LG Electronics LG3100p router

From: Lukasz Bromirski (lbromirskiat_private)
Date: Thu Aug 22 2002 - 01:19:04 PDT

Next message: Auriemma Luigi: "Abyss 1.0.3 directory traversal and administration bugs"

Previous message: Steffen Dettmer: "Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Issue: ----------------------------------------------------------------|

 LG Electronics LR3100p is a small WAN router, with two WAN interfaces
 and one Ethernet. It comes with no access lists defined, which enables
 administrator to connect to port 23/tcp (telnet). However, IP stack of
 LR3100p has several bugs, that can be exploited via network.

Description: ----------------------------------------------------------|

 When configured without access lists protecting port 23, the LR3100p is
 vulnerable to at least three (3) bugs, resulting from memory allocation
 function buffer overflows.

 (1)
 First is exploitable without any access to user account at the router.
 Only thing needed is access to port 23/tcp. If the router is attacked
 with data stream (can be any characters, both randomized and text-only
 input was used during testing) coming to that port it will reboot,
 usually with no message.

 (2)
 Second bug is applicable only to software revisions up to and including
 1.30. Few packets generated via simple scanning (for example nmap with
 `-O' option) can result in reboot of the router with following message:

 Exception 1400 at IP 12afc4

 (3)
 Third bug is directly in the telnet service, when checking passwords.
 The same technique with random data stream is used, however few ENTER
 characters should be sent at first, to overcome router primary prompt
 waiting for that key to be pressed. The stream length was measured to
 be about 40kB. Also in this case, router reboots with no message.

Vulnerable versions: --------------------------------------------------|

 Versions up to and including 1.30 are vulnerable to all bugs mentioned.
 Release 1.50 is vulnerable only to first and third bug. The vendor
 representative was informed about the vulnerabilities on 2002-04-18,
 and LG has recently released `fixed' release 1.52 which, however,
 is still vulnerable to first and third bug. This was signalled but
 with no response.

Info on this advisory: ------------------------------------------------|

 This advisory can be accessed on-line at my personal site:
 http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.txt

 My personal PGP key fingerprint is:
 5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49
 My personal PGP key is located at:
 http://mr0vka.eu.org/pgp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9Y1PiYqhjwgk7bEkRApWcAJ4kYv9uQcaFsqtoyKyopvMXAvMUXQCgyTWH
cl5IBM6E9JFpj6WoSggy+uE=
=1kQa
-----END PGP SIGNATURE-----

-- 
Łukasz Bromirski                    lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc       http://mr0vka.eu.org
PGP finger   5C3B 723F A1FA A2BA E57A  E959 62A8 63C2 093B 6C49

Next message: Auriemma Luigi: "Abyss 1.0.3 directory traversal and administration bugs"
Previous message: Steffen Dettmer: "Re: @(#)Mordred Labs advisory 0x0003: Buffer overflow in PostgreSQL"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Aug 22 2002 - 11:53:21 PDT