[NEWS] Linksys Router Bypass Vulnerability (XML)
From: support@securiteam.com
Date: 11/22/02
From: support@securiteam.com To: list@securiteam.com Date: 22 Nov 2002 02:05:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Linksys Router Bypass Vulnerability (XML)
------------------------------------------------------------------------
SUMMARY
Linksys products running affected firmware versions are susceptible to a
bug that allows unauthenticated access to the management interface. This
bug affects both local and remote management (if enabled).
DETAILS
Vulnerable systems:
* BEFSR41, BEFSR11, BEFSRU31: firmware versions from 1.41 through 1.43
* BEFW11S4: firmware versions from 1.42.7 through 1.43
Impact:
Users on the protected ("local") network can gain administrative access to
the Linksys router and may view/alter configuration data. If remote
management is enabled, users on the unprotected ("wide-area") network may
gain similar access.
Note that for the BEFW11S4, the "local" network includes all devices able
to associate with the access point.
Technical details:
It appears that the Linksys HTTP management interface does not handle
cases where the client sends specific XML-related data during the initial
content negotiation ("XML related entries in the mailcap file").
Verification:
Test setup included the following hardware/software:
- BEFSR41 firewall/router with firmware version 1.43
- Lynx browser version 2.8.4rel.1 (17 Jul 2001)
- ~/.mailcap with the following line:
    application/foo.xml;
Using lynx with the above mailcap, connect to the management interface
(remote interface listens on port 8080 when enabled). Affected versions
will display the setup screen without requiring the user to enter a
password. (Note: mailcap is generally installed as ~/.mailcap).
Navigation to other screens is possible, though some "accept" buttons
might not render if the browser used is unable to process JavaScript.
Resolution:
Linksys has released firmware version 1.43.3 that resolves this issue on
the tested equipment (BEFSR41). It is assumed that the problem is
resolved with this firmware version on all affected products.
ADDITIONAL INFORMATION
The information has been provided by Seth Bromberger
<sbbugtraq1102@yahoo.com>.
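Added example (not part of the original advisory): a small inventory triage that applies the firmware ranges from "Vulnerable systems" and the fixed release from "Resolution" to a list of devices. The function names, status labels and sample inventory rows are constructed for illustration; treating 1.43.3 and later as fixed on every listed model follows the advisory's own assumption.

```python
# Added example: triage an inventory against the advisory's firmware ranges.
AFFECTED = {  # model -> (first, last) vulnerable firmware, from "Vulnerable systems"
    "BEFSR41": ("1.41", "1.43"),
    "BEFSR11": ("1.41", "1.43"),
    "BEFSRU31": ("1.41", "1.43"),
    "BEFW11S4": ("1.42.7", "1.43"),
}
FIXED_IN = "1.43.3"  # release named under "Resolution"


def parse_version(text):
    """'1.42.7' -> (1, 42, 7); padded to three fields so 1.43 == 1.43.0."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(model, firmware, remote_mgmt=False):
    """Return (status, exposure) where exposure lists who can reach the bug."""
    model = model.strip().upper()
    if model not in AFFECTED:
        return "not-listed", []
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown-version", []  # unparseable string: check by hand
    first, last = (parse_version(v) for v in AFFECTED[model])
    if first <= version <= last:
        exposure = ["LAN"]
        if model == "BEFW11S4":
            exposure.append("wireless clients")  # anyone who can associate
        if remote_mgmt:
            exposure.append("WAN:8080")  # remote management port per advisory
        return "vulnerable", exposure
    if version >= parse_version(FIXED_IN):
        return "fixed", []
    return "outside-listed-range", []  # advisory makes no claim either way


if __name__ == "__main__":
    inventory = [  # constructed sample rows: (model, firmware, remote management)
        ("BEFSR41", "1.43", False),
        ("BEFW11S4", "1.42.7", True),
        ("BEFSR41", "1.43.3", False),
        ("BEFSR11", "1.40.2", False),
    ]
    for model, firmware, remote in inventory:
        status, exposure = triage(model, firmware, remote)
        print(f"{model:9} {firmware:7} {status:21} {', '.join(exposure)}")
```

Devices reported as "outside-listed-range" or "unknown-version" are ones the advisory does not classify, so they need a manual check rather than being read as safe.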