SecurityTracker.com
Category: Device (Router/Bridge/Hub) > Linksys Router
Vendors: Linksys
(Vendor Issues Fix) Linksys Routers May Disclose Kernel Memory Contents in Response to BOOTP Packets
SecurityTracker Alert ID:  1010421
SecurityTracker URL:  http://securitytracker.com/id/1010421
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Jun 8 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes

Description:   A vulnerability was reported in some Linksys routers in the processing of BOOTP packets. A remote user can view portions of kernel memory on the target system.

Jon Hart reported that Linksys routers, including the BEFSR41 and BEFW11S4 and possibly others, contain a flaw in the DHCP server. A remote user can send a BOOTP packet to cause the device to return a BOOTP response with kernel memory contents in the BOOTP fields.

A remote user can reportedly monitor traffic recently processed by the device via this exploit method, including administrative passwords for the device (when an administrator configures the system).

In some cases, the device may stop processing traffic after receiving a number of BOOTP requests.

A demonstration exploit is provided in the Source Message.

Impact:   A remote user can view portions of kernel memory.
Solution:   The vendor has issued a fix for Revision 3, described at:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNo

A fix for Revision 1 and 2 is planned.

Vendor URL:  linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNo
Cause:   Access control error, State error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
May 25 2004 Linksys Routers May Disclose Kernel Memory Contents in Response to BOOTP Packets



Source Message Contents

Date:  7 Jun 2004 10:43:03 -0000
Subject:  Linksys BEFSR41 DHCP vulnerability server leaks network data

On May 2nd 2004 I sent an email (detailed below) to Linksys concerning this vulnerability.  Linksys has posted the vulnerability and a fix for the Revision 3 router since then here:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li=

Upgrades for Revs 1 & 2 are promised soon.

More details are included in the email:
************************
Linksys,

I believe I have found a vulnerability in your BEFSR41 router.  

The vulnerability involves a buffer leakage in the DHCP service. As a result, data that has recently passed through the router can be compromised by an attacker on the LAN.

This vulnerability was tested with firmware version 1.45.7

Conditions required to exploit the vulnerability:
1) An attacking host on the LAN side of the router that can broadcast DHCP-INFORM packets to the LAN.  
2) A sniffer on the attacking host to record the router's response packets.
3) Data has recently passed between the LAN and WAN sides of the router.
4) DHCP is enabled on the router.

Details
I used a Windows 2000 DHCP server to create the DHCP-INFORM packets.  The server broadcasts the DHCP-INFORM message once an hour, or when the service is restarted.  These packets must be broadcast to the LAN side of the router.

If DHCP is enabled on the Router, it will respond to each broadcast with a packet containing leaked buffer data.  The response is sent directly to the IP address of the attacking host.  Approximately 488 bytes of the 590 byte response comes from the router's buffer, providing easily recognizable fragments of recently viewed web pages, etc.

Effects of the vulnerability:
Data that has passed through the router recently can be compromised by an attacker with access to the LAN.  This can include email sent or received, web pages viewed, and passwords (cleartext or weakly encrypted) that have been used by a LAN client to access a WAN resource or vice versa.

Interesting notes about the vulnerability that make it more difficult to detect an attacker.
- The attack does not rely on traditional methods to overcome switched networks. 

- The attacking host does not need to place its NIC in promiscuous mode.  

- It is also possible to craft DHCP-INFORM packets that are not broadcast, but directed at the router's address.

- This vulnerability also makes it possible to view data that was passed through the router at some time in the past, making it unnecessary to capture the traffic when it actually occurs.  This makes the physical aspect of security more difficult.  The victim and the attacker do not have to be on the LAN at the same time.

Here is an example of that last point:
1) A LAN user is visiting a website that requires HTTP-BASIC authentication, logs in, reads a few pages, and then closes the web browser.

2) At some point in the future, the attacker begins making DHCP-INFORM broadcasts from the LAN and collecting the buffer leakage that results.

3) Among the leaked data is the base64 encoded authorization that was used to access the HTTP-BASIC authenticated website.  The user's password has now been compromised.

Mitigating Factors

- The attacker must be on the LAN. 

- Only data which is still in the buffer can be compromised.  This limits the vulnerable data to the last few most recently visited web pages or a similar amount of data.

- Passing "unimportant" data through the router will flush the buffer and prevent the compromise of more important data.

- Cycling power to the router will clear the buffer.

- The DHCP service can be disabled on the router, removing the vulnerability entirely.

Moving Forward

It is my intention to post this vulnerability on Bugtraq in 1 month.  However, I want to give Linksys every opportunity to prepare a fix for this vulnerability before it is made public.  If more than 1 month will be required to resolve this issue, please let me know and I will work with you.

I hope I have not left out any important details.  Please do not hesitate to contact me if you have any questions, and I wish you the best of luck in finding a solution.  Capture files of the vulnerability being exploited are available to you if you need them.

Sincerely,

Lance Armstrong
********************

The response I received from Linksys on 5/3/2004 led me to believe that I was the first to bring this to their attention, but the Linksys posting did not credit anyone specifically with finding the vulnerability.
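As an added example (not part of the advisory, the reporter's email, or any Linksys code): a Python check a LAN defender could run over captured DHCP replies to spot the leak described above. A well-formed BOOTP reply has only zero padding after the NUL terminator of its sname and file fields and after the END option, so non-zero bytes there, especially printable fragments, indicate leaked buffer contents. The sample reply and its "leaked" content are constructed here, not taken from a real device.

```python
import string
import struct

# RFC 951 fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr[16], sname[64], file[128] = 236 bytes
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255

def _after_nul(field: bytes) -> bytes:
    """Bytes following the first NUL of a fixed-size string field (should all be zero)."""
    nul = field.find(b"\x00")
    return b"" if nul < 0 else field[nul + 1:]

def _printable_runs(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs: the 'easily recognizable fragments' the report describes."""
    runs, cur = [], bytearray()
    for b in list(data) + [0]:                      # trailing 0 flushes the last run
        if b and chr(b) in string.printable and b not in (0x0B, 0x0C):
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs

def audit_bootp_reply(pkt: bytes) -> dict:
    """Flag a BOOTP/DHCP reply (UDP payload) whose padding regions carry non-zero bytes."""
    if len(pkt) < BOOTP_HDR.size or pkt[0] != 2:    # op 2 = BOOTREPLY
        return {"reply": False}
    fields = BOOTP_HDR.unpack_from(pkt)
    suspect = _after_nul(fields[12]) + _after_nul(fields[13])   # sname, file
    body = pkt[BOOTP_HDR.size:]
    if body.startswith(DHCP_MAGIC):                 # walk TLV options up to END
        i = 4
        while i + 1 < len(body) and body[i] != OPT_END:
            i += 1 if body[i] == OPT_PAD else 2 + body[i + 1]   # PAD is 1 byte, else code,len,value
        suspect += body[i + 1:]                     # everything after END should be PAD
    return {"reply": True,
            "leaked_bytes": sum(1 for b in suspect if b),
            "fragments": _printable_runs(suspect)}

def _reply(sname: bytes = b"", file_: bytes = b"", trailing: bytes = b"") -> bytes:
    """Construct a minimal DHCPACK-style reply for testing; `trailing` follows the END option."""
    hdr = BOOTP_HDR.pack(2, 1, 6, 0, 0x1234, 0, 0, b"\0" * 4, bytes([192, 168, 1, 50]),
                         bytes([192, 168, 1, 1]), b"\0" * 4, b"\0" * 16,
                         sname.ljust(64, b"\0"), file_.ljust(128, b"\0"))
    return hdr + DHCP_MAGIC + bytes([53, 1, 5, OPT_END]) + trailing   # option 53 = ACK

# Constructed sample: padding regions carry fragments of earlier LAN traffic (hypothetical data).
LEAKY_REPLY = _reply(sname=b"\0Host: 192.168.1.1\r\n",
                     trailing=b"\0" * 4 + b"Authorization: Basic Zm9vOmJhcg==\r\n")
```

A reply whose `leaked_bytes` is large (the report cites roughly 488 of 590 bytes) or whose fragments contain HTTP headers is the signature to alert on; a reply with only the DHCP options and zero padding scores 0.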

Copyright 2012, SecurityGlobal.net LLC