[VulnWatch] iDEFENSE Security Advisory 09.13.05: Linksys WRT54G Management Interface DoS Vulnerability

From: iDEFENSE Labs (labs-no-reply_at_idefense.com)
Date: 09/13/05

  • Next message: iDEFENSE Labs: "[VulnWatch] iDEFENSE Security Advisory 09.13.05: Linksys WRT54G 'upgrade.cgi' Firmware Upload Design Error Vulnerability"
    Date: Tue, 13 Sep 2005 17:18:39 -0400
    To: <bugtraq@securityfocus.com>, <vulnwatch@vulnwatch.org>, <full-disclosure@lists.grok.org.uk>
    
    

    Linksys WRT54G Management Interface DoS Vulnerability

    iDEFENSE Security Advisory 09.13.05
    www.idefense.com/application/poi/display?id=308&type=vulnerabilities
    September 13, 2005

    I. BACKGROUND

    The Linksys WRT54G is a combination wireless access point, switch and
    router. More information is available at the following URL:

      http://www.linksys.com/products/product.asp?prid=508

    II. DESCRIPTION

    Remote exploitation of an input validation error within the web
    management httpd component of Cisco Systems Inc.'s Linksys WRT54G
    wireless router may allow unauthenticated users to cause a denial of
    service (DoS).

    The vulnerability exists in several of the "POST" method handlers of the
    httpd running on the router's internal interfaces, including by default
    the wireless interface. In addition to not checking if authentication
    has failed until after data supplied by an external user has been
    processed, there are several places where the Content-Length is assumed
    to be valid. In some of those cases, data is read in without error
    checking while decrementing the length value. If the Content-Length is
    set to a negative number, these checks will take an extremely long time,
    during which the httpd will become unresponsive.

    III. ANALYSIS

    An unauthenticated remote attacker may cause a DoS on the affected
    router. Exploitation of this vulnerability would require that an
    attacker can connect to the web management port of the router. The httpd
    is running by default, but is only accessible via the LAN ports or the
    WLAN (wireless LAN).

    Although this DoS is against the httpd itself, it may cause a higher
    than normal load on the router, which may be sufficient to cause packet
    loss. The httpd will also be unavailable. This may be sufficient to
    cause the owner to restart the device, which could in turn trigger
    changes made by a previous vulnerability.

    IV. DETECTION

    iDEFENSE has confirmed the existence of this vulnerability in version
    3.01.3 of the firmware of the Linksys WRT54G wireless router, and has
    identified that the same code is present in versions 3.03.6 and 4.00.7.
    All versions prior to 4.20.7 may be affected.

    V. WORKAROUND

    To mitigate exposure of the internal network to outside attackers,
    ensure encryption is enabled on the wireless interface. The exact
    settings to use depend on your wireless deployment policies.

    VI. VENDOR RESPONSE

    http://www.linksys.com/servlet/Satellite?childpagename=US%2FLayout&packedargs=c%3DL_Download_C2%26cid%3D1115417109974%26sku%3D1124916802645&pagename=Linksys%2FCommon%2FVisitorWrapper

    VII. CVE INFORMATION

    A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    been assigned yet.

    VIII. DISCLOSURE TIMELINE

    07/05/2005 Initial vendor notification
    07/25/2005 Initial vendor response
    09/13/2005 Coordinated public disclosure

    IX. CREDIT

    This vulnerability was discovered by Greg MacManus of iDEFENSE Labs.

    Get paid for vulnerability research
    http://www.idefense.com/poi/teams/vcp.jsp

    Free tools, research and upcoming events
    http://labs.idefense.com

    X. LEGAL NOTICES

    Copyright (c) 2005 iDEFENSE, Inc.

    Permission is granted for the redistribution of this alert
    electronically. It may not be edited in any way without the express
    written consent of iDEFENSE. If you wish to reprint the whole or any
    part of this alert in any other medium other than electronically, please
    email customerservice@idefense.com for permission.

    Disclaimer: The information in the advisory is believed to be accurate
    at the time of publishing based on currently available information. Use
    of the information constitutes acceptance for use in an AS IS condition.
    There are no warranties with regard to this information. Neither the
    author nor the publisher accepts any liability for any direct, indirect,
    or consequential loss or damage arising from use of, or reliance on,
    this information.
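
The two flaws described in section II (a Content-Length that is trusted, and authentication that is checked only after the body has been processed), shown as an added C example of the hardened handling; it is not part of the advisory and is not Linksys firmware code. The function names, the MAX_BODY cap and the flawed loop quoted in the comment are assumptions made for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>

#define MAX_BODY 65536L /* assumed cap for a management POST body */
/* Flawed pattern per the advisory (reconstruction, not firmware code):
 *     int len = atoi(value);  while (len--) fgetc(conn);
 * A negative len is accepted and read errors never end the loop. */

/* Accept only a plain decimal value in [0, MAX_BODY]. */
int parse_content_length(const char *s, long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') /* rejects "", "-1", "+5", " 5" */
        return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > MAX_BODY)
        return -1;
    *out = v;
    return 0;
}

/* Consume exactly len body bytes; EOF or a read error ends the loop. */
int drain_body(int fd, long len)
{
    char buf[512];
    while (len > 0) {
        size_t want = len < (long)sizeof buf ? (size_t)len : sizeof buf;
        ssize_t n = read(fd, buf, want);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) /* peer closed early or read failed */
            return -1;
        len -= n;
    }
    return 0;
}

/* Authenticate, validate the length, then read; returns an HTTP status. */
int handle_post(int fd, int authenticated, const char *content_length)
{
    long len;
    if (!authenticated)
        return 401;
    if (parse_content_length(content_length, &len) != 0)
        return 400;
    return drain_body(fd, len) == 0 ? 200 : 400;
}
```

A real handler would process the bytes where drain_body discards them; the point here is the order of checks and the loop's exit conditions.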

