[NEWS] Linksys EtherFast Router Denial of Service Attack

From: SecuriTeam (support_at_securiteam.com)
Date: 10/19/03

    To: list@securiteam.com
    Date: 19 Oct 2003 16:57:43 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Linksys EtherFast Router Denial of Service Attack
    ------------------------------------------------------------------------

    SUMMARY

    The Linksys Instant Broadband EtherFast Cable/DSL Firewall Router with
    4-Port Switch/VPN Endpoint is "the perfect solution for connecting a small
    group of PCs to a high-speed broadband Internet connection or a 10/100
    Ethernet backbone". A vulnerability in the product allows remote attackers
    to cause the server to no longer respond to legitimate requests by sending
    it a specially malformed request.

    DETAILS

    The Linksys BEFSX41 has a web-based administration utility at a
    predictable default address (http://192.168.1.1). Administration is done
    through a series of HTML forms using the "GET" method. The router also has
    an out-of-the-box password of "admin".

    Under the default configuration, the router is only accessible from the
    local LAN and not the Internet. However, an attacker could set up a web
    page or send HTML email to someone inside of the LAN to indirectly send
    commands to the router.

    An attacker could specify a URL that results in denial of service. The
    denial of service occurs when a long string is sent to the System Log
    Viewer's "Log_Page_Num" parameter. When logging is enabled, the router
    becomes unresponsive after the URL is visited.

    Exploit:
    If an attacker can get the admin of the router to view a URL like
    http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0, the
    router will become inoperable. The link could be set as the source of an
    image HTML tag.

    Resolution:
    Linksys released updated firmware to address this issue. The firmware
    update is available from Linksys at
    http://www.linksys.com/download/firmware.asp?fwid=172.

    ADDITIONAL INFORMATION

    The information has been provided by KrazySnake
    (krazysnake@digitalpranksters.com).


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

