Linksys router vulnerability

From: Seth Bromberger (sbbugtraq1102at_private)
Date: Mon Nov 18 2002 - 14:00:14 PST

Next message: Aviram Jenik: "TFTPD32 Directory Traversal Vulnerability"

Previous message: Liu Die Yu: "(MSIE) when parent gives his son bad things ;) --"dialogArguments " again"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

SUMMARY:
Linksys products running affected firmware versions
are susceptible to a bug that allows unauthenticated
access to the management interface.  This bug affects
both local and remote management (if enabled).

AFFECTED PRODUCTS (per Linksys support):
BEFSR41, BEFSR11, BEFSRU31:
  firmware versions from 1.41 through 1.43
BEFW11S4:
  firmware versions from 1.42.7 through 1.43.

IMPACT:
Users on the protected ("local") network can gain
administrative access to the Linksys router and may
view/alter configuration data.  If remote management
is enabled, users on the unprotected ("wide-area")
network may gain similar access.

Note that for the BEFW11S4, the "local" network
includes all devices able to associate with the access
point.

RESOLUTION:
Linksys has released firmware version 1.43.3 that
resolves this issue on the tested equipment (BEFSR41).
 It is assumed that the problem is resolved with this
firmware version on all affected products.

DETAIL:
It appears that the Linksys HTTP management interface
does not handle cases where the client sends specific
XML-related data during the initial content
negotiation ("XML related entries in the mailcap
file").

VERIFICATION/TEST SETUP:
Test setup included the following hardware/software:
- BEFSR41 firewall/router with firmware version 1.43
- lynx browser version 2.8.4rel.1 (17 Jul 2001)
- ~/.mailcap with the following line:
application/foo.xml;

Using lynx with the above mailcap, connect to the
management interface (remote interface listens on port
8080 when enabled).  Affected versions will display
the setup screen without requiring the user to enter a
password.  (Note: mailcap is generally installed as
~/.mailcap).  Navigation to other screens is possible,
though some "accept" buttons might not render if the
browser used is unable to process javascript.

TIMELINE:
Linksys was notified of this bug on 11 November 2002. 
The bug was confirmed on 12 November 2002.  A beta
firmware update was tested on 15 November 2002; the
new firmware (1.43.3, 11/15/2002) is now available on
the Linksys web site.

THANKS:
Andreas Bang and Jay Price at Linksys were
instrumental in determining the scope of this problem,
and provided prompt, detailed feedback.



__________________________________________________
Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site
http://webhosting.yahoo.com

Next message: Aviram Jenik: "TFTPD32 Directory Traversal Vulnerability"
Previous message: Liu Die Yu: "(MSIE) when parent gives his son bad things ;) --"dialogArguments " again"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Nov 20 2002 - 00:24:48 PST