LinkSys EtherFast Router Denial of Service Attack

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: LinkSys EtherFast Router Denial of Service Attack
From: DigitalPranksters <secteam@xxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 15 Oct 2003 03:24:26 -0500 (CDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

DigitalPranksters Security Advisory
http://www.DigitalPranksters.com

LinkSys EtherFast Router Denial of Service Attack

Risk: Low

Product: Linksys EtherFast Cable/DSL Firewall Router BEFSX41 (Firmware 
1.44.3)

Product URL: http://www.linksys.com/products/product.asp?prid=433

Vendor Contacted: September 9, 2003

Vendor Released Patch: September 26, 2003

DigitalPranksters Public Advisory Released: October 7, 2003

Found By: KrazySnake - krazysnake@xxxxxxxxxxxxxxxxxxxxx

Problem:
The Linksys BEFSX41 has web-based administration utility at a predictable 
default address (http://192.168.1.1). The administration is done through a 
series of html forms using the "get" method. The router also has an out of 
the box password of "admin".

Under the default configuration the router is only accessible from the 
local lan and not the internet. However, an attacker could set up a web 
page or send html email to someone inside of the lan to indirectly send 
commands to the router.

An attacker could specify a URL that results in denial of service. The 
denial of service occurs when long string is sent to the System Log 
Viewer's "Log_Page_Num" parameter. The router will be unresponsive after 
the URL is visited when logging is enabled.

Proof of Concept:
If an attacker can get the admin of the router to view a URL like 
http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0, the 
router will become inoperable. The link could be set as the source of an 
image html tag.

Resolution:
Linksys released an updated firmware to address this issue. This firmware 
update is made available by Linksys from 
http://www.linksys.com/download/firmware.asp?fwid=172.

Greetings:
SkippyInside, AngryB, Harmo, HTMLBCat, and Spyder.
Thanks to Linksys for fixing this issue.

Disclaimer:
Standard disclaimer applies. The opinions expressed in this advisory are 
our own and not of any company. The information within this advisory may 
change without notice. Use of this information constitutes acceptance for 
use in an AS IS condition. There are no warranties with regard to this 
information. In no event shall the author be liable for any damages 
whatsoever arising out of or in connection with the use or spread of this 
information. Any use of this information is at the user's own risk.

Prev by Date: Finjan Software Discovers a New Critical Vulnerability In Microsoft Hotmail
Next by Date: [CLA-2003:762] Conectiva Security Announcement - glibc
Previous by thread: Finjan Software Discovers a New Critical Vulnerability In Microsoft Hotmail
Next by thread: [CLA-2003:762] Conectiva Security Announcement - glibc
Index(es):
- Date
- Thread