OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Thu Oct 31 2002 - 20:09:10 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 10.31.02a:
    http://www.idefense.com/advisory/10.31.02a.txt
    Denial of Service Vulnerability in Linksys BEFSR41 EtherFast
    Cable/DSL Router
    October 31, 2002

    I. BACKGROUND

    Linksys Group Inc.ís EtherFast Cable/DSL Router with 4-Port Switch
    ďis the perfect option to connect multiple PCs to a high-speed
    Broadband Internet connection or to an Ethernet back-bone. Allowing
    up to 253 users, the built-in NAT technology acts as a firewall
    protecting your internal network." More information about it is
    available at
    http://www.linksys.com/products/product.asp?prid=20&grid=23.

    II. DESCRIPTION

    The BEFSR41 crashes if a remote and/or local attacker accesses the
    script Gozila.cgi using the routerís IP address with no arguments.
    Remote exploitation requires that the router's remote management be
    enabled. A sample exploit looks as follows:

    http://192.168.1.1/Gozila.cgi?

    III. ANALYSIS

    Exploitation may be particularly dangerous, especially if the
    routerís remote management capability is enabled. An attacker can
    trivially crash the router by directing the URL above to its external
    interface. In general, little reason exists to allow the web
    management feature to be accessible on the external interface of the
    router. It is feasible that this type of vulnerability exists in
    older firmware versions in other Linksys hardware.

    IV. DETECTION

    This vulnerability affects the BEFSR41 EtherFast Cable/DSL router
    with firmware earlier than version 1.42.7.

    V. RECOVERY

    Pressing the reset button on the back of the router should restore
    normal functionality.

    VI. WORKAROUND

    Ensure the remote web management feature is disabled, if unnecessary.

    VII. VENDOR FIX

    Firmware version 1.42.7 and later fix this problem. Version 1.43,
    which is the latest available version, can be found at
    http://www.linksys.com/download/firmware.asp?fwid=1.

    VIII. CVE INFORMATION

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-1236 to this issue.

    IX. DISCLOSURE TIMELINE

    08/27/2002 Issue disclosed to iDEFENSE
    09/12/2002 Linksys notified
    09/12/2002 iDEFENSE clients notified
    09/13/2002 Response received from
                    maryann.gamboaLinksys.com
    09/19/2002 Status request from iDEFENSE
    09/20/2002 Asked to delay advisory until
                    second level support can respond
    10/20/2002 No response from second level support,
                    another status request to maryann.gamboaLinksys.com
    10/31/2002 Still no response from Linksys, public disclosure

    X. CREDIT

    Jeep 94 (lowjeep94hotmail.com) is credited with discovering this
    vulnerability.

    Get paid for security research
    http://www.idefense.com/contributor.html

    Subscribe to iDEFENSE Advisories:
    send email to listservidefense.com, subject line: "subscribe"

    About iDEFENSE:

    iDEFENSE is a global security intelligence company that proactively
    monitors sources throughout the world ó from technical
    vulnerabilities and hacker profiling to the global spread of viruses
    and other malicious code. Our security intelligence services provide
    decision-makers, frontline security professionals and network
    administrators with timely access to actionable intelligence
    and decision support on cyber-related threats. For more information,
    visit http://www.idefense.com.

    - -dave

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPcHhwErdNYRLCswqEQKdigCgrSe4Z3J6ygmcribEJMa2wezmk6QAoND7
    EE5vWSvk+ZFP7jIvXEPBGjGe
    =oTCt
    -----END PGP SIGNATURE-----