Multi-Tech's SOHO RouteFinder 550 VPN Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1006267|
SecurityTracker URL: http://securitytracker.com/id/1006267
(Links to External Site)
Date: Mar 11 2003
Denial of service via network, Root access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Several vulnerabilities were reported in the Multi-Tech SOHO RouteFinder 550 VPN gateway device. A remote user on the local area network (LAN) can execute arbitrary code on the system and can deny service to other router users.|
Kruse Security reported that a remote user on the LAN-side interface can cause the router to stop responding to traffic by supplying a long HTTP GET OPTIONS request:
GET /OPTIONS AAAAA..[Ax10001]..AAAAA.HTML HTTP/1.1
This will reportedly cause the router to reboot. By supplying this type of request repeatedly, prolonged denial of service conditions can be achieved.
A remote user can also execute code on the device by specially crafting the request, according to the report.
These vulnerabilities can only be exploited from the external interface only if remote management has been enabled.
It is also reported that the default configuration of the device is to enable web-based management on the LAN-side interface with a default username of "admin" and a blank password.
A remote user on the LAN-side interface can cause the router to crash and then reboot or can cause the router to execute arbitrary code. A remote user on the LAN-side interface can also gain administrative access to the router in the default configuration if the administrator password has not been set.|
The vendor has reportedly released a fixed version of the firmware (it apparently is also named version 4.63, which is the same number as one of the affected versions). The fix is available at:|
Vendor URL: www.multitech.com/PRODUCTS/SOHO_VPN/ (Links to External Site)
Source Message Contents
Subject: [Full-Disclosure] SOHO Routefinder 550 VPN, DoS and Buffer Overflow|
Name: SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Date: 11th of Marts 2003
Software affected: RF550VPN Firmware v463, v464 beta
(prior versions are vulnerable - other models might
be affected as well!)
This Advisory is copyright by Peter Kruse.
You may distribute this unmodified.
The opinions expressed in this advisory are my own and not that of any
The usual standard disclaimer applies, especially the fact that Peter
or Kruse Security is not liable for any damages caused by direct or
use of the information or functionality provided by this advisory or
The SOHO RouteFinder is ideal for the small branch office or
telecommuter who needs
secure access to the corporate LAN. In addition to providing a WAN
for DSL or cable broadband Internet access, it also offers both
LAN-to-LAN VPN connectivity based on the IPSec protocol. It supports up
to 5 IPSec
tunnels and provides 3DES encryption with 700K bps throughput.
The Multitech Routefinder supports login through a webinterface. By
interface is enabled on the LAN side with a default login "admin" and a
The weakness is found in the web software implemented on the router.
A user on the LAN side is able to initiate a Denial of Service attack
the router and cause it to fail to respond. This would block all
More scary the fact that it's possible for a remote hostile attacker to
on the box. This is critical since the router is mainly used as a VPN
box for the SOHO
market. In order to attack the box from the outside it would require
that the webinterface
is enabled on the external side. This would often be done for remote
The flaw can be exploited with a GET /OPTIONS parameter.
By supplying an overlong URL: GET /OPTIONS AAAAA..[Ax10001]..AAAAA.HTML
HTTP/1.1 we can
break the box. This allows a hostile user to corrupt memory with
When the box receives the overlong URL it will reboot.
Multitech has released new firmware that fixes this issue.
The firmware can be downloaded from this URL:
(Please note that the firmaware that fixes this issue is still named v
12.2.2003: Vendor contacted at (sales,support,email@example.com)
17.2.2003: Vendor contacted - reminder
19.2.2003: Reply - working to reproduce the problem
28.2.2003: Proof of concept code supplied in order to reproduce problem
7.3.2003: New firmware released - Tested and confirmed to fix the
11.3.2003: Official release of this advisory
This advisory can be found online on my homepage:
Full-Disclosure - We believe in it.