Re: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router

[Alex Harasic <aharasic () terra cl>]

In-Reply-To: <3DC19BF6.7734.81AE5A5@localhost>

I tested this vulnerability on a Linksys Wireless Access Point Router 
with 4-Port Switch - BEFW11S4 Version 2 with firmware 1.42.7 and the 
vulnerability is there too. It hangs the router for about 5 seconds, 
after that it turns to normal functioning. Then I upgraded to last 
firmware 1.43 and the vulnerability is there as well.


Alex S. Harasic
aharasic () nolink cl




> Received: (qmail 30406 invoked from network); 1 Nov 2002 14:58:52 -0000
> Received: from outgoing3.securityfocus.com (HELO 
outgoing.securityfocus.com) (205.206.231.27)
>  by mail.securityfocus.com with SMTP; 1 Nov 2002 14:58:52 -0000
> Received: from lists.securityfocus.com (lists.securityfocus.com 
[205.206.231.19])
>       by outgoing.securityfocus.com (Postfix) with QMQP
>       id 088AFA30A3; Fri,  1 Nov 2002 07:48:56 -0700 (MST)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 20635 invoked from network); 1 Nov 2002 01:43:05 -0000
> From: "David Endler" <dendler () idefense com>
> To: bugtraq () securityfocus com
> Date: Thu, 31 Oct 2002 21:09:10 -0500
> Subject: iDEFENSE Security Advisory 10.31.02a: Denial of Service 
Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
> Reply-To: dendler () idefense com
> Message-ID: <3DC19BF6.7734.81AE5A5@localhost>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDEFENSE Security Advisory 10.31.02a:
> http://www.idefense.com/advisory/10.31.02a.txt
> Denial of Service Vulnerability in Linksys BEFSR41 EtherFast
> Cable/DSL Router
> October 31, 2002
>
> I. BACKGROUND
>
> Linksys Group Inc.?s EtherFast Cable/DSL Router with 4-Port Switch
> ?is the perfect option to connect multiple PCs to a high-speed
> Broadband Internet connection or to an Ethernet back-bone. Allowing
> up to 253 users, the built-in NAT technology acts as a firewall
> protecting your internal network." More information about it is
> available at
> http://www.linksys.com/products/product.asp?prid=20&grid=23.
>
> II. DESCRIPTION
>
> The BEFSR41 crashes if a remote and/or local attacker accesses the
> script Gozila.cgi using the router?s IP address with no arguments.
> Remote exploitation requires that the router's remote management be
> enabled. A sample exploit looks as follows:
>
> http://192.168.1.1/Gozila.cgi?
>
> III. ANALYSIS
>
> Exploitation may be particularly dangerous, especially if the
> router?s remote management capability is enabled. An attacker can
> trivially crash the router by directing the URL above to its external
> interface. In general, little reason exists to allow the web
> management feature to be accessible on the external interface of the
> router. It is feasible that this type of vulnerability exists in
> older firmware versions in other Linksys hardware.
>
> IV. DETECTION
>
> This vulnerability affects the BEFSR41 EtherFast Cable/DSL router
> with firmware earlier than version 1.42.7.
>
> V. RECOVERY
>
> Pressing the reset button on the back of the router should restore
> normal functionality.
>
> VI. WORKAROUND
>
> Ensure the remote web management feature is disabled, if unnecessary.
>
> VII. VENDOR FIX
>
> Firmware version 1.42.7 and later fix this problem. Version 1.43,
> which is the latest available version, can be found at
> http://www.linksys.com/download/firmware.asp?fwid=1.
>
> VIII. CVE INFORMATION
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1236 to this issue.
>
> IX. DISCLOSURE TIMELINE
>
> 08/27/2002     Issue disclosed to iDEFENSE
> 09/12/2002     Linksys notified
> 09/12/2002     iDEFENSE clients notified
> 09/13/2002     Response received from 
>               maryann.gamboa () Linksys com
> 09/19/2002     Status request from iDEFENSE
> 09/20/2002     Asked to delay advisory until 
>               second level support can respond
> 10/20/2002     No response from second level support, 
>               another status request to maryann.gamboa () Linksys com
> 10/31/2002     Still no response from Linksys, public disclosure
>
> X. CREDIT
>
> Jeep 94 (lowjeep94 () hotmail com) is credited with discovering this
> vulnerability.
>
>
>
> Get paid for security research
> http://www.idefense.com/contributor.html
>
> Subscribe to iDEFENSE Advisories:
> send email to listserv () idefense com, subject line: "subscribe"
>
>
> About iDEFENSE:
>
> iDEFENSE is a global security intelligence company that proactively
> monitors sources throughout the world ? from technical
> vulnerabilities and hacker profiling to the global spread of viruses
> and other malicious code. Our security intelligence services provide 
> decision-makers, frontline security professionals and network 
> administrators with timely access to actionable intelligence
> and decision support on cyber-related threats. For more information,
> visit http://www.idefense.com.
>
>
> - -dave
>
> David Endler, CISSP
> Director, Technical Intelligence
> iDEFENSE, Inc.
> 14151 Newbrook Drive
> Suite 100
> Chantilly, VA 20151
> voice: 703-344-2632
> fax: 703-961-1071
>
> dendler () idefense com
> www.idefense.com
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 7.1.2
> Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A
>
> iQA/AwUBPcHhwErdNYRLCswqEQKdigCgrSe4Z3J6ygmcribEJMa2wezmk6QAoND7
> EE5vWSvk+ZFP7jIvXEPBGjGe
> =oTCt
> -----END PGP SIGNATURE-----