-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Issue: ----------------------------------------------------------------| LG Electronics LR3001f is a WAN router. It comes with no access lists defined, which enables administrator to connect both to port 23/tcp (telnet) and 80/tcp (www server). However, IP stack of LR3001f has several bugs, that can be exploited via network. Description: ----------------------------------------------------------| When configured without access lists protecting ports 23 or/and 80, the LR3001f is vulnerable to at least two bugs, resulting from memory allocation function buffer overflows. First is exploitable without any access to user account at the router. Only thing needed is access to port 23/tcp or 80/tcp. If the router is attacked with data stream (can be any characters, both randomized and text-only input was used during testing) targeted at one of the mentioned ports it will reboot, with one of the following messages: Router# [BUFFER] Unknown free 0xffffffff Router# can't malloc or Router# [BUFFER] ERROR free not in use Router# can't malloc Second bug is directly in the telnet service, when checking passwords. The same technique with random data stream is used, however few ENTER characters should be sent at first, to overcome router primary prompt waiting for that key to be pressed. In this case, router reboots with no message. Vulnerable versions: --------------------------------------------------| All software versions up to and including 4.0 are vulnerable to all those types of attack. 4.57 version downloadable from vendor website is vulnerable to second type of attack, however is not vulnerable to first type of attack. The vendor representative was informed about the vulnerabilities on 2002-04-18. LG did not respond in any way and have not released any fixed or new software version. Info on this advisory: ------------------------------------------------| This advisory can be accessed on-line at my personal site: http://mr0vka.eu.org/docs/advisories/lg-3001f-2002-04-18.txt My personal PGP key fingerprint is: 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49 My personal PGP key is located at: http://mr0vka.eu.org/pgp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9Y1PDYqhjwgk7bEkRAphSAKDSip0f/1KhFKueNzGsyl5DcGaLSQCdF7LB 7+JjSjDOvMRTUt8uvtW9A80= =AJQc -----END PGP SIGNATURE----- -- Łukasz Bromirski lbromirski[at]mr0vka.eu.org PGP key http://mr0vka.eu.org/pgp.asc http://mr0vka.eu.org PGP finger 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49
