[NEWS] USRobotics USR808054 Wireless Access Point Denial Of Service And Possible Code Execution Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/04

    To: list@securiteam.com
    Date: 4 Aug 2004 01:02:01 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    USRobotics USR808054 Wireless Access Point Denial Of Service And Possible Code Execution Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    The USR808054 <http://www.usr-emea.com/products/p-networking-product.asp?prod=net-8054&page=overview&loc=emea> wireless access point router supports data transfer acceleration equivalent to 100Mbps throughput, is compatible with the 802.11b/g standards, has built-in WEP and WPA (Wi-Fi Protected Access) support with MAC authentication, and can act as a router for wired networks in addition to having firewall rules.

    The USR808054 wireless router can be administered via a web
    interface that uses the HTTP protocol, so the router has a
    built-in HTTP server. A buffer overflow vulnerability in that server
    would allow an attacker to bring down the device and possibly execute
    arbitrary code on the platform.

    DETAILS

    Vulnerable Systems:
     * USR808054 version 1.21h

    A buffer overflow is triggered through the HTTP version string in a GET
    request. The request can be made without the administrator password,
    so all users on the network who are allowed to connect to the HTTP port
    (all by default) can exploit this issue. Example proof of concept:
    bash~$ perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

    The result is a crash of the access point and the disconnection of all
    users. With proper knowledge of the architecture used to create the device
    it might even be possible to execute arbitrary code on the router itself.
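
A bounded request-line parser of the kind that rejects an oversized HTTP version string before any copy takes place, as an added example (not part of the original advisory and not USRobotics firmware code). The struct layout, size limits and status names are assumptions chosen for illustration; requests without a version token are rejected.

```c
#include <ctype.h>
#include <string.h>

#define METHOD_MAX  8
#define TARGET_MAX  256
#define VERSION_LEN 8                    /* strlen("HTTP/1.1") */

enum { PARSE_OK = 0, PARSE_BAD_REQUEST = 400, PARSE_BAD_VERSION = 505 };

struct request_line {                    /* hypothetical layout, not the vendor's */
    char method[METHOD_MAX + 1];
    char target[TARGET_MAX + 1];
    char version[VERSION_LEN + 1];
};

/* Copy n bytes into dst (capacity cap, NUL included) only if they fit. */
static int copy_token(char *dst, size_t cap, const char *s, size_t n)
{
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "METHOD SP target SP HTTP/d.d"; every length is checked before a copy. */
int parse_request_line(const char *buf, size_t len, struct request_line *out)
{
    size_t n = 0;
    while (n < len && buf[n] != '\r' && buf[n] != '\n') n++;   /* end of line */

    const char *sp1 = memchr(buf, ' ', n);
    if (!sp1) return PARSE_BAD_REQUEST;
    const char *sp2 = memchr(sp1 + 1, ' ', (size_t)(buf + n - (sp1 + 1)));
    if (!sp2) return PARSE_BAD_REQUEST;

    const char *ver = sp2 + 1;
    size_t vlen = (size_t)(buf + n - ver);
    /* The field named in the advisory: accept only the fixed 8-byte form. */
    if (vlen != VERSION_LEN || memcmp(ver, "HTTP/", 5) != 0 ||
        !isdigit((unsigned char)ver[5]) || ver[6] != '.' ||
        !isdigit((unsigned char)ver[7]))
        return PARSE_BAD_VERSION;

    if (copy_token(out->method, sizeof out->method, buf, (size_t)(sp1 - buf)) ||
        copy_token(out->target, sizeof out->target, sp1 + 1, (size_t)(sp2 - sp1 - 1)) ||
        copy_token(out->version, sizeof out->version, ver, vlen))
        return PARSE_BAD_REQUEST;
    return PARSE_OK;
}
```

A server built this way answers the request shown in the proof of concept with an error status instead of copying 250 bytes into a version buffer.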

    Disclosure Timeline
    19/07/2004 - Notified spain_modemsupport@usr.com, no reply.

    ADDITIONAL INFORMATION

    The information has been provided by Albert Puigsech Galicia
    <ripe@7a69ezine.org>.


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

