[NEWS] Linksys EtherFast Router Denial of Service Attack
From: SecuriTeam (support_at_securiteam.com)
Date: 10/19/03
- Previous message: SecuriTeam: "[NT] ListBox and ComboBox Control Buffer Overflow (Technical Details)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Oct 2003 16:57:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Linksys EtherFast Router Denial of Service Attack
------------------------------------------------------------------------
SUMMARY
The <The Linksys Instant Broadband EtherFast Cable/DSL Firewall Router
with 4-Port Switch/VPN Endpoint is the perfect solution for connecting a
small group of PCs to a high-speed broadband Internet connection or a
10/100 Ethernet backbone.> Linksys Instant Broadband EtherFast Cable/DSL
Firewall Router with 4-Port Switch/VPN Endpoint is "the perfect solution
for connecting a small group of PCs to a high-speed broadband Internet
connection or a 10/100 Ethernet backbone". A vulnerability in the product
allows remote attackers to cause the server to no longer respond to
legitimate requests by sending it an especially malformed request.
DETAILS
The Linksys BEFSX41 has web-based administration utility at a predictable
default address (http://192.168.1.1). The administration is done through a
series of HTML forms using the "GET" method. The router also has an out of
the box password of "admin".
Under the default configuration, the router is only accessible from the
local LAN and not the Internet. However, an attacker could set up a web
page or send HTML email to someone inside of the LAN to indirectly send
commands to the router.
An attacker could specify a URL that results in denial of service. The
denial of service occurs when long string is sent to the System Log
Viewer's "Log_Page_Num" parameter. The router will be unresponsive after
the URL is visited when logging is enabled.
Exploit:
If an attacker can get the admin of the router to view a URL like
http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0, the
router will become inoperable. The link could be set as the source of an
image HTML tag.
Resolution:
Linksys released an updated firmware to address this issue. This firmware
update is made available by Linksys from
<http://www.linksys.com/download/firmware.asp?fwid=172>
http://www.linksys.com/download/firmware.asp?fwid=172.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:krazysnake@digitalpranksters.com> KrazySnake.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] ListBox and ComboBox Control Buffer Overflow (Technical Details)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
