BEFSRU31 and BEFSR11
> use the same version of firmware as the BEFSR41 so they are
> probably vuln.
> NOTE ADDED June 3rd 2004:
> The Vendor confirmed this vuln in all version stated at the
> start of this advisory
> V. RECOVERY
> Pressing the reset button on the front of the router and
> setting it back up from scratch
> should restore normal functionality to the router.
> VI. WORKAROUND
> Don't click untrusted links.
> VII. VENDOR
> 19 Oct 2003: First vuln discovered.
> 10 Nov 2003: Second vuln discovered.
> 01 Dec 2003: Vendor contacted via security at linksys.com
> 01 Dec 2003: Response Recived from jay.price at linksys.com
> 10 Dec 2003: Issue been turned over to project manager
> andreas.bang at linksys.com
> 17 Dec 2003: I was sent a beta release of the new firmware
> witch fixed the vuln but
> had a bug where the logging function wouldn't work.
> 22 DEc 2003: andreas.bang at linksys.com now moved office now to
> contact anbang at cisco.com
> 29 Jan 2004: Was told patches would be up in the next week
> 29 Feb 2004: They said there was a problem with the code,
> still no patches
> 24 Mar 2004: Recived a email about patches saying.
> BEFSR41 v3(Post on by 3/31)
> BEFSX41 (posted)
> BEFSR81 v2/v3(in progress)
> BEFW11S4 v3(post by 3/31)
> BEFW11S4 v4(posted)
> 02 Jun 2004: Advisory released to public still no patch for
> the Linksys BEFSR41
> EtherFast Cable/DSL Router with 4-Port Switch
> The version this advisory was first written for
> it still remains vuln to date.
> b0f (Alan McCaig)
> b0fnet at yahoo.com
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.700 / Virus Database: 457 - Release Date: 06.06.2004
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
-----END PGP SIGNATURE-----
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.700 / Virus Database: 457 - Release Date: 06.06.2004
WLANware mailing list
WLANware at freifunk.net
Mehr Informationen über die Mailingliste Berlin