
List:       bugtraq
Subject:    Linksys BEFSR41 DHCP vulnerability server leaks network data
From:       Lance Armstrong <mishlai () hotmail ! com>
Date:       2004-06-07 10:43:03
Message-ID: 20040607104303.26120.qmail () www ! securityfocus ! com



On May 2nd 2004 I sent an email (detailed below) to Linksys concerning this vulnerability.  Linksys has posted the vulnerability and a fix for the Revision 3 router since then here:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li=


Upgrades for Revs 1 & 2 are promised soon.

More details are included in the email:
************************
Linksys,

I believe I have found a vulnerability in your BEFSR41 router.  

The vulnerability involves a buffer leakage in the DHCP service. As a result, data that has recently passed through the router can be compromised by an attacker on the LAN.

This vulnerability was tested with firmware version 1.45.7.

Conditions required to exploit the vulnerability:
1) An attacking host on the LAN side of the router that can broadcast DHCP-INFORM packets to the LAN.
2) A sniffer on the attacking host to record the router's response packets.
3) Data has recently passed between the LAN and WAN sides of the router.
4) DHCP is enabled on the router.

Details
I used a Windows 2000 DHCP server to create the DHCP-INFORM packets.  The server broadcasts the DHCP-INFORM message once an hour, or when the service is restarted.  These packets must be broadcast to the LAN side of the router.

If DHCP is enabled on the Router, it will respond to each broadcast with a packet containing leaked buffer data.  The response is sent directly to the IP address of the attacking host.  Approximately 488 bytes of the 590 byte response comes from the router's buffer, providing easily recognizable fragments of recently viewed web pages, etc.

Effects of the vulnerability:
Data that has passed through the router recently can be compromised by an attacker with access to the LAN.  This can include email sent or received, web pages viewed, and passwords (cleartext or weakly encrypted) that have been used by a LAN client to access a WAN resource or vice versa.

Interesting notes about the vulnerability that make it more difficult to detect an attacker.
- The attack does not rely on traditional methods to overcome switched networks. 

- The attacking host does not need to place its NIC in promiscuous mode.  

- It is also possible