[NEWS] LG Electronics LG3001f Router Buffer Overflow
From: support@securiteam.com
Date: 08/21/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 21 Aug 2002 18:17:31 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
LG Electronics LG3001f Router Buffer Overflow
------------------------------------------------------------------------
SUMMARY
LG Electronics LR3001f is a WAN router. It comes with no access lists
defined, which lets an administrator connect to both port 23/tcp
(telnet) and port 80/tcp (www server). However, the IP stack of the
LR3001f has several bugs that can be exploited over the network.
DETAILS
Vulnerable systems:
All software versions up to and including 4.0 are vulnerable to all of
these types of attack.
Version 4.57, downloadable from the vendor website, is vulnerable to the
second type of attack but is not vulnerable to the first type of attack.
The vendor representative was informed about the vulnerabilities on
2002-04-18. LG did not respond in any way and has not released any fixed
or new software version.
Technical details:
When configured without access lists protecting ports 23 and/or 80, the
LR3001f is vulnerable to at least two bugs, resulting from memory
allocation function buffer overflows.
The first is exploitable without any access to a user account on the
router. The only thing needed is access to port 23/tcp or 80/tcp. If the
router is attacked with a data stream targeted at one of these ports (any
characters will do; both randomized and text-only input were used during
testing), it will reboot with one of the following messages:
Router# [BUFFER] Unknown free 0xffffffff
Router# can't malloc
Or
Router# [BUFFER] ERROR free not in use
Router# can't malloc
The second bug is directly in the telnet service, in its password
checking. The same technique with a random data stream is used; however,
a few ENTER characters should be sent first to get past the router's
primary prompt, which waits for that key to be pressed. In this case, the
router reboots with no message.
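For operators who capture the router's console output, the reboot messages quoted above can serve as a detection signature. The following is an added example, not part of the original advisory: the function name and the capture format are assumptions, and only the "Router#" message strings come from the advisory.

```python
import re

# Reboot signatures quoted in the advisory (first bug, ports 23/tcp and 80/tcp).
BUFFER_ERRORS = {
    "unknown_free": re.compile(r"\[BUFFER\] Unknown free (0x[0-9a-fA-F]+)"),
    "free_not_in_use": re.compile(r"\[BUFFER\] ERROR free not in use"),
}
MALLOC_FAIL = re.compile(r"can't malloc")

# Constructed console capture: the "Router#" messages are from the advisory,
# the "--" marker lines and the truncated ending are invented for the example.
SAMPLE_CAPTURE = [
    "-- constructed capture start --",
    "Router# [BUFFER] Unknown free 0xffffffff",
    "Router# can't malloc",
    "-- constructed: device restarted --",
    "Router# [BUFFER] ERROR free not in use",
    "Router# can't malloc",
    "Router# [BUFFER] ERROR free not in use",
]


def find_crash_signatures(lines):
    """Return one event per [BUFFER] error line, recording whether the
    advisory's follow-up message ("can't malloc") is the next line."""
    lines = [line.rstrip("\r\n") for line in lines]
    events = []
    for idx, line in enumerate(lines):
        for kind, pattern in BUFFER_ERRORS.items():
            match = pattern.search(line)
            if not match:
                continue
            following = lines[idx + 1] if idx + 1 < len(lines) else ""
            events.append({
                "line": idx + 1,  # 1-based line number in the capture
                "kind": kind,
                "address": match.group(1) if match.groups() else None,
                "malloc_failed": bool(MALLOC_FAIL.search(following)),
            })
    return events


if __name__ == "__main__":
    for event in find_crash_signatures(SAMPLE_CAPTURE):
        print(event)
```

This only covers the first bug; the second bug reboots the router with no message, so it has to be caught by other means such as monitoring for unexpected restarts.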
ADDITIONAL INFORMATION
The information has been provided by Bromirski, Lukasz
<LBromirski@techdata.pl>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.