Page 1 of 4 123 ... LastLast
Results 1 to 10 of 32

Thread: Linksys Router Owners - HEADS UP!

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885

    Linksys Router Owners - HEADS UP!

    This was posted to bugtraq today. I know that many of you (including myself) use these routers at home. See below.


    Denial of Service Vulnerability in

    Linksys BEFSR41 - Router vuln was identified and tested on.

    Linksys BEFSR41 v3

    Linksys BEFSRU31

    Linksys BEFSR11

    Linksys BEFSX41

    Linksys BEFSR81 v2/v3

    Linksys BEFW11S4 v3

    Linksys BEFW11S4 v4

    Available from www.linksys.com

    October 19, 2003 (Revised November 10, 2003)

    Released Date: 3rd June 2004

    NOTE: THIS ADVISORY WAS ORIGINALLY WITTEN FOR THE

    Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch



    I. BACKGROUND



    Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch

    "is the perfect option to connect multiple PCs to a high-speed

    Broadband Internet connection or to an Ethernet back-bone. Allowing

    up to 253 users, the built-in NAT technology acts as a firewall

    protecting your internal network." More information about it is

    available at

    http://www.linksys.com/products/prod...rid=20&grid=23



    II. DESCRIPTION



    It is possible for a remote/local attacker to crash the linksys router and

    leave it in a state that it can't be accessed even after reboot due to an

    invalid password. An attacker could set up a web page or send an html

    email to someone inside the LAN to indirectly send commands to the router.

    An attacker could specify a URL that results in denial of service. The DoS

    Occurs when 2 long strings are sent to the sysPasswd and sysPasswdConfirm

    Parameters on the Gozila.cgi script, about 150 characters to each parameter

    Seems to work fine. If an attacker can get the admin of the router to view a link

    Or goto a webpage that links to such a link as this.



    http://192.168.1.1/Gozila.cgi?sysPas...AAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sysPasswdConfirm=AAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAA&UPnP_Work=1&FactoryDefaults=0



    The router will drop all internet connections making the internet inaccessible from the

    LAN even if the router is powered off and back on. It also seems to change the

    password in such a way that the admin can't log back into the router and the only way

    to solve it is by pressing the factory reset button on the front of the router, Which will

    then reset all previously stored settings and reset the password back to factory default

    'admin'. The router would then need to be set back up again from scratch.





    REVISED NOVEMBER 10, 2003





    On November 10 2003 I found another overflow in linksys router which is a similar attack

    method to the first vuln in this advisory. The DoS occurs in this attack when a long

    string about 350 characters is passed to the 'DomainName' parameter of the Gozila.cgi

    script. An example of this attack would be to get the admin of a router to visit a link

    like this.



    http://192.168.1.1/Gozila.cgi?hostNa...AAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&WANConnectionSel=0&ipAddr1=192&ipAddr2=168&

    ipAddr3=1&ipAddr4=1&netMask=0&WANConnectionType=1



    This would cause the router to crash and the Factory reset button on the front of the

    Router would need to be pressed to restore it back to normal working order.







    III. ANALYSIS



    Exploitation may be particularly dangerous, especially if the router's remote

    management capability is enabled. It may also be easily exploited by fooling

    an admin of the router into clicking a link he/she thinks is valid. This is probably

    vuln in older version of the firmware.



    IV. DETECTION



    This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with the latest

    firmware version 1.45.7 I also tested version 1.44.2z which is also vuln so probably

    all other version below this are also vuln . It may also be possible that other version of

    Linksys routers are vuln to this attack if they use the same type of management. I'm unable

    to confirm any other models that are vuln to this attack. The Linksys BEFSRU31 and BEFSR11

    use the same version of firmware as the BEFSR41 so they are probably vuln.



    NOTE ADDED June 3rd 2004:

    The Vendor confirmed this vuln in all version stated at the start of this advisory



    V. RECOVERY



    Pressing the reset button on the front of the router and setting it back up from scratch

    should restore normal functionality to the router.



    VI. WORKAROUND



    Don't click untrusted links.



    VII. VENDOR

    19 Oct 2003: First vuln discovered.

    10 Nov 2003: Second vuln discovered.

    01 Dec 2003: Vendor contacted via security@linksys.com

    01 Dec 2003: Response Recived from jay.price@linksys.com

    10 Dec 2003: Issue been turned over to project manager andreas.bang@linksys.com

    17 Dec 2003: I was sent a beta release of the new firmware witch fixed the vuln but

    had a bug where the logging function wouldn't work.

