
Re: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router



In-Reply-To: <3DC19BF6.7734.81AE5A5@localhost>

I tested this vulnerability on a Linksys Wireless Access Point Router 
with 4-Port Switch - BEFW11S4 Version 2 with firmware 1.42.7 and the 
vulnerability is there too. It hangs the router for about 5 seconds, 
after that it turns to normal functioning. Then I upgraded to last 
firmware 1.43 and the vulnerability is there as well.


Alex S. Harasic
aharasic@xxxxxxxxx




>From: "David Endler" <dendler@xxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Date: Thu, 31 Oct 2002 21:09:10 -0500
>Subject: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
>Reply-To: dendler@xxxxxxxxxxxx
>Message-ID: <3DC19BF6.7734.81AE5A5@localhost>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>iDEFENSE Security Advisory 10.31.02a:
>http://www.idefense.com/advisory/10.31.02a.txt
>Denial of Service Vulnerability in Linksys BEFSR41 EtherFast
>Cable/DSL Router
>October 31, 2002
>
>I. BACKGROUND
>
>Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch
>"is the perfect option to connect multiple PCs to a high-speed
>Broadband Internet connection or to an Ethernet back-bone. Allowing
>up to 253 users, the built-in NAT technology acts as a firewall
>protecting your internal network." More information about it is
>available at
>http://www.linksys.com/products/product.asp?prid=20&grid=23.
>
>II. DESCRIPTION
>
>The BEFSR41 crashes if a remote and/or local attacker accesses the
>script Gozila.cgi using the router's IP address with no arguments.
>Remote exploitation requires that the router's remote management be
>enabled. A sample exploit looks as follows:
>
>http://192.168.1.1/Gozila.cgi?
>
>III. ANALYSIS
>
>Exploitation may be particularly dangerous, especially if the
>router's remote management capability is enabled. An attacker can
>trivially crash the router by directing the URL above to its external
>interface. In general, little reason exists to allow the web
>management feature to be accessible on the external interface of the
>router. It is feasible that this type of vulnerability exists in
>older firmware versions in other Linksys hardware.
>
>IV. DETECTION
>
>This vulnerability affects the BEFSR41 EtherFast Cable/DSL router
>with firmware earlier than version 1.42.7.
>
>V. RECOVERY
>
>Pressing the reset button on the back of the router should restore
>normal functionality.
>
>VI. WORKAROUND
>
>Ensure the remote web management feature is disabled, if unnecessary.
>
>VII. VENDOR FIX
>
>Firmware version 1.42.7 and later fix this problem. Version 1.43,
>which is the latest available version, can be found at
>http://www.linksys.com/download/firmware.asp?fwid=1.
>
>VIII. CVE INFORMATION
>
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
>has assigned the identification number CAN-2002-1236 to this issue.
>
>IX. DISCLOSURE TIMELINE
>
>08/27/2002	Issue disclosed to iDEFENSE
>09/12/2002	Linksys notified
>09/12/2002	iDEFENSE clients notified
>09/13/2002	Response received from 
>		maryann.gamboa@xxxxxxxxxxx
>09/19/2002	Status request from iDEFENSE
>09/20/2002	Asked to delay advisory until 
>		second level support can respond
>10/20/2002	No response from second level support, 
>		another status request to maryann.gamboa@xxxxxxxxxxx
>10/31/2002	Still no response from Linksys, public disclosure
>
>X. CREDIT
>
>Jeep 94 (lowjeep94@xxxxxxxxxxx) is credited with discovering this
>vulnerability.
>
>
>
>Get paid for security research
>http://www.idefense.com/contributor.html
>
>Subscribe to iDEFENSE Advisories:
>send email to listserv@xxxxxxxxxxxx, subject line: "subscribe"
>
>
>About iDEFENSE:
>
>iDEFENSE is a global security intelligence company that proactively
>monitors sources throughout the world, from technical
>vulnerabilities and hacker profiling to the global spread of viruses
>and other malicious code. Our security intelligence services provide 
>decision-makers, frontline security professionals and network 
>administrators with timely access to actionable intelligence
>and decision support on cyber-related threats. For more information,
>visit http://www.idefense.com.
>
>
>- -dave
>
>David Endler, CISSP
>Director, Technical Intelligence
>iDEFENSE, Inc.
>14151 Newbrook Drive
>Suite 100
>Chantilly, VA 20151
>voice: 703-344-2632
>fax: 703-961-1071
>
>dendler@xxxxxxxxxxxx
>www.idefense.com
>
>
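Added detection example, not part of the advisory or the reply above: the advisory's trigger is a request for Gozila.cgi with no query arguments, and its main risk factor is remote management reachable on the WAN side. The script below scans Common Log Format lines from a proxy or IDS placed in front of the router (an assumption; the router itself is not claimed to produce such logs), flags argument-less Gozila.cgi requests, and raises severity when the source is outside an assumed LAN range. Sample log lines are constructed.

```python
"""Detection helper for CAN-2002-1236 (Linksys Gozila.cgi crash).

Constructed example: flags requests for Gozila.cgi that carry no query
string, the crash trigger described in the advisory. Requests from
outside the LAN are rated higher because they imply remote management
is exposed on the external interface.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed LAN range (hypothetical); adjust to the router's actual subnet.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

# Common Log Format: client ident user [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+) \S+'
)


def is_gozila_trigger(request_path: str) -> bool:
    """True if the path targets Gozila.cgi with an empty query string."""
    parts = urlsplit(request_path)
    return parts.path.lower().endswith("/gozila.cgi") and parts.query == ""


def classify(line: str):
    """Return (severity, src, path) for a matching line, else None."""
    m = LOG_RE.match(line)
    if not m or not is_gozila_trigger(m.group("path")):
        return None
    try:
        external = ipaddress.ip_address(m.group("src")) not in LAN_NET
    except ValueError:
        external = True  # unparsable source address: treat as untrusted
    return ("high" if external else "medium", m.group("src"), m.group("path"))


def scan(lines):
    """Run classify() over an iterable of log lines and return the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (not from the advisory).
SAMPLE_LOG = [
    '192.168.1.50 - - [31/Oct/2002:21:09:10 -0500] "GET /Gozila.cgi?rmt=1&save=1 HTTP/1.1" 200 512',
    '192.168.1.50 - - [31/Oct/2002:21:10:02 -0500] "GET /Gozila.cgi? HTTP/1.1" 200 0',
    '203.0.113.9 - - [31/Oct/2002:21:11:45 -0500] "GET /Gozila.cgi HTTP/1.0" 200 0',
    '203.0.113.9 - - [31/Oct/2002:21:12:01 -0500] "GET /index.htm HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Any "high" hit is worth a follow-up check that remote web management is actually disabled, which is the advisory's recommended workaround regardless of firmware version.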