LG Electronics LG3001f router

From: Bromirski, Lukasz (LBromirskiat_private)
Date: Wed Aug 21 2002 - 02:10:33 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Issue: ----------------------------------------------------------------|
    
     LG Electronics LR3001f is a WAN router. It ships with no access
     lists defined, which allows an administrator to connect to both
     port 23/tcp (telnet) and port 80/tcp (www server). However, the IP
     stack of the LR3001f has several bugs that can be exploited over
     the network.
    
    Description: ----------------------------------------------------------|
    
     When configured without access lists protecting ports 23 and/or 80,
     the LR3001f is vulnerable to at least two bugs, both resulting from
     buffer overflows in the memory allocation functions.
       
     The first is exploitable without any access to a user account on
     the router; the only thing needed is access to port 23/tcp or
     80/tcp. If the router is sent a data stream (of any characters;
     both randomized and text-only input was used during testing)
     targeted at one of these ports, it reboots with one of the
     following messages:
       
     Router# [BUFFER] Unknown free 0xffffffff
     Router# can't malloc
    
     or
    
     Router# [BUFFER] ERROR free not in use
     Router# can't malloc
    
     The second bug is directly in the telnet service, in its password
     checking. The same random data stream technique is used, but a few
     ENTER characters have to be sent first to get past the router's
     initial prompt, which waits for that key to be pressed. In this
     case the router reboots with no message.
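The mitigation the advisory points at is restricting who can reach 23/tcp and 80/tcp at all, since both bugs need nothing more than a TCP connection to a management port. The following is an added example, not part of the original advisory and not LG code: a small Python audit over constructed flow records that applies the same policy an access list would (management ports reachable only from trusted administrator hosts) and additionally flags management sessions whose client-to-router byte count is far larger than an interactive login or a normal HTTP request. The router address, admin subnet, record format, and the byte threshold are all assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# All values below are hypothetical; the advisory gives no addresses.
ROUTER_IP = "192.0.2.1"                                 # assumed router address
ADMIN_NETS = [ipaddress.ip_network("192.0.2.0/28")]     # assumed trusted admin hosts
MGMT_PORTS = {23, 80}                                   # telnet and www, as in the advisory
# Client->router bytes above which a management session looks like a
# data stream rather than an interactive login or a small HTTP request.
BYTES_THRESHOLD = 4096                                  # assumed tuning value


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    bytes_in: int   # bytes sent by the client toward the destination


def parse_flow(line: str) -> Flow:
    """Parse one 'src dst dport bytes' record (a constructed format)."""
    src, dst, dport, nbytes = line.split()
    return Flow(src, dst, int(dport), int(nbytes))


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for a flow that should not reach the router's
    management ports, or None when the flow is acceptable."""
    if flow.dst != ROUTER_IP or flow.dport not in MGMT_PORTS:
        return None                      # not management-plane traffic to this router
    src = ipaddress.ip_address(flow.src)
    if not any(src in net for net in ADMIN_NETS):
        # This is exactly what an access list on ports 23/80 would block.
        return f"management port {flow.dport} reached from untrusted {flow.src}"
    if flow.bytes_in > BYTES_THRESHOLD:
        # Trusted source, but far more input than a login session should carry.
        return f"oversized stream ({flow.bytes_in} B) to port {flow.dport} from {flow.src}"
    return None


def audit(lines: List[str]) -> List[str]:
    """Run classify() over record lines, skipping blanks and comments."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        finding = classify(parse_flow(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample records: two normal admin sessions, one telnet
# connection from outside the admin subnet, one oversized HTTP stream
# from an admin host, and one flow to a different host entirely.
SAMPLE_FLOWS = """\
# src dst dport bytes   (constructed)
192.0.2.5 192.0.2.1 23 312
192.0.2.5 192.0.2.1 80 940
198.51.100.7 192.0.2.1 23 51200
192.0.2.9 192.0.2.1 80 262144
198.51.100.7 192.0.2.50 80 500
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS.splitlines()):
        print(finding)
```

On the sample data the audit reports two findings: the telnet connection from 198.51.100.7 (outside the assumed admin subnet) and the 262144-byte HTTP stream from 192.0.2.9. The first class is what an access list on ports 23 and 80 prevents outright; the second is worth alerting on even from trusted hosts, since 4.57 still reboots on the telnet data stream according to the advisory.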
    
    Vulnerable versions: --------------------------------------------------|
    
     All software versions up to and including 4.0 are vulnerable to both
     types of attack.
       
     Version 4.57, downloadable from the vendor website, is vulnerable to
     the second type of attack but not to the first.
       
     The vendor representative was informed about the vulnerabilities on
     2002-04-18. LG did not respond in any way and has not released any
     fixed or new software version.
    
    Info on this advisory: ------------------------------------------------|
    
     This advisory can be accessed on-line at my personal site:
     http://mr0vka.eu.org/docs/advisories/lg-3001f-2002-04-18.txt
       
     My personal PGP key fingerprint is:
     5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49
     My personal PGP key is located at:
     http://mr0vka.eu.org/pgp.asc
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (FreeBSD)
    
    iD8DBQE9Y1PDYqhjwgk7bEkRAphSAKDSip0f/1KhFKueNzGsyl5DcGaLSQCdF7LB
    7+JjSjDOvMRTUt8uvtW9A80=
    =AJQc
    -----END PGP SIGNATURE----- 
    
    -- 
    Łukasz Bromirski                    lbromirski[at]mr0vka.eu.org
    PGP key http://mr0vka.eu.org/pgp.asc       http://mr0vka.eu.org
    PGP finger   5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49
    



    This archive was generated by hypermail 2b30 : Wed Aug 21 2002 - 08:41:45 PDT