[ISN] Linksys routers may be open to remote sniffing

InfoSec News isn at c4i.org
Wed Jun 2 04:44:28 EDT 2004


http://www.theinquirer.net/?article=16298

By Fernando Cassia
02 June 2004

FOLKS AT security portal SecuriTeam published on May 17 an exploit
that could allow hackers and other nasty people to remotely sniff
traffic passing through the router, and also crash the device. The
article says it all comes down to a "memory leak", a flaw in the way
the Linksys routers' DHCP server returns BOOTP protocol packets. This
exploit is currently listed at position #3 on the SecuriTeam.com front
page, so expect lots of script kiddies to be playing with it as we
write (and you read) this.

The site says: "Instead of returning legitimate BOOTP responses, (the
linksys units) return BOOTP responses with the BOOTP fields filled in
with portions of memory. This allows you to do cool things like the
equivalent of sniffing all the traffic to/from the device". It
continues: "I have successfully used this technique to steal the admin
username and password from an innocent third party who recently
configured the device, and I watched someone's traffic as they browsed
ebay for a new Ti-Book".

The exploit code indicates the vulnerability has been tested "on a
fully updated Linksys BEFSR41 and BEFW11S4", but the author of this
exploit, who signs his code under the name Jon Hart, hints that all
other Linksys routers which have a DHCP server could be vulnerable:
"Currently, this looks to include at least the BEFN2PS4, BEFSR41,
BEFSR81, BEFSX41, RV082, BEFCMU10, BEFSR11, BEFSR41W, BEFSRU31,
BEFVP41, WRT55AG, WRV54G, WRT51AB", he writes.
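The flaw described above boils down to BOOTP reply fields that should be zero-filled coming back stuffed with router memory. The following added example (my own illustration, not the SecuriTeam exploit or any Linksys code) is a defender-side heuristic checker: it parses the fixed 236-byte BOOTP header and flags a BOOTREPLY whose sname, file or chaddr padding carries data where a well-behaved DHCP server would leave NUL bytes. The sample packets are constructed inline; `build_reply` and the field layout it uses are my assumptions about a minimal reply, not captured traffic.

```python
import struct

# Fixed BOOTP header (RFC 951): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
BOOTP_HDR = struct.Struct("!BBBBIHHIIII16s64s128s")
BOOTREPLY = 2


def leaked_bytes_after_nul(field: bytes) -> bytes:
    """Return non-NUL bytes that follow the first NUL in a text field.

    A sane server zero-fills sname/file past the string terminator, so
    anything left over is a sign the field was copied from uninitialised
    or reused memory.
    """
    end = field.find(b"\x00")
    if end == -1:
        return b""  # no terminator at all; handled as a plain string
    return field[end + 1:].strip(b"\x00")


def inspect_bootp_reply(packet: bytes) -> list:
    """Return a list of findings; an empty list means the reply looks clean."""
    if len(packet) < BOOTP_HDR.size:
        return ["truncated BOOTP packet"]
    (op, _htype, hlen, _hops, _xid, _secs, _flags, _ciaddr, _yiaddr,
     _siaddr, _giaddr, chaddr, sname, file) = BOOTP_HDR.unpack_from(packet)
    if op != BOOTREPLY:
        return []  # only server replies are of interest here
    findings = []
    # chaddr is 16 bytes but only hlen of them are meaningful; the rest must be zero
    if hlen <= 16 and chaddr[hlen:].strip(b"\x00"):
        findings.append("chaddr padding beyond hlen is not zero")
    for name, field in (("sname", sname), ("file", file)):
        if leaked_bytes_after_nul(field):
            findings.append(f"{name} contains data after its terminating NUL")
    return findings


def build_reply(chaddr=b"\x00\x11\x22\x33\x44\x55", sname=b"", file=b"") -> bytes:
    """Construct a minimal BOOTREPLY for testing (constructed sample, assumed layout)."""
    return BOOTP_HDR.pack(BOOTREPLY, 1, 6, 0, 0x1234, 0, 0, 0,
                          0xC0A80164, 0xC0A80101, 0,
                          chaddr.ljust(16, b"\x00"),
                          sname.ljust(64, b"\x00"),
                          file.ljust(128, b"\x00"))


# Constructed samples: one well-formed reply, one with leftover bytes in both text fields
CLEAN_REPLY = build_reply(sname=b"router")
LEAKY_REPLY = build_reply(sname=b"\x00leftover heap bytes", file=b"\x00" * 10 + b"more stale data")
```

Run `inspect_bootp_reply()` over BOOTP/DHCP replies captured from a router to spot this class of leak; it only inspects the fixed header, so DHCP options past byte 236 are ignored.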

As the owner and active user of one Linksys BEFSR-41 since mid-2000,
which is my first line of defense between my home LAN and the
Interweb, I first checked my unit's current firmware level (1.45.7
dated June 2003) and then rushed to the Linksys site, expecting to see
an updated firmware, given the publication of this exploit over two
weeks ago. I was shocked when I found that Linksys hasn't even touched
the BEFSRxx firmware in about a year.

At the time of writing this, the last firmware on the Linksys web page
for the very popular BEFSR41 routers is 1.45.7, dated June 2003. I
remember that Linksys used to update its firmware on a monthly basis,
sometimes faster, back in the days it was a small company trying to
beat the big guys.
