Linksys WRT54G Router Administration Interface Bugs Let Remote Users Modify the Configuration, Execute Arbitrary Code, or Deny Service
|
|
SecurityTracker Alert ID: 1014894 |
|
SecurityTracker URL: http://securitytracker.com/id/1014894
|
|
CVE Reference:
CAN-2005-2799
(Links to External Site)
|
Updated: Sep 13 2005
|
Original Entry Date: Sep 13 2005
|
Impact:
Denial of service via network, Execution of arbitrary code via network, Modification of system information, Root access via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): Model WRT54G; firmware prior to 4.20.7
|
Description:
A vulnerability was reported in Linksys WRT54G Router. A remote user can change the device configuration or execute arbitrary code on the target device. A remote user can also deny servie to the management interface.
The 'ezconfig.asp' script does not properly authenticate user-supplied requests. In certain cases where no authentication has occured on the device since the last reboot, a remote user that can determine an encryption key used by the device can upload a new configuration to the target device.
The 'apply.cgi' script contains a buffer overflow [CVE: CAN-2005-2799]. A remote user can send a specially crafted POST request with more than 10000 bytes to trigger the overflow and cause the device to crash and reboot or to execute arbitrary code on the target system.
The 'restore.cgi' script does not properly authenticate user-supplied POST requests until after the request is processed. A remote user can exploit this to upload a new configuration to non-volatile memory on the target device. The new configuration will be loaded the next time the device reboots as long as no newer configuration modifications are made.
The 'upgrade.cgi' script is affected by the same authentication flaw.
Several scripts do not properly process user-supplied POST requests submitted to the management interface. A remote user can send a specially crafted request with a Content-Length header set to a negative value to cause the target web service to take a long time to process the request, potentially causing denial of service conditions on the web service.
The vendor was notified of one vulnerability on June 5, 2005, two of the vulnerabilities on June 7, 2005, and three of the vulnerabilities on July 5, 2005.
Greg MacManus of iDEFENSE Labs discovered two of these vulnerabilities.
The original advisories are available at:
http://www.idefense.com/application/poi/display?id=304&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=305&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=306&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=307&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=308&type=vulnerabilities
|
Impact:
A remote user can change the configuration on the target device.
A remote user can execute arbitrary code on the target device.
A remote user can cause denial of service conditions on the management interface.
|
Solution:
The vendor has issued a fixed version (4.20.7) to address the 'restore.cgi' and 'upgrade.cgi' authentication flaws and the 'apply.cgi' buffer overflow.
[Editor's note: It is not clear if the fix also applies to the 'ezconfig.asp' vulnerability and the denial of service vulnerability, as the vendor link provided in the report was not functioning at the time of this entry and the report was unclear.]
|
Vendor URL: www.linksys.com/ (Links to External Site)
|
Cause:
Authentication error, Boundary error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 13 Sep 2005 17:04:43 -0400
Subject: Linksys Router vulnerabilities
|
http://www.idefense.com/application/poi/display?id=304&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=305&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=306&type=vulnerabilities
|
|
