Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Device (Router/Bridge/Hub)  >   SOHO RouteFinder Vendors:   Multi-Tech Systems
Multi-Tech's SOHO RouteFinder 550 VPN Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006267
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 11 2003
Impact:   Denial of service via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): RF550VPN
Description:   Several vulnerabilities were reported in the Multi-Tech SOHO RouteFinder 550 VPN gateway device. A remote user on the local area network (LAN) can execute arbitrary code on the system and can deny service to other router users.

Kruse Security reported that a remote user on the LAN-side interface can cause the router to stop responding to traffic by supplying a long HTTP GET OPTIONS request:


This will reportedly cause the router to reboot. By supplying this type of request repeatedly, prolonged denial of service conditions can be achieved.

A remote user can also execute code on the device by specially crafting the request, according to the report.

These vulnerabilities can only be exploited from the external interface only if remote management has been enabled.

It is also reported that the default configuration of the device is to enable web-based management on the LAN-side interface with a default username of "admin" and a blank password.

Impact:   A remote user on the LAN-side interface can cause the router to crash and then reboot or can cause the router to execute arbitrary code. A remote user on the LAN-side interface can also gain administrative access to the router in the default configuration if the administrator password has not been set.
Solution:   The vendor has reportedly released a fixed version of the firmware (it apparently is also named version 4.63, which is the same number as one of the affected versions). The fix is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error

Message History:   None.

 Source Message Contents

Subject:  [Full-Disclosure] SOHO Routefinder 550 VPN, DoS and Buffer Overflow

Name:              SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Date:              11th of Marts 2003
Software affected: RF550VPN Firmware v463, v464 beta
                   (prior versions are vulnerable - other models might
be affected as well!)
Risk:              Medium/High

Legal Notice:

This Advisory is copyright by Peter Kruse. 
You may distribute this unmodified.


The opinions expressed in this advisory are my own and not that of any
The usual standard disclaimer applies, especially the fact that Peter
or Kruse Security is not liable for any damages caused by direct or
use of the information or functionality provided by this advisory or

Vendor Description:

The SOHO RouteFinder is ideal for the small branch office or
telecommuter who needs 
secure access to the corporate LAN. In addition to providing a WAN
Ethernet port 
for DSL or cable broadband Internet access, it also offers both
client-to-LAN and 
LAN-to-LAN VPN connectivity based on the IPSec protocol. It supports up
to 5 IPSec 
tunnels and provides 3DES encryption with 700K bps throughput.


The Multitech Routefinder supports login through a webinterface. By
default the
interface is enabled on the LAN side with a default login "admin" and a

The weakness is found in the web software implemented on the router. 
A user on the LAN side is able to initiate a Denial of Service attack
the router and cause it to fail to respond. This would block all
Internet trafic.
More scary the fact that it's possible for a remote hostile attacker to
execute code 
on the box. This is critical since the router is mainly used as a VPN
box for the SOHO
market. In order to attack the box from the outside it would require
that the webinterface 
is enabled on the external side. This would often be done for remote


The flaw can be exploited with a GET /OPTIONS parameter. 
By supplying an overlong URL: GET /OPTIONS AAAAA..[Ax10001]..AAAAA.HTML
HTTP/1.1 we can 
break the box. This allows a hostile user to corrupt memory with
attacker-supplied data.

When the box receives the overlong URL it will reboot.


Multitech has released new firmware that fixes this issue. 

The firmware can be downloaded from this URL:
(Please note that the firmaware that fixes this issue is still named v

12.2.2003: Vendor contacted at (sales,support,
17.2.2003: Vendor contacted - reminder
19.2.2003: Reply - working to reproduce the problem
28.2.2003: Proof of concept code supplied in order to reproduce problem
7.3.2003:  New firmware released - Tested and confirmed to fix the
11.3.2003:  Official release of this advisory

This advisory can be found online on my homepage:

Kind regards

Peter Kruse
Security Consultant
Kruse Security

Full-Disclosure - We believe in it.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC