[WLANware] FW: [wlanfhain] DoS vuln in various versions of Linksys routers. (fwd)
Juergen Neumann
j.neumann
Mon Jun 7 11:20:12 CEST 2004
FYI:
> -----Original Message-----
> From: wlanfhain-bounce at databang.org
> [mailto:wlanfhain-bounce at databang.org] On Behalf Of Marlen Caemmerer
> Sent: Friday, June 04, 2004 3:06 PM
> To: wlanfhain at databang.org
> Subject: [wlanfhain] DoS vuln in various versions of Linksys routers. (fwd)
>
> ---------- Forwarded message ----------
> Date: 3 Jun 2004 08:28:24 -0000
> From: b0f www.b0f.net <b0fnet at yahoo.com>
> To: bugtraq at securityfocus.com
> Subject: DoS vuln in various versions of Linksys routers.
>
> Denial of Service Vulnerability in Linksys BEFSR41
> Router vuln was identified and tested on:
> Linksys BEFSR41 v3
> Linksys BEFSRU31
> Linksys BEFSR11
> Linksys BEFSX41
> Linksys BEFSR81 v2/v3
> Linksys BEFW11S4 v3
> Linksys BEFW11S4 v4
> Available from www.linksys.com
> October 19, 2003 (Revised November 10, 2003)
> Release Date: 3rd June 2004
> NOTE: THIS ADVISORY WAS ORIGINALLY WRITTEN FOR THE
> Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch
>
> I. BACKGROUND
>
> Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch
> "is the perfect option to connect multiple PCs to a high-speed
> Broadband Internet connection or to an Ethernet back-bone. Allowing
> up to 253 users, the built-in NAT technology acts as a firewall
> protecting your internal network." More information about it is
> available at
> http://www.linksys.com/products/product.asp?prid=20&grid=23
>
> II. DESCRIPTION
>
> It is possible for a remote/local attacker to crash the Linksys router and
> leave it in a state where it can't be accessed even after reboot due to an
> invalid password. An attacker could set up a web page or send an HTML
> email to someone inside the LAN to indirectly send commands to the router.
> An attacker could specify a URL that results in denial of service. The DoS
> occurs when 2 long strings are sent to the sysPasswd and sysPasswdConfirm
> parameters of the Gozila.cgi script; about 150 characters to each parameter
> seems to work fine. If an attacker can get the admin of the router to view a link
> or go to a web page that links to such a link as this:
>
> http://192.168.1.1/Gozila.cgi?sysPasswd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sysPasswdConfirm=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&UPnP_Work=1&FactoryDefaults=0
>
> The router will drop all internet connections making the internet inaccessible from the
> LAN even if the router is powered off and back on. It also seems to change the
> password in such a way that the admin can't log back into the router and the only way
> to solve it is by pressing the factory reset button on the front of the router, which will
> then reset all previously stored settings and reset the password back to factory default
> 'admin'. The router would then need to be set back up again from scratch.
>
>
> REVISED NOVEMBER 10, 2003
>
>
> On November 10 2003 I found another overflow in the Linksys router which is a similar attack
> method to the first vuln in this advisory. The DoS occurs in this attack when a long
> string of about 350 characters is passed to the 'DomainName' parameter of the Gozila.cgi
> script. An example of this attack would be to get the admin of a router to visit a link
> like this:
>
> http://192.168.1.1/Gozila.cgi?hostName=&DomainName=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&WANConnectionSel=0&ipAddr1=192&ipAddr2=168&ipAddr3=1&ipAddr4=1&netMask=0&WANConnectionType=1
>
> This would cause the router to crash and the factory reset button on the front of the
> router would need to be pressed to restore it back to normal working order.
>
>
>
> III. ANALYSIS
>
> Exploitation may be particularly dangerous, especially if the router's remote
> management capability is enabled. It may also be easily exploited by fooling
> an admin of the router into clicking a link he/she thinks is valid. This is probably
> a vuln in older versions of the firmware.
>
> IV. DETECTION
>
> This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with the latest
> firmware version 1.45.7. I also tested version 1.44.2z which is also vuln, so probably
> all other versions below this are also vuln. It may also be possible that other versions of
> Linksys routers are vuln to this attack if they use the same type of management. I'm unable
> to confirm any other models that are vuln to this attack. The Linksys BEFSRU31 and BEFSR11
> use the same version of firmware as the BEFSR41 so they are probably vuln.
>
> NOTE ADDED June 3rd 2004:
> The vendor confirmed this vuln in all versions stated at the start of this advisory.
>
> V. RECOVERY
>
> Pressing the reset button on the front of the router and setting it back up from scratch
> should restore normal functionality to the router.
>
> VI. WORKAROUND
>
> Don't click untrusted links.
>
> VII. VENDOR
> 19 Oct 2003: First vuln discovered.
> 10 Nov 2003: Second vuln discovered.
> 01 Dec 2003: Vendor contacted via security at linksys.com
> 01 Dec 2003: Response received from jay.price at linksys.com
> 10 Dec 2003: Issue has been turned over to project manager
> andreas.bang at linksys.com
> 17 Dec 2003: I was sent a beta release of the new firmware which fixed the vuln but
> had a bug where the logging function wouldn't work.
> 22 Dec 2003: andreas.bang at linksys.com has now moved office; now to
> contact anbang at cisco.com
> 29 Jan 2004: Was told patches would be up in the next week
> 29 Feb 2004: They said there was a problem with the code,
> still no patches
> 24 Mar 2004: Received an email about patches saying:
> BEFSR41 v3 (post on by 3/31)
> BEFSX41 (posted)
> BEFSR81 v2/v3 (in progress)
> BEFW11S4 v3 (post by 3/31)
> BEFW11S4 v4 (posted)
> 02 Jun 2004: Advisory released to public, still no patch for the Linksys BEFSR41
> EtherFast Cable/DSL Router with 4-Port Switch
> http://www.linksys.com/download/firmware.asp?fwid=3
> The version this advisory was first written for
> still remains vuln to date.
>
>
> b0f (Alan McCaig)
> b0fnet at yahoo.com
> www.b0f.net
>
>
>
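Added detection example, not part of the advisory or of the forwarded mail: a Python scan over constructed proxy-style log lines that flags Gozila.cgi requests carrying overlong sysPasswd, sysPasswdConfirm or DomainName values, and management requests whose Referer points to a page the router did not serve, which is the "get the admin to visit a link" path the advisory describes. The log line format, the length thresholds and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters named in the advisory.  Thresholds are assumptions set well below the
# ~150 / ~350 characters the advisory reports, so the rule fires before the crash point.
WATCHED = {"sysPasswd": 64, "sysPasswdConfirm": 64, "DomainName": 128}

# Assumed log line shape (constructed for this example, not a real device format):
#   <client-ip> "<METHOD> <absolute-url> HTTP/x.y" <status> "<referer>"
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" '
                    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$')

def check_request(url, referer="-"):
    """Return findings for one request to the router (empty list when benign)."""
    parts = urlsplit(url)
    findings = []
    if not parts.path.endswith("/Gozila.cgi"):
        return findings
    query = parse_qs(parts.query, keep_blank_values=True)
    for name, limit in WATCHED.items():
        for value in query.get(name, []):
            if len(value) > limit:
                findings.append(f"overlong {name}: {len(value)} chars (limit {limit})")
    # A management request referred from a page the router did not serve matches the
    # lure-link pattern in the advisory; "-" means the log had no Referer header.
    if referer not in ("-", "") and urlsplit(referer).hostname != parts.hostname:
        findings.append(f"cross-site referer: {referer}")
    return findings

def scan_log(lines):
    """Return (client, url, findings) for every suspicious line in an iterable of log lines."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match is None:
            continue  # skip lines that do not fit the assumed format
        findings = check_request(match["url"], match["referer"])
        if findings:
            alerts.append((match["src"], match["url"], findings))
    return alerts

# Constructed sample traffic: a normal page view, a lure-driven password-field overflow,
# a legitimate password change from the router's own form, and a DomainName overflow.
ROUTER = "http://192.168.1.1"
SAMPLE_LOG = [
    f'192.168.1.20 "GET {ROUTER}/index.htm HTTP/1.1" 200 "-"',
    f'192.168.1.20 "GET {ROUTER}/Gozila.cgi?sysPasswd={"A" * 150}&sysPasswdConfirm={"A" * 150}'
    f'&UPnP_Work=1&FactoryDefaults=0 HTTP/1.1" 200 "http://lure.example/page.html"',
    f'192.168.1.20 "GET {ROUTER}/Gozila.cgi?sysPasswd=hunter2&sysPasswdConfirm=hunter2 HTTP/1.1" 200 "{ROUTER}/Passwd.htm"',
    f'192.168.1.30 "GET {ROUTER}/Gozila.cgi?hostName=&DomainName={"A" * 350}&WANConnectionType=1 HTTP/1.1" 200 "-"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the second and fourth lines only; the password change driven from the router's own Passwd.htm form stays quiet because its values are short and its Referer host matches the router.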