[ISN] Linksys routers may be open to remote sniffing

From: InfoSec News (isn@private)
Date: Wed Jun 02 2004 - 01:44:28 PDT


    By Fernando Cassia
    02 June 2004

    Folks at security portal SecuriTeam published on May 17 an exploit
    that could allow hackers and other nasty people to remotely sniff
    traffic passing through the router, and also crash the device. The
    article says it all comes down to a "memory leak", a flaw in
    the way the Linksys routers' DHCP server returns BOOTP protocol
    packets. This exploit is currently listed at position #3 on the
    SecuriTeam.com front page, so expect lots of script kiddies to be
    playing with it as we write (and you read) this.

    The site says: "Instead of returning legitimate BOOTP responses, (the
    linksys units) return BOOTP responses with the BOOTP fields filled in
    with portions of memory. This allows you to do cool things like the
    equivalent of sniffing all the traffic to/from the device". It
    continues: "I have successfully used this technique to steal the admin
    username and password from an innocent third party who recently
    configured the device, and I watched someone's traffic as they browsed
    ebay for a new Ti-Book".

    The exploit code indicates the vulnerability has been tested "on a
    fully updated Linksys BEFSR41 and BEFW11S4", but the author of this
    exploit, who signs his code under the name Jon Hart, hints that all
    other Linksys routers which have a DHCP server could be vulnerable:
    "Currently, this looks to include at least the BEFN2PS4, BEFSR41,
    BEFVP41, WRT55AG, WRV54G, WRT51AB", he writes.

    As the owner and active user of one Linksys BEFSR-41 since mid-2000,
    which is my first line of defense between my home LAN and the
    Interweb, I first checked my unit's current firmware level (1.45.7,
    dated June 2003) and then rushed to the Linksys site, expecting to see
    an updated firmware, given the publication of this exploit over two
    weeks ago. I was shocked when I found that Linksys hasn't even touched
    the BEFSRxx firmware in about a year.

    At the time of writing this, the last firmware on the Linksys web page
    for the very popular BEFSR41 routers is 1.45.7, dated June 2003. I
    remember that Linksys used to update its firmware on a monthly basis,
    sometimes faster, back in the days it was a small company trying to
    beat the big guys.
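    The flaw described above is a server filling the unused parts of a
    BOOTP reply with memory contents. One defensive check a network
    operator can run over captured DHCP replies is to look for bytes in
    regions a correct server leaves zeroed: the space after the NUL
    terminator of the sname and file fields, and the padding after the
    END option. The script below is an added example, not code from the
    article or from SecuriTeam; the two sample replies are constructed
    inline, not real captures.

```python
# Offsets in a BOOTP/DHCP message (RFC 951 / RFC 2131): 236-byte fixed header,
# then the 4-byte magic cookie and the TLV options area.
SNAME_OFF, SNAME_LEN = 44, 64
FILE_OFF, FILE_LEN = 108, 128
OPTIONS_OFF = 236
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def _after_terminator(field: bytes) -> bytes:
    """Bytes following the first NUL of a NUL-terminated text field, with
    zero padding removed. A correct server leaves that region all zeros."""
    end = field.find(b"\x00")
    return b"" if end < 0 else field[end + 1:].strip(b"\x00")

def find_leaks(pkt: bytes) -> list:
    """Return (field, stray_bytes) findings for a BOOTP reply whose unused
    space carries data; an empty list means the reply looks clean."""
    if len(pkt) < OPTIONS_OFF or pkt[0] != 2:          # op=2 is BOOTREPLY
        return [("header", b"not a BOOTP reply")]
    findings = []
    for name, off, ln in (("sname", SNAME_OFF, SNAME_LEN), ("file", FILE_OFF, FILE_LEN)):
        stray = _after_terminator(pkt[off:off + ln])
        if stray:
            findings.append((name, stray))
    opts = pkt[OPTIONS_OFF:]
    if opts[:4] == MAGIC_COOKIE:
        i = 4
        while i < len(opts) and opts[i] != 255:        # walk options to END (255)
            if opts[i] == 0:                            # PAD option has no length
                i += 1
                continue
            if i + 1 >= len(opts):
                break                                   # truncated option
            i += 2 + opts[i + 1]
        if i < len(opts) and opts[i] == 255:
            stray = opts[i + 1:].strip(b"\x00")        # anything after END
            if stray:
                findings.append(("options-tail", stray))
    return findings

# Constructed sample replies (not real captures): a clean one, and one whose
# unused sname space and post-END padding carry leftover data.
def _reply(sname: bytes = b"", fname: bytes = b"", tail: bytes = b"") -> bytes:
    hdr = bytes([2, 1, 6, 0]) + b"\x00" * 40           # op..chaddr, 44 bytes
    return (hdr + sname.ljust(SNAME_LEN, b"\x00") + fname.ljust(FILE_LEN, b"\x00")
            + MAGIC_COOKIE + b"\x35\x01\x05\xff" + tail)  # option 53 = DHCPACK, then END

CLEAN = _reply()
LEAKY = _reply(sname=b"\x00leftover-heap-data", tail=b"\x00\x00GET /index.html")
```

    Feed it the UDP payload of each reply from port 67 on the LAN; a
    non-empty result from a router that should only be handing out leases
    is worth a firmware check.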
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Wed Jun 02 2004 - 04:04:01 PDT