-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Issue: ----------------------------------------------------------------| LG Electronics LR3100p is a small WAN router, with two WAN interfaces and one Ethernet. It comes with no access lists defined, which enables administrator to connect to port 23/tcp (telnet). However, IP stack of LR3100p has several bugs, that can be exploited via network. Description: ----------------------------------------------------------| When configured without access lists protecting port 23, the LR3100p is vulnerable to at least three (3) bugs, resulting from memory allocation function buffer overflows. (1) First is exploitable without any access to user account at the router. Only thing needed is access to port 23/tcp. If the router is attacked with data stream (can be any characters, both randomized and text-only input was used during testing) coming to that port it will reboot, usually with no message. (2) Second bug is applicable only to software revisions up to and including 1.30. Few packets generated via simple scanning (for example nmap with `-O' option) can result in reboot of the router with following message: Exception 1400 at IP 12afc4 (3) Third bug is directly in the telnet service, when checking passwords. The same technique with random data stream is used, however few ENTER characters should be sent at first, to overcome router primary prompt waiting for that key to be pressed. The stream length was measured to be about 40kB. Also in this case, router reboots with no message. Vulnerable versions: --------------------------------------------------| Versions up to and including 1.30 are vulnerable to all bugs mentioned. Release 1.50 is vulnerable only to first and third bug. The vendor representative was informed about the vulnerabilities on 2002-04-18, and LG has recently released `fixed' release 1.52 which, however, is still vulnerable to first and third bug. This was signalled but with no response. Info on this advisory: ------------------------------------------------| This advisory can be accessed on-line at my personal site: http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.txt My personal PGP key fingerprint is: 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49 My personal PGP key is located at: http://mr0vka.eu.org/pgp.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9Y1PiYqhjwgk7bEkRApWcAJ4kYv9uQcaFsqtoyKyopvMXAvMUXQCgyTWH cl5IBM6E9JFpj6WoSggy+uE= =1kQa -----END PGP SIGNATURE----- -- Łukasz Bromirski lbromirski[at]mr0vka.eu.org PGP key http://mr0vka.eu.org/pgp.asc http://mr0vka.eu.org PGP finger 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49
