From dendler@idefense.com Sat Nov 2 01:50:52 2002
From: David Endler
To: full-disclosure@lists.netsys.com
Date: Thu, 31 Oct 2002 21:09:10 -0500
Subject: [Full-Disclosure] iDEFENSE Security Advisory 10.31.02a: Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router

iDEFENSE Security Advisory 10.31.02a:
http://www.idefense.com/advisory/10.31.02a.txt

Denial of Service Vulnerability in Linksys BEFSR41 EtherFast Cable/DSL Router

October 31, 2002

I. BACKGROUND

Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch "is the perfect option to connect multiple PCs to a high-speed Broadband Internet connection or to an Ethernet back-bone. Allowing up to 253 users, the built-in NAT technology acts as a firewall protecting your internal network." More information about it is available at http://www.linksys.com/products/product.asp?prid=20&grid=23.

II. DESCRIPTION

The BEFSR41 crashes if a remote and/or local attacker accesses the script Gozila.cgi using the router's IP address with no arguments. Remote exploitation requires that the router's remote management be enabled. A sample exploit looks as follows:

http://192.168.1.1/Gozila.cgi?

III. ANALYSIS

Exploitation may be particularly dangerous, especially if the router's remote management capability is enabled. An attacker can trivially crash the router by directing the URL above to its external interface. In general, little reason exists to allow the web management feature to be accessible on the external interface of the router. It is feasible that this type of vulnerability exists in older firmware versions in other Linksys hardware.

IV. DETECTION

This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with firmware earlier than version 1.42.7.

V. RECOVERY

Pressing the reset button on the back of the router should restore normal functionality.

VI. WORKAROUND

Ensure the remote web management feature is disabled, if unnecessary.

VII. VENDOR FIX

Firmware version 1.42.7 and later fix this problem. Version 1.43, which is the latest available version, can be found at http://www.linksys.com/download/firmware.asp?fwid=1.

VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1236 to this issue.

IX. DISCLOSURE TIMELINE

08/27/2002 Issue disclosed to iDEFENSE
09/12/2002 Linksys notified
09/12/2002 iDEFENSE clients notified
09/13/2002 Response received from maryann.gamboa@Linksys.com
09/19/2002 Status request from iDEFENSE
09/20/2002 Asked to delay advisory until second level support can respond
10/20/2002 No response from second level support, another status request to maryann.gamboa@Linksys.com
10/31/2002 Still no response from Linksys, public disclosure

X. CREDIT

Jeep 94 (lowjeep94@hotmail.com) is credited with discovering this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world - from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.

- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071
dendler@idefense.com
www.idefense.com
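A detection check for the condition in sections II and IV, added here as an example and not code from iDEFENSE or Linksys: it scans constructed request lines in a hypothetical "src dst method target" border-sensor log layout, flags any Gozila.cgi request whose query is empty (the crash trigger, covering both a bare trailing "?" and no query string at all), and separately flags management requests arriving from non-RFC 1918 sources, which is the remote management exposure section VI says to disable. The addresses 198.51.100.2 (router WAN side) and 192.168.1.1 (router LAN side) are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit
# Constructed sample lines in a hypothetical "src dst method target" layout
# (a border-sensor log, not a Linksys format); 198.51.100.2 is assumed to be
# the router's external address and 192.168.1.1 its LAN address.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.1 GET /index.htm
203.0.113.9 198.51.100.2 GET /Gozila.cgi?
192.168.1.20 192.168.1.1 GET /Gozila.cgi?restore=1
198.51.100.77 198.51.100.2 GET /Gozila.cgi
192.168.1.20 192.168.1.1 GET /Gozila.cgi?
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    """True when the source is an RFC 1918 address, i.e. on the LAN side."""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)

def classify(line):
    """Return the findings for one request line (empty list if benign)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    src, _dst, _method, target = m.groups()
    parts = urlsplit(target)
    if parts.path.lower() != "/gozila.cgi":
        return []
    findings = []
    # Advisory trigger: Gozila.cgi with no arguments (bare "?" or no query at all).
    if parts.query == "":
        findings.append("gozila-no-args")
    # A management CGI hit from outside the LAN shows the web management
    # interface is reachable externally, which section VI says to disable.
    if not is_internal(src):
        findings.append("management-from-external")
    return findings

def scan(log_text):
    """Map 1-based line numbers to findings for every flagged request."""
    results = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        f = classify(line)
        if f:
            results[n] = f
    return results
```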