This was posted to bugtraq today. I know that many of you (including myself) use these routers at home. See below.


Denial of Service Vulnerability in

Linksys BEFSR41 - Router vuln was identified and tested on.

Linksys BEFSR41 v3

Linksys BEFSRU31

Linksys BEFSR11

Linksys BEFSX41

Linksys BEFSR81 v2/v3

Linksys BEFW11S4 v3

Linksys BEFW11S4 v4

Available from www.linksys.com

October 19, 2003 (Revised November 10, 2003)

Released Date: 3rd June 2004

NOTE: THIS ADVISORY WAS ORIGINALLY WITTEN FOR THE

Linksys BEFSR41 EtherFast Cable/DSL Router with 4-Port Switch



I. BACKGROUND



Linksys Group Inc.'s EtherFast Cable/DSL Router with 4-Port Switch

"is the perfect option to connect multiple PCs to a high-speed

Broadband Internet connection or to an Ethernet back-bone. Allowing

up to 253 users, the built-in NAT technology acts as a firewall

protecting your internal network." More information about it is

available at

http://www.linksys.com/products/prod...rid=20&grid=23



II. DESCRIPTION



It is possible for a remote/local attacker to crash the linksys router and

leave it in a state that it can't be accessed even after reboot due to an

invalid password. An attacker could set up a web page or send an html

email to someone inside the LAN to indirectly send commands to the router.

An attacker could specify a URL that results in denial of service. The DoS

Occurs when 2 long strings are sent to the sysPasswd and sysPasswdConfirm

Parameters on the Gozila.cgi script, about 150 characters to each parameter

Seems to work fine. If an attacker can get the admin of the router to view a link

Or goto a webpage that links to such a link as this.



http://192.168.1.1/Gozila.cgi?sysPas...AAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&sysPasswdConfirm=AAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAA&UPnP_Work=1&FactoryDefaults=0



The router will drop all internet connections making the internet inaccessible from the

LAN even if the router is powered off and back on. It also seems to change the

password in such a way that the admin can't log back into the router and the only way

to solve it is by pressing the factory reset button on the front of the router, Which will

then reset all previously stored settings and reset the password back to factory default

'admin'. The router would then need to be set back up again from scratch.





REVISED NOVEMBER 10, 2003





On November 10 2003 I found another overflow in linksys router which is a similar attack

method to the first vuln in this advisory. The DoS occurs in this attack when a long

string about 350 characters is passed to the 'DomainName' parameter of the Gozila.cgi

script. An example of this attack would be to get the admin of a router to visit a link

like this.



http://192.168.1.1/Gozila.cgi?hostNa...AAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&WANConnectionSel=0&ipAddr1=192&ipAddr2=168&

ipAddr3=1&ipAddr4=1&netMask=0&WANConnectionType=1



This would cause the router to crash and the Factory reset button on the front of the

Router would need to be pressed to restore it back to normal working order.







III. ANALYSIS



Exploitation may be particularly dangerous, especially if the router's remote

management capability is enabled. It may also be easily exploited by fooling

an admin of the router into clicking a link he/she thinks is valid. This is probably

vuln in older version of the firmware.



IV. DETECTION



This vulnerability affects the BEFSR41 EtherFast Cable/DSL router with the latest

firmware version 1.45.7 I also tested version 1.44.2z which is also vuln so probably

all other version below this are also vuln . It may also be possible that other version of

Linksys routers are vuln to this attack if they use the same type of management. I'm unable

to confirm any other models that are vuln to this attack. The Linksys BEFSRU31 and BEFSR11

use the same version of firmware as the BEFSR41 so they are probably vuln.



NOTE ADDED June 3rd 2004:

The Vendor confirmed this vuln in all version stated at the start of this advisory



V. RECOVERY



Pressing the reset button on the front of the router and setting it back up from scratch

should restore normal functionality to the router.



VI. WORKAROUND



Don't click untrusted links.



VII. VENDOR

19 Oct 2003: First vuln discovered.

10 Nov 2003: Second vuln discovered.

01 Dec 2003: Vendor contacted via security@linksys.com

01 Dec 2003: Response Recived from jay.price@linksys.com

10 Dec 2003: Issue been turned over to project manager andreas.bang@linksys.com

17 Dec 2003: I was sent a beta release of the new firmware witch fixed the vuln but

had a bug where the logging function wouldn't work.

22 DEc 2003: andreas.bang@linksys.com now moved office now to contact anbang@cisco.com

29 Jan 2004: Was told patches would be up in the next week

29 Feb 2004: They said there was a problem with the code, still no patches

24 Mar 2004: Recived a email about patches saying.

BEFSR41 v3(Post on by 3/31)

BEFSX41 (posted)

BEFSR81 v2/v3(in progress)

BEFW11S4 v3(post by 3/31)

BEFW11S4 v4(posted)

02 Jun 2004: Advisory released to public still no patch for the Linksys BEFSR41

EtherFast Cable/DSL Router with 4-Port Switch

http://www.linksys.com/download/firmware.asp?fwid=3

The version this advisory was first written for it still remains vuln to date.





b0f (Alan McCaig)

b0fnet@yahoo.com

www.b0f.net