Linksys BEFSR41 DHCP vulnerability server leaks network data

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Linksys BEFSR41 DHCP vulnerability server leaks network data
From: Lance Armstrong <mishlai@xxxxxxxxxxx>
Date: 7 Jun 2004 10:43:03 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On May 2nd 2004 I sent an email (detailed below) to Linksys concerning this
vulnerability. Linksys has posted the vulnerability and a fix for the Revision
3 router since then here:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li=

Upgrades for Revs 1 & 2 are promised soon.

More details are included in the email:
************************
Linksys,

I believe I have found a vulnerability in your BEFSR41 router.

The vulnerability involves a buffer leakage in the DHCP service. As a result,
data that has recently passed through the router can be compromised by an
attacker on the LAN.

This vulnerability was tested with firmware version 1.45.7

Conditions required to exploit the vulnerability:
1) An attacking host on the LAN side of the router that can broadcast
DHCP-INFORM packets to the LAN.
2) A sniffer on the attacking host to record the router's response packets.
3) Data has recently passed between the LAN and WAN sides of the router.
4) DHCP is enabled on the router.

Details
I used a Windows 2000 DHCP server to create the DHCP-INFORM packets. The
server broadcasts the DHCP-INFORM message once an hour, or when the service is
restarted. These packets must be broadcast to the LAN side of the router.

If DHCP is enabled on the Router, it will respond to each broadcast with a
packet containing leaked buffer data. The response is sent directly to the IP
address of the attacking host. Approximately 488 bytes of the 590 byte
response comes from the router's buffer, providing easily recognizable
fragments of recently viewed web pages, etc.

Effects of the vulnerability:
Data that has passed through the router recently can be compromised by an
attacker with access to the LAN. This can include email sent or received, web
pages viewed, and passwords (cleartext or weakly encrypted) that have been used
by a LAN client to access a WAN resource or vice versa.

Interesting notes about the vulnerability that make it more difficult to detect
an attacker.
- The attack does not rely on traditional methods to overcome switched
networks.

- The attacking host does not need to place its NIC in promiscuous mode.

- It is also possible to craft DHCP-INFORM packets that are not broadcast, but
directed at the router's address.

- This vulnerability also makes it possible to view data that was passed
through the router at some time in the past, making it unnecessary to capture
the traffic when it actually occurs. This makes the physical aspect of
security more difficult. The victim and the attacker do not have to be on the
LAN at the same time.

Here is an example of that last point:
1) A LAN user is visiting a website that requires HTTP-BASIC authentication,
logs in, reads a few pages, and then closes the web browser.

2) At some point in the future, the attacker begins making DHCP-INFORM
broadcasts from the LAN and collecting the buffer leakage that results.

3) Among the leaked data is the base64 encoded authorization that was used to
access the HTTP-BASIC authenticated website. The user's password has now been
compromised.

Mitigating Factors

- The attacker must be on the LAN.

- Only data which is still in the buffer can be compromised. This limits the
vulnerable data to the last few most recently visited web pages or a similar
amount of data.

- Passing "unimportant" data through the router will flush the buffer and
prevent the compromise of more important data.

- Cycling power to the router will clear the buffer.

- The DHCP service can be disabled on the router, removing the vulnerability
entirely.

Moving Forward

It is my intention to post this vulnerability on Bugtraq in 1 month. However,
I want to give Linksys every opportunity to prepare a fix for this
vulnerability before it is made public. If more than 1 month will be required
to resolve this issue, please let me know and I will work with you.

I hope I have not left out any important details. Please do not hesitate to
contact me if you have any questions, and I wish you the best of luck in
finding a solution. Capture files of the vulnerability being exploited are
available to you if you need them.

Sincerely,

Lance Armstrong
********************

The response I received from Linksys on 5/3/2004 led me to believe that I was
the first to bring this to their attention, but the Linksys posting did not
credit anyone specifically with finding the vulnerability.

Prev by Date: Linksys WRT54G - Advice for european users
Next by Date: Re: Bank of America security e-mail address
Previous by thread: RE: Linksys WRT54G - Advice for european users
Next by thread: cPanel mod_php suEXEC Taint Vulnerability
Index(es):
- Date
- Thread