
Re: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router

In-Reply-To: <3DC19BF6.7734.81AE5A5@localhost>

I tested this vulnerability on a Linksys Wireless Access Point Router 
with 4-Port Switch - BEFW11S4 Version 2 with firmware 1.42.7 and the 
vulnerability is there too. It hangs the router for about 5 seconds; 
after that it returns to normal functioning. Then I upgraded to the latest 
firmware, 1.43, and the vulnerability is there as well.

Alex S. Harasic

>From: "David Endler" <dendler@xxxxxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Date: Thu, 31 Oct 2002 21:09:10 -0500
>Subject: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
>Reply-To: dendler@xxxxxxxxxxxx
>Message-ID: <3DC19BF6.7734.81AE5A5@localhost>
>iDEFENSE Security Advisory 10.31.02a:
>Denial of Service Vulnerability in Linksys BEFSR41 EtherFast
>Cable/DSL Router
>October 31, 2002
>Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch
>"is the perfect option to connect multiple PCs to a high-speed
>Broadband Internet connection or to an Ethernet back-bone. Allowing
>up to 253 users, the built-in NAT technology acts as a firewall
>protecting your internal network." More information about it is
>available at
>The BEFSR41 crashes if a remote and/or local attacker accesses the
>script Gozila.cgi using the router's IP address with no arguments.
>Remote exploitation requires that the router's remote management be
>enabled. A sample exploit looks as follows:
>Exploitation may be particularly dangerous, especially if the
>router's remote management capability is enabled. An attacker can
>trivially crash the router by directing the URL above to its external
>interface. In general, little reason exists to allow the web
>management feature to be accessible on the external interface of the
>router. It is feasible that this type of vulnerability exists in
>older firmware versions in other Linksys hardware.
>This vulnerability affects the BEFSR41 EtherFast Cable/DSL router
>with firmware earlier than version 1.42.7.
>Pressing the reset button on the back of the router should restore
>normal functionality.
>Ensure the remote web management feature is disabled, if unnecessary.
>Firmware version 1.42.7 and later fix this problem. Version 1.43,
>which is the latest available version, can be found at
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
>has assigned the identification number CAN-2002-1236 to this issue.
>08/27/2002	Issue disclosed to iDEFENSE
>09/12/2002	Linksys notified
>09/12/2002	iDEFENSE clients notified
>09/13/2002	Response received from maryann.gamboa@xxxxxxxxxxx
>09/19/2002	Status request from iDEFENSE
>09/20/2002	Asked to delay advisory until second level support can respond
>10/20/2002	No response from second level support, another status request to maryann.gamboa@xxxxxxxxxxx
>10/31/2002	Still no response from Linksys, public disclosure
>Jeep 94 (lowjeep94@xxxxxxxxxxx) is credited with discovering this
>Get paid for security research
>Subscribe to iDEFENSE Advisories:
>send email to listserv@xxxxxxxxxxxx, subject line: "subscribe"
>About iDEFENSE:
>iDEFENSE is a global security intelligence company that proactively
>monitors sources throughout the world - from technical
>vulnerabilities and hacker profiling to the global spread of viruses
>and other malicious code. Our security intelligence services provide 
>decision-makers, frontline security professionals and network 
>administrators with timely access to actionable intelligence
>and decision support on cyber-related threats. For more information,
>visit http://www.idefense.com.
>-dave
>David Endler, CISSP
>Director, Technical Intelligence
>14151 Newbrook Drive
>Suite 100
>Chantilly, VA 20151
>voice: 703-344-2632
>fax: 703-961-1071
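
An added example, not part of the reply or the quoted advisory: a defender-side check that scans an upstream proxy log for requests to Gozila.cgi that carry no arguments, the condition the advisory describes, and marks those coming from outside the LAN. The log format (Common Log Format with absolute URLs), the LAN subnet, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LAN = ip_network("192.168.1.0/24")  # assumption: the router's LAN subnet
# Common Log Format: host ident user [time] "METHOD URL PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = """\
192.168.1.50 - - [01/Nov/2002:10:00:01 -0500] "GET http://192.168.1.1/Gozila.cgi HTTP/1.0" 200 0
192.168.1.50 - - [01/Nov/2002:10:00:05 -0500] "GET http://192.168.1.1/index.htm HTTP/1.0" 200 5120
198.51.100.7 - - [01/Nov/2002:10:02:11 -0500] "GET http://203.0.113.5:8080/gozila.cgi? HTTP/1.0" 504 0
192.168.1.51 - - [01/Nov/2002:10:03:40 -0500] "POST http://192.168.1.1/Gozila.cgi?setting=1 HTTP/1.0" 200 812
garbage line that does not parse
"""

def outside_lan(source, lan=LAN):
    """True/False for an IP source, None when the log recorded a hostname."""
    try:
        return ip_address(source) not in lan
    except ValueError:
        return None

def find_argless_gozila(log_text, lan=LAN):
    """Return one dict per logged request for Gozila.cgi with an empty query."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than fail
        src, when, method, url, status = m.groups()
        parts = urlsplit(url)
        # Compare case-insensitively: a conservative choice for detection.
        name = parts.path.rsplit("/", 1)[-1].lower()
        if name != "gozila.cgi" or parts.query:
            continue  # other page, or arguments were supplied
        hits.append({"time": when, "source": src, "method": method,
                     "target": parts.netloc, "status": int(status),
                     "from_outside_lan": outside_lan(src, lan)})
    return hits

if __name__ == "__main__":
    for hit in find_argless_gozila(SAMPLE_LOG):
        print(hit)
```

A hit with `from_outside_lan` set to True also indicates that the management interface is reachable from the external side, which the advisory recommends disabling.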