|
DigitalPranksters Security Advisory <http://www.DigitalPranksters.com> LinkSys EtherFast Router Denial of Service Attack Risk: Low Product: Linksys EtherFast Cable/DSL Firewall Router BEFSX41 (Firmware 1.44.3) Product URL: <http://www.linksys.com/products/product.asp?prid=433> Vendor Contacted: September 9, 2003 Vendor Released Patch: September 26, 2003 DigitalPranksters Public Advisory Released: October 7, 2003 Found By: KrazySnake - krazysnake@digitalpranksters.com <mailto:krazysnake@digitalpranksters.com> Problem: The Linksys BEFSX41 has web-based administration utility at a predictable default address (<http://192.168.1.1>). The administration is done through a series of html forms using the "get" method. The router also has an out of the box password of "admin". Under the default configuration the router is only accessible from the local lan and not the internet. However, an attacker could set up a web page or send html email to someone inside of the lan to indirectly send commands to the router. An attacker could specify a URL that results in denial of service. The denial of service occurs when long string is sent to the System Log Viewer's "Log_Page_Num" parameter. The router will be unresponsive after the URL is visited when logging is enabled. Proof of Concept: If an attacker can get the admin of the router to view a URL like <http://192.168.1.1/Group.cgi?Log_Page_Num=1111111111&LogClear=0>, the router will become inoperable. The link could be set as the source of an image html tag. Resolution: Linksys released an updated firmware to address this issue. This firmware update is made available by Linksys from <http://www.linksys.com/download/firmware.asp?fwid=172>. Greetings: SkippyInside, AngryB, Harmo, HTMLBCat, and Spyder. Thanks to Linksys for fixing this issue. Disclaimer: Standard disclaimer applies. The opinions expressed in this advisory are our own and not of any company. The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.