SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   XAVi Router
Vendors:   XAVi Technologies
XAVi X7028r Wireless ADSL Router Can Be Rebooted By Remote Users
SecurityTracker Alert ID:  1007275
SecurityTracker URL:  http://securitytracker.com/id/1007275
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 23 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): X7028r
Description:   A denial of service vulnerability was reported in the XAVi X7028r Wireless ADSL Router. A remote user on the local network can cause the device to crash and reboot.

David Madrid reported that a remote user on the internal network can send a specially crafted HTTP request to the router's Universal Plug and Play port (on tcp/280) to cause the device to reboot.

A demonstration exploit command is provided:

perl -e 'print "GET /"."A"x1008;print "\nHost:192.168.1.1:280\n\n\n\n\n"' | netcat -v -n 192.168.1.1 80

It is reported that HTTP GET, HEAD, and TRACE commands of varying lengths can be used to trigger the flaw.

Impact:   A remote user on the internal network can cause the device to reboot.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.xavi.com.tw/Products/ADSL-7028r.htm
Cause:   Boundary error

Message History:   None.
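
The cause listed above is a boundary error: the length of the URL in the HTTP request is not checked. The C sketch below is an added example, not code from the advisory or from the XAVi firmware; it shows a request-line parser that checks every length before copying and answers 414 for an over-long URL. The names parse_request_line and struct request and the MAX_METHOD / MAX_URI limits are assumptions, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_METHOD 8    /* assumed limit; fits "TRACE" plus NUL */
#define MAX_URI    256  /* assumed limit for this sketch, not a vendor value */

struct request { char method[MAX_METHOD]; char uri[MAX_URI]; };

/* Parse one request line (no trailing LF) of `len` bytes into fixed buffers.
 * Returns an HTTP status: 200 parsed, 400 malformed, 414 URI too long.
 * Every length is checked before any byte is copied. */
int parse_request_line(const char *line, size_t len, struct request *req)
{
    const char *sp = memchr(line, ' ', len);
    if (sp == NULL)
        return 400;
    size_t mlen = (size_t)(sp - line);
    if (mlen == 0 || mlen >= sizeof req->method)
        return 400;

    const char *uri = sp + 1;
    size_t rest = len - mlen - 1;
    /* The URI ends at the next space (before "HTTP/1.x") or at end of line. */
    const char *end = memchr(uri, ' ', rest);
    size_t ulen = end ? (size_t)(end - uri) : rest;
    if (ulen > 0 && uri[ulen - 1] == '\r')
        ulen--;                      /* tolerate CRLF line endings */
    if (ulen == 0 || uri[0] != '/')
        return 400;
    if (ulen >= sizeof req->uri)
        return 414;                  /* reject instead of overrunning the buffer */
    memcpy(req->method, line, mlen);
    req->method[mlen] = '\0';
    memcpy(req->uri, uri, ulen);
    req->uri[ulen] = '\0';
    return 200;
}

int main(void)
{
    struct request r;
    char big[5 + 1008];              /* constructed: request line with an over-long URI */
    memcpy(big, "GET /", 5);
    memset(big + 5, 'A', 1008);
    const char ok[] = "GET /index.html HTTP/1.1";  /* constructed sample */
    printf("%d\n", parse_request_line(ok, strlen(ok), &r));
    printf("%d\n", parse_request_line(big, sizeof big, &r));
    return 0;
}
```

The same length check applies to GET, HEAD and TRACE, since the method is parsed separately from the URL.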


 Source Message Contents

Subject:  [Full-Disclosure] Denial of service in XAVI X7028r DSL Wireless router



Product affected : Xavi X7028r DSL router

Description :

Telefonica offers to his clients in Spain and South America the possibility
of installing with his ADSL service a wireless router developed by XAVI .

This router is Universal Plug and Play capable and when it receives a
UPNP M-SEARCH request it answers offering an URL on his tcp port 280
with its characteristics and xml pages to interact with the device .
As the length of the URL parameter is not checked in the HTTP request ,
sending GET , HEAD or TRACE requests with different lengths cause
a reboot on the router . PPP connection keeps active , but you will
have to disconnect and reconnect to use the connection again .

This can be used by a LAN user to cause a DOS . A remote user can
exploit this with a bit of interaction from a X7028r user ( clicking
on a link in a website vulnerable to XSS or visiting a webpage
can be enough as you can always access the upnp interface with
192.168.1.1 IP address , at least in the default installation
from Telefonica ) .

Exploit

perl -e 'print "GET /"."A"x1008;print "\nHost:192.168.1.1:280\n\n\n\n\n"'
| netcat -v -n 192.168.1.1 80

You can read this advisory in Spanish in

http://nautopia.coolfreepages.com/vulnerabilidades/vul_xavi_7028r.htm


Regards ,

David F. Madrid ,
Madrid , Spain



Copyright 2021, SecurityGlobal.net LLC