Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
7a69Adv#13 - USRobotics AP Wireless Denial of Service

From: Albert Puigsech Galicia (ripe7a69ezine.org)
Date: Mon Aug 02 2004 - 00:09:44 CDT

Hash: SHA1

- ------------------------------------------------------------------
  7a69ezine Advisories                           7a69Adv#13
- ------------------------------------------------------------------
  http://www.7a69ezine.org [02/08/2004]
- ------------------------------------------------------------------

Title: USRobotics AP Wireless Denial of Service

Author: Albert Puigsech Galicia - <ripe7a69ezine.org>

Software: Embedded HTTP server

Versions: 1.21h

Remote: yes

Exploit: yes

Severity: High

- ------------------------------------------------------------------

I. Introduction

        USRobotics is an important company that build lot of network devices, like
modems, wireless cards or wireless access points. It builds also Robots (as
you can see on "I, Robot" film). To get more information about this company
you can visit the official website at http://www.usrobotics.com.

II. Description
        The USR808054 wireless access point may be administered using HTTP protocol,
so the firmwire includes a little HTTP server. The last version of this
server has a critical buffer overflow that allow malicious users on the
network to produce a denial of service or the execution of arbitrary code.

III. Exploit

        A buffer overflow appears on HTTP version string in GET request. You can do
the request without administrator password, so all users on the network
allowed to connect to http port (all by default) can exploit this issue.

        This is a exploit code using perl:

        bash ~ $ perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

        It crashes down the access point and disconnect all wireless users to the
network. May be also posible (with knowledge about the architecture used by
USRobotics) to exploit the vulnerability to execute arbitrary code and get
total control to the device.

IV. Patch

        Not yet.

V. Timeline

19/07/2004 - Notified to spain_modemsupportusr.com
                 - No reply

VI. Extra data

        I have only tested this vulnerability on my USR808054, but other USR products
may be also affected.

- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia

- -----------------------------------------------------------------------
Este e-mail  puede contener  información confidencial y/o privilegiada.
Si el presente mensaje no  va dirigido a  su persona  (o lo ha recibido
por error) por favor,  notifíquelo inmediatamente  al emisor y destruya
este e-mail. Cualquier divulgación,  copia o distribución no autorizada
del material contenido en este e-mail queda prohibida.
Version: GnuPG v1.2.4 (GNU/Linux)