BugTraq
Re: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
Nov 01 2002 06:35PM
Alex Harasic (aharasic terra cl)
In-Reply-To: <3DC19BF6.7734.81AE5A5@localhost>

I tested this vulnerability on a Linksys Wireless Access Point Router with 4-Port Switch - BEFW11S4 Version 2 with firmware 1.42.7 and the vulnerability is there too. It hangs the router for about 5 seconds; after that it returns to normal functioning. Then I upgraded to the latest firmware 1.43 and the vulnerability is there as well.

Alex S. Harasic
aharasic (at) nolink (dot) cl [email concealed]

>From: "David Endler" <dendler (at) idefense (dot) com [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Date: Thu, 31 Oct 2002 21:09:10 -0500
>Subject: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
>Reply-To: dendler (at) idefense (dot) com [email concealed]
>Message-ID: <3DC19BF6.7734.81AE5A5@localhost>
>
>iDEFENSE Security Advisory 10.31.02a:
>http://www.idefense.com/advisory/10.31.02a.txt
>Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
>October 31, 2002
>
>I. BACKGROUND
>
>Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at http://www.linksys.com/products/product.asp?prid=20&grid=23.
>
>II. DESCRIPTION
>
>The BEFSR41 crashes if a remote and/or local attacker accesses the script Gozila.cgi using the router's IP address with no arguments. Remote exploitation requires that the router's remote management be enabled. A sample exploit looks as follows:
>
>http://192.168.1.1/Gozila.cgi?
>

>III. ANALYSIS
>
>Exploitation may be particularly dangerous, especially if the router's remote management capability is enabled. An attacker can trivially crash the router by directing the URL above to its external interface. In general, little reason exists to allow the web management feature to be accessible on the external interface of the router. It is feasible that this type of vulnerability exists in older firmware versions in other Linksys hardware.
>

>IV. DETECTION
>
>This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with firmware earlier than version 1.42.7.
>
>V. RECOVERY
>
>Pressing the reset button on the back of the router should restore normal functionality.
>
>VI. WORKAROUND
>
>Ensure the remote web management feature is disabled, if unnecessary.
>
>VII. VENDOR FIX
>
>Firmware version 1.42.7 and later fix this problem. Version 1.43, which is the latest available version, can be found at http://www.linksys.com/download/firmware.asp?fwid=1.
>
>VIII. CVE INFORMATION
>
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1236 to this issue.
>
>IX. DISCLOSURE TIMELINE
>
>08/27/2002 Issue disclosed to iDEFENSE
>09/12/2002 Linksys notified
>09/12/2002 iDEFENSE clients notified
>09/13/2002 Response received from maryann.gamboa (at) Linksys (dot) com [email concealed]
>09/19/2002 Status request from iDEFENSE
>09/20/2002 Asked to delay advisory until second level support can respond
>10/20/2002 No response from second level support, another status request to maryann.gamboa (at) Linksys (dot) com [email concealed]
>10/31/2002 Still no response from Linksys, public disclosure
>
>X. CREDIT
>
>Jeep 94 (lowjeep94 (at) hotmail (dot) com [email concealed]) is credited with discovering this vulnerability.
>
>Get paid for security research
>http://www.idefense.com/contributor.html
>
>Subscribe to iDEFENSE Advisories:
>send email to listserv (at) idefense (dot) com [email concealed], subject line: "subscribe"
>
>About iDEFENSE:
>
>iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world, from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.
>
>-dave
>
>David Endler, CISSP
>Director, Technical Intelligence
>iDEFENSE, Inc.
>14151 Newbrook Drive
>Suite 100
>Chantilly, VA 20151
>voice: 703-344-2632
>fax: 703-961-1071
>
>dendler (at) idefense (dot) com [email concealed]
>www.idefense.com
>


>
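A defender-side check for the pattern the quoted advisory describes, added here as an example and not part of the list post or of iDEFENSE's advisory: it scans access-log lines for Gozila.cgi requests that carry no query string and flags those arriving from outside the LAN, where a hit means remote web management is still reachable despite the stated workaround. The log lines are constructed, the LAN range 192.168.1.0/24 is an assumption taken from the advisory's sample URL, and the sensor producing such logs (a proxy or IDS in front of the management page) is hypothetical, since the router itself keeps no such log.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumption: LAN is 192.168.1.0/24 (the advisory's sample URL uses 192.168.1.1).
LAN_NETS = [ip_network("192.168.1.0/24")]

# Constructed CLF lines as a proxy/IDS sensor in front of the management page might log them; not real captures.
SAMPLE_LOG = """\
203.0.113.45 - - [01/Nov/2002:14:58:52 +0000] "GET /Gozila.cgi? HTTP/1.0" 200 0
192.168.1.100 - - [01/Nov/2002:14:59:10 +0000] "GET /Gozila.cgi?action=save&wan=dhcp HTTP/1.1" 200 512
192.168.1.23 - - [01/Nov/2002:15:01:02 +0000] "GET /Gozila.cgi HTTP/1.1" 200 0
198.51.100.9 - - [01/Nov/2002:15:02:44 +0000] "GET /index.htm HTTP/1.1" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def origin_of(src):
    """Return 'lan' or 'wan' for a client address relative to LAN_NETS."""
    try:
        addr = ip_address(src)
    except ValueError:
        return "unknown"
    return "lan" if any(addr in net for net in LAN_NETS) else "wan"

def classify(line):
    """Return a finding for a Gozila.cgi request with an empty query string (the trigger the advisory describes), else None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Legitimate configuration saves carry a query string; the crash trigger has none.
    if parts.path.lower() != "/gozila.cgi" or parts.query:
        return None
    origin = origin_of(m.group("src"))
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "origin": origin,
        # WAN-side hit: remote management is reachable, so the advisory's workaround is not in place.
        "severity": "high" if origin == "wan" else "medium",
    }

def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` yields two findings: the WAN-side request from 203.0.113.45 rated high and the LAN-side one from 192.168.1.23 rated medium, while the normal configuration save with arguments is ignored.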
