SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Router/Bridge/Hub)  >   U.S. Robotics Router Vendors:   U.S. Robotics
U.S. Robotics Wireless Router Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1010839
SecurityTracker URL:  http://securitytracker.com/id/1010839
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 2 2004
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): USR 808054; Firmware 1.21h
Description:   A denial of service vulnerability was reported in a U.S. Robotics wireless router (model 808054). A remote user can cause the router to crash and may be able to execute arbitrary code on the router.

Albert Puigsech Galicia reported that a remote user can connect to the router's web administration port and issue a specially crafted HTTP GET request to trigger an overflow and cause the device to crash.

A demonstration exploit command is provided:

bash ~ $ perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

A remote user may be able to cause arbitrary code to be executed [but code execution was not confirmed in the report].

The vendor was reportedly notified on July 19, 2004.

Impact:   A remote user can cause the router to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.usr.com/products/networking/router-product.asp?sku=USR8054 (Links to External Site)
Cause:   Boundary error

Message History:   None.


 Source Message Contents

Subject:  7a69Adv#13 - USRobotics AP Wireless Denial of Service


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ------------------------------------------------------------------
- ------------------------------------------------------------------
- ------------------------------------------------------------------

Title:                  USRobotics AP Wireless Denial of Service

Author:              Albert Puigsech Galicia - <ripe@7a69ezine.org>

Software:           Embedded HTTP server

Versions:           1.21h

Remote:             yes

Exploit:              yes

Severity:            High

- ------------------------------------------------------------------



I. Introduction

	USRobotics is an important company that build lot of network devices, like 
modems, wireless cards or wireless access points. It builds also Robots (as 
you can see on "I, Robot" film). To get more information about this company 
you can visit the official website at http://www.usrobotics.com.



II. Description
	
	The USR808054 wireless access point may be administered using HTTP protocol, 
so the firmwire includes a little HTTP server. The last version of this 
server has a critical buffer overflow that allow malicious users on the 
network to produce a denial of service or the execution of arbitrary code.


III. Exploit

	A buffer overflow appears on HTTP version string in GET request. You can do 
the request without administrator password, so all users on the network 
allowed to connect to http port (all by default) can exploit this issue. 

	This is a exploit code using perl:

	bash ~ $ perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

	It crashes down the access point and disconnect all wireless users to the 
network. May be also posible (with knowledge about the architecture used by 
USRobotics) to exploit the vulnerability to execute arbitrary code and get 
total control to the device.


IV. Patch

	Not yet.


V. Timeline

19/07/2004 - Notified to spain_modemsupport@usr.com
                 - No reply


VI. Extra data

	I have only tested this vulnerability on my USR808054, but other USR products 
may be also affected.




- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia

http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
del material contenido en este e-mail queda prohibida.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBDcyYiLW5f5WBvGcRAmQAAJ95CHJnT1AKiQ/mq6lXhJbGspIdNwCdEC+b
agHJzXOTEyiGwq+8+y5zzOg=
=6YBo
-----END PGP SIGNATURE-----

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC