In-Reply-To: <3DC19BF6.7734.81AE5A5@localhost>

I tested this vulnerability on a Linksys Wireless Access Point Router with 4-Port Switch - BEFW11S4 Version 2 with firmware 1.42.7, and the vulnerability is there too. It hangs the router for about 5 seconds; after that it returns to normal functioning. Then I upgraded to the latest firmware, 1.43, and the vulnerability is there as well.

Alex S. Harasic
aharasic@nolink.cl

>From: "David Endler" <dendler@idefense.com>
>To: bugtraq@securityfocus.com
>Date: Thu, 31 Oct 2002 21:09:10 -0500
>Subject: iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
>Reply-To: dendler@idefense.com
>Message-ID: <3DC19BF6.7734.81AE5A5@localhost>
>
>iDEFENSE Security Advisory 10.31.02a:
>http://www.idefense.com/advisory/10.31.02a.txt
>Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router
>October 31, 2002
>
>I. BACKGROUND
>
>Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at http://www.linksys.com/products/product.asp?prid=20&grid=23.
>
>II. DESCRIPTION
>
>The BEFSR41 crashes if a remote and/or local attacker accesses the script Gozila.cgi using the router's IP address with no arguments. Remote exploitation requires that the router's remote management be enabled. A sample exploit looks as follows:
>
>http://192.168.1.1/Gozila.cgi?
>
>III. ANALYSIS
>
>Exploitation may be particularly dangerous, especially if the router's remote management capability is enabled. An attacker can trivially crash the router by directing the URL above to its external interface. In general, little reason exists to allow the web management feature to be accessible on the external interface of the router. It is feasible that this type of vulnerability exists in older firmware versions in other Linksys hardware.
>
>IV. DETECTION
>
>This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with firmware earlier than version 1.42.7.
>
>V. RECOVERY
>
>Pressing the reset button on the back of the router should restore normal functionality.
>
>VI. WORKAROUND
>
>Ensure the remote web management feature is disabled, if unnecessary.
>
>VII. VENDOR FIX
>
>Firmware version 1.42.7 and later fix this problem. Version 1.43, which is the latest available version, can be found at http://www.linksys.com/download/firmware.asp?fwid=1.
>
>VIII. CVE INFORMATION
>
>The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1236 to this issue.
>
>IX. DISCLOSURE TIMELINE
>
>08/27/2002 Issue disclosed to iDEFENSE
>09/12/2002 Linksys notified
>09/12/2002 iDEFENSE clients notified
>09/13/2002 Response received from maryann.gamboa@Linksys.com
>09/19/2002 Status request from iDEFENSE
>09/20/2002 Asked to delay advisory until second level support can respond
>10/20/2002 No response from second level support, another status request to maryann.gamboa@Linksys.com
>10/31/2002 Still no response from Linksys, public disclosure
>
>X. CREDIT
>
>Jeep 94 (lowjeep94@hotmail.com) is credited with discovering this vulnerability.
>
>
>Get paid for security research
>http://www.idefense.com/contributor.html
>
>Subscribe to iDEFENSE Advisories:
>send email to listserv@idefense.com, subject line: "subscribe"
>
>
>About iDEFENSE:
>
>iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world, from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.
>
>
>-dave
>
>David Endler, CISSP
>Director, Technical Intelligence
>iDEFENSE, Inc.
>14151 Newbrook Drive
>Suite 100
>Chantilly, VA 20151
>voice: 703-344-2632
>fax: 703-961-1071
>
>dendler@idefense.com
>www.idefense.com
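As an added example (not part of the advisory or of this reply), the following Python matches the no-argument Gozila.cgi request described in section II against HTTP request logs from an upstream proxy, IDS or syslog collector; the router firmware itself exposes no such log, and the log lines, timestamps and source addresses below are constructed. A hit from outside the RFC 1918 ranges is rated higher because it implies the web management interface is reachable on the WAN side, which section VI says to disable.

```python
"""Flag Gozila.cgi requests with an empty query string in HTTP request logs."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample lines in Common Log Format style (not captured traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2002:21:09:10 -0500] "GET /Gozila.cgi? HTTP/1.0" 200 0
192.168.1.20 - - [31/Oct/2002:21:10:02 -0500] "GET /Gozila.cgi?action=save&dhcp=1 HTTP/1.0" 200 512
192.168.1.21 - - [31/Oct/2002:21:11:45 -0500] "GET /Gozila.cgi HTTP/1.0" 200 0
198.51.100.9 - - [31/Oct/2002:21:12:30 -0500] "GET /index.htm HTTP/1.0" 200 2048
198.51.100.9 - - [31/Oct/2002:21:12:31 -0500] "GET /gozila.CGI? HTTP/1.0" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)

# RFC 1918 space; anything else is treated as the router's external side.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_gozila_noarg(target: str) -> bool:
    """True for "/Gozila.cgi" or "/Gozila.cgi?" (the advisory's sample URL).

    Any non-empty query is an ordinary management-form submission. Matching
    the path case-insensitively is a conservative assumption, not something
    the advisory states about the firmware.
    """
    parts = urlsplit(target)
    return parts.path.lower() == "/gozila.cgi" and parts.query == ""


def classify(line: str):
    """Return (severity, src, timestamp) for a matching log line, else None."""
    m = LOG_RE.match(line)
    if not m or not is_gozila_noarg(m["target"]):
        return None
    src = ipaddress.ip_address(m["src"])
    external = not any(src in net for net in LAN_NETS)
    return ("high" if external else "medium"), str(src), m["ts"]


def scan(log_text: str):
    """Run classify() over every line and keep the hits, in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for sev, src, ts in scan(SAMPLE_LOG):
        print(f"{sev}: Gozila.cgi request with no arguments from {src} at {ts}")
```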