[VulnWatch] SOHO Routefinder 550 VPN, DoS and Buffer Overflow

From: Peter Kruse (kruseat_private)
Date: Tue Mar 11 2003 - 11:24:25 PST

Next message: Peter Kruse: "SOHO Routefinder 550 VPN, DoS and Buffer Overflow"

Previous message: http-equivat_private: "Re: .MHT Buffer Overflow in Internet Explorer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Name:              SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Date:              11th of Marts 2003
Software affected: RF550VPN Firmware v463, v464 beta
                   (prior versions are vulnerable - other models might
be affected as well!)
Advisory:
http://www.krusesecurity.dk/advisories/routefind550bof.txt
Vendor:            http://www.multitech.com
Risk:              Medium/High

Legal Notice:

This Advisory is copyright by Peter Kruse. 
You may distribute this unmodified.

Disclaimer:

The opinions expressed in this advisory are my own and not that of any
company. 
The usual standard disclaimer applies, especially the fact that Peter
Kruse 
or Kruse Security is not liable for any damages caused by direct or
indirect 
use of the information or functionality provided by this advisory or
program.

Vendor Description:

The SOHO RouteFinder is ideal for the small branch office or
telecommuter who needs 
secure access to the corporate LAN. In addition to providing a WAN
Ethernet port 
for DSL or cable broadband Internet access, it also offers both
client-to-LAN and 
LAN-to-LAN VPN connectivity based on the IPSec protocol. It supports up
to 5 IPSec 
tunnels and provides 3DES encryption with 700K bps throughput.

Problem:

The Multitech Routefinder supports login through a webinterface. By
default the
interface is enabled on the LAN side with a default login "admin" and a
blank
password.

The weakness is found in the web software implemented on the router. 
A user on the LAN side is able to initiate a Denial of Service attack
against 
the router and cause it to fail to respond. This would block all
Internet trafic.
More scary the fact that it's possible for a remote hostile attacker to
execute code 
on the box. This is critical since the router is mainly used as a VPN
box for the SOHO
market. In order to attack the box from the outside it would require
that the webinterface 
is enabled on the external side. This would often be done for remote
administration.

Description:

The flaw can be exploited with a GET /OPTIONS parameter. 
By supplying an overlong URL: GET /OPTIONS AAAAA..[Ax10001]..AAAAA.HTML
HTTP/1.1 we can 
break the box. This allows a hostile user to corrupt memory with
attacker-supplied data.

When the box receives the overlong URL it will reboot.

Solution:

Multitech has released new firmware that fixes this issue. 

The firmware can be downloaded from this URL:
http://www.multitech.com/SUPPORT/SOHO_VPN/firmware.asp
(Please note that the firmaware that fixes this issue is still named v
4.63.

Log:
12.2.2003: Vendor contacted at (sales,support,securityat_private)
17.2.2003: Vendor contacted - reminder
19.2.2003: Reply - working to reproduce the problem
28.2.2003: Proof of concept code supplied in order to reproduce problem
7.3.2003:  New firmware released - Tested and confirmed to fix the
problem
11.3.2003:  Official release of this advisory

This advisory can be found online on my homepage:
http://www.krusesecurity.dk/advisories/routefind550bof.txt

Kind regards

Peter Kruse
Security Consultant
Kruse Security
http://www.krusesecurity.dk

Next message: Peter Kruse: "SOHO Routefinder 550 VPN, DoS and Buffer Overflow"
Previous message: http-equivat_private: "Re: .MHT Buffer Overflow in Internet Explorer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 12:09:41 PST