COMMAND

	SOHO Routefinder 550 VPN Denial of Service and Buffer Overflow

SYSTEMS AFFECTED

	 RF550VPN Firmware v463, v464 beta
	 prior versions are vulnerable - other models might be affected as well

PROBLEM

	In Peter Kruse Advisory [http://www.krusesecurity.dk]:
	
	 Legal Notice:
	
	This Advisory is copyright by  Peter  Kruse.  You  may  distribute  this
	unmodified.
	
	 Disclaimer:
	
	The opinions expressed in this advisory are my own and not that  of  any
	company. The usual standard  disclaimer  applies,  especially  the  fact
	that Peter Kruse or Kruse Security is not liable for any damages  caused
	by direct or indirect use of the information or  functionality  provided
	by this advisory or program.
	
	 Vendor Description:
	
	The  SOHO  RouteFinder  is  ideal  for  the  small  branch   office   or
	telecommuter who needs secure access to the corporate LAN.  In  addition
	to providing a WAN Ethernet port for DSL  or  cable  broadband  Internet
	access,  it  also  offers  both   client-to-LAN   and   LAN-to-LAN   VPN
	connectivity based on the IPSec protocol. It  supports  up  to  5  IPSec
	tunnels and provides 3DES encryption with 700K bps throughput.
	
	 Problem:
	
	The Multitech Routefinder supports  login  through  a  webinterface.  By
	default the interface is enabled on the LAN side with  a  default  login
	"admin" and a blank password.
	
	The weakness is found in the web software implemented on the  router.  A
	user on the LAN side is able to initiate  a  Denial  of  Service  attack
	against the router and cause it to fail to  respond.  This  would  block
	all Internet trafic. More scary  the  fact  that  it's  possible  for  a
	remote hostile attacker to execute code on the  box.  This  is  critical
	since the router is mainly used as a VPN box for  the  SOHO  market.  In
	order to attack the box from the  outside  it  would  require  that  the
	webinterface is enabled on the external side. This would often  be  done
	for remote administration.
	
	 Description:
	
	The flaw can be exploited with a GET /OPTIONS parameter.
	By supplying an overlong URL: GET /OPTIONS AAAAA..[Ax10001]..AAAAA.HTML HTTP/1.1 we can 
	break the box. This  allows  a  hostile  user  to  corrupt  memory  with
	attacker-supplied data.
	
	When the box receives the overlong URL it will reboot.
	
	

SOLUTION

	Multitech has released new firmware that fixes this issue.
	
	The firmware can be downloaded from this URL:
	
	http://www.multitech.com/SUPPORT/SOHO_VPN/firmware.asp
	
	(Please note that the firmaware that fixes this issue is still  named  v
	4.63).
	
	Log:
	
	12.2.2003: Vendor contacted at (sales,support,security@multitech.com)
	17.2.2003: Vendor contacted - reminder
	19.2.2003: Reply - working to reproduce the problem
	28.2.2003: Proof of concept code supplied in order to reproduce problem
	7.3.2003:  New firmware released - Tested and confirmed to fix the problem
	11.3.2003:  Official release of this advisory
	
	
	This advisory can be found online on:
	
	http://www.krusesecurity.dk/advisories/routefind550bof.txt