LG Electronics LG3100p router
From: Lukasz Bromirski (lbromirski@mr0vka.eu.org)Date: 08/22/02
Date: Thu, 22 Aug 2002 10:19:04 +0200 (CEST) From: Lukasz Bromirski <lbromirski@mr0vka.eu.org> To: bugtraq@securityfocus.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Issue: ----------------------------------------------------------------|
LG Electronics LR3100p is a small WAN router with two WAN interfaces
and one Ethernet interface. It ships with no access lists defined, which
allows anyone, not just the administrator, to connect to port 23/tcp
(telnet). However, the IP stack of the LR3100p has several bugs that can
be exploited over the network.
Description: ----------------------------------------------------------|
When configured without access lists protecting port 23, the LR3100p is
vulnerable to at least three (3) bugs, all resulting from buffer
overflows in its memory allocation functions.
(1)
The first is exploitable without any access to a user account on the
router. The only thing needed is access to port 23/tcp. If a data stream
is sent to that port (any characters will do; both randomized and
text-only input were used during testing) the router reboots, usually
with no message.
(2)
The second bug applies only to software revisions up to and including
1.30. A few packets generated by a simple scan (for example nmap with the
`-O' option) can cause the router to reboot with the following message:
Exception 1400 at IP 12afc4
(3)
The third bug is in the telnet service itself, in its password checking.
The same random data stream technique is used, but a few ENTER characters
have to be sent first to get past the router's initial prompt, which
waits for that key to be pressed. The stream length needed was measured
to be about 40kB. In this case too, the router reboots with no message.
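The advisory's only stated safeguard is an access list in front of port 23, and its observable precondition for the unauthenticated crash is a large client stream toward the telnet service. The following is an added example (not part of the advisory and not LG code) that turns those two facts into a simple detection pass over flow records: it flags telnet connections to the router that come from outside an assumed management subnet, and client-to-router byte counts at or above the roughly 40 kB the advisory reports. The router address (192.0.2.1), the management subnet (192.0.2.0/28), and the one-line flow-log format are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed values for this example (constructed, not taken from the advisory).
ROUTER_ADDR = ipaddress.ip_address("192.0.2.1")          # the LR3100p's LAN address
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/28")]       # hosts allowed to reach 23/tcp
TELNET_PORT = 23
# The advisory reports the unauthenticated crash after a stream of about 40 kB.
STREAM_BYTES_THRESHOLD = 40_000


@dataclass(frozen=True)
class Flow:
    src: object          # ipaddress address object
    dst: object          # ipaddress address object
    dport: int
    client_bytes: int    # bytes sent by src toward dst


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line: '<src> <dst>:<dport> bytes=<n>'."""
    src, dst_port, bytes_field = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    nbytes = int(bytes_field.split("=", 1)[1])
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), nbytes)


def assess(flow: Flow) -> List[str]:
    """Return the reasons a flow is suspicious; empty list means nothing to report."""
    findings: List[str] = []
    # Only telnet sessions terminating on the router are in scope.
    if flow.dst != ROUTER_ADDR or flow.dport != TELNET_PORT:
        return findings
    # Mirrors the missing access list: telnet must come from the management subnet.
    if not any(flow.src in net for net in MGMT_NETS):
        findings.append("telnet from outside management allow-list")
    # Volume consistent with the data-stream crash described in the advisory.
    if flow.client_bytes >= STREAM_BYTES_THRESHOLD:
        findings.append("client stream >= 40 kB toward telnet service")
    return findings


def scan_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run assess() over every non-empty line; return only the flagged lines."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        findings = assess(parse_flow(line))
        if findings:
            flagged.append((line, findings))
    return flagged


# Constructed sample flow log: one legitimate admin session, one telnet
# connection from an outside host, one large outside stream, one unrelated
# HTTP flow that must not be flagged.
SAMPLE_FLOW_LOG = """\
192.0.2.5 192.0.2.1:23 bytes=310
198.51.100.77 192.0.2.1:23 bytes=120
198.51.100.77 192.0.2.1:23 bytes=41200
192.0.2.5 192.0.2.1:80 bytes=52000
"""

if __name__ == "__main__":
    for line, reasons in scan_log(SAMPLE_FLOW_LOG):
        print(line, "->", "; ".join(reasons))
```

The allow-list check is the part worth keeping once the firmware is fixed, since it enforces on the network what the router's missing access list does not; the byte threshold is only a heuristic tied to the advisory's measurement and should be tuned to the real flow source.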
Vulnerable versions: --------------------------------------------------|
Versions up to and including 1.30 are vulnerable to all three bugs.
Release 1.50 is vulnerable only to the first and third bug. The vendor
representative was informed about the vulnerabilities on 2002-04-18,
and LG has recently released a `fixed' release 1.52 which, however,
is still vulnerable to the first and third bug. This was reported to
the vendor, but there has been no response.
Info on this advisory: ------------------------------------------------|
This advisory can be accessed on-line at my personal site:
http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.txt
My personal PGP key fingerprint is:
5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49
My personal PGP key is located at:
http://mr0vka.eu.org/pgp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iD8DBQE9Y1PiYqhjwgk7bEkRApWcAJ4kYv9uQcaFsqtoyKyopvMXAvMUXQCgyTWH
cl5IBM6E9JFpj6WoSggy+uE=
=1kQa
-----END PGP SIGNATURE-----
--
Łukasz Bromirski lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc http://mr0vka.eu.org
PGP finger 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49