    22 DEc 2003: andreas.bang@linksys.com now moved office now to contact anbang@cisco.com

    29 Jan 2004: Was told patches would be up in the next week

    29 Feb 2004: They said there was a problem with the code, still no patches

    24 Mar 2004: Recived a email about patches saying.

    BEFSR41 v3(Post on by 3/31)

    BEFSX41 (posted)

    BEFSR81 v2/v3(in progress)

    BEFW11S4 v3(post by 3/31)

    BEFW11S4 v4(posted)

    02 Jun 2004: Advisory released to public still no patch for the Linksys BEFSR41

    EtherFast Cable/DSL Router with 4-Port Switch

    http://www.linksys.com/download/firmware.asp?fwid=3

    The version this advisory was first written for it still remains vuln to date.





    b0f (Alan McCaig)

    b0fnet@yahoo.com

    www.b0f.net
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I believe the pertinent phrase was if they can get admin access.... I'll test it tonight but I don't think you can get to the syspassword and sysconfirmpassword or anything else directly without first getting admin access.

    Thus, right now I'm guessing, but changing the password to anything from the default should prevent this.

    Additionally, most of these routers are left in their default factory configuration by the users so pressing the factory reset returns it to a fully functional state in seconds....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Yeah, and a big if might I add.

    The router will drop all internet connections making the internet inaccessible from the

    LAN even if the router is powered off and back on.
    That's quite scary for any regular PC user that has one of these and just has a few PC's linked up. What's even more scarier could be this part:

    It also seems to change the

    password in such a way that the admin can't log back into the router and the only way

    to solve it is by pressing the factory reset button on the front of the router
    Now sure it could be solved a couple way's (one being mentioned is to his the reset button) but this could cause major problem's for routed computer's of home user's (as well as companies, networks, etc). Thanks for the head's up thehorse13, I should subscribe to bugtraq.
    Space For Rent.. =]

  4. #4
    () \/V |\| 3 |) |3\/ |\|3G47|\/3
    Join Date
    Sep 2002
    Posts
    744
    Originally posted here by Spyder32
    Thanks for the head's up thehorse13, I should subscribe to bugtraq.
    ...and here is a link to bugtraq if you want to subscribe to their mailing lists. Be warned you *will* receive a lot of mail...but it's good stuff!

    Go Finland!
    Deviant Gallery

  5. #5
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Originally posted here by Spyder32
    Yeah, and a big if might I add.



    That's quite scary for any regular PC user that has one of these and just has a few PC's linked up. What's even more scarier could be this part:



    Now sure it could be solved a couple way's (one being mentioned is to his the reset button) but this could cause major problem's for routed computer's of home user's (as well as companies, networks, etc). Thanks for the head's up thehorse13, I should subscribe to bugtraq.
    Even worse are the users like myself who have the BEFSR81 and have a lot of customized settings, port forwarding, and the like. Most users, from what I've seen, use the DHCP functions and hence, resetting to a default state wouldn't be too bad. Now if you have a static IP, you have to re-enter all that information and if you assign static IPs like I do, that has to be redone as well.

    Irritation all around, either way.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  6. #6
    Ah, the good people at AO watching bugtraq ever so close.
    I sold these two four port models awhile back. BEFSR41 & BEFSX41 time to make a couple of emails.
    Maybe this will actually free up some of those Call_Of_Duty servers


    Good eye.

  7. #7
    Well, I just tried this and I have to say something wierd happened. It did not shut down all the internet traffic, it did something worse. It dumped me right into the configuration page. No additional password necessary. Even worse, I'm not being asked to login. just constantly being dumped into the configuration screen.

    If you'll excuse me, i'm going to reboot my router now...

    BTW: i'm using a linksys WRT54G firmware version 2.02.7

    Oh, here's the link i used... i'll remove it if any moderators want me to:
    http://192.168.1.1/Gozila.cgi?sysPas...ctoryDefults=0
    You are so bored that you are reading my signature?

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Well, i just tried this and i have to say something wierd happened. It did not shut down all the internet traffic, it did something worse. It dumped me right into the configuration page! No additional password necessary. Even worse! i'm not being asked to login! just constantly being dumped into the configuration screen!

    If you'll excuse me, i'm going to reboot my router now...

    BTW: i'm using a linksys WRT54G firmware version 2.02.7
    You may have found a new bug since your model is not listed among the ones tested. Submit the details to security@linksys.com. You should receive a beta build of firmware from them if they confirm the issue.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Yay! my first hack! oh well, still a skiddy since i have no idea what went wrong...

    Thanks for the e-mail link TH13, i sent them all the information i could.

    Also, upon hitting the reset switch everything went back to my normal settings... not the factory default... but that's because i only pressed the button instead of holding it for 5 seconds.
    You are so bored that you are reading my signature?

  10. #10
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Annihilator_god > I just tried that on my router (WRT54G, Firmware v2.02.2), but it doesn't do anything (abnormal).

    Here's the link I tried. To avoid the link being *****ed up, it's in quote-tags...


    BTW: you have a little error in your link (unless that's what causes the error: you have Defults in stead of Defaults ).

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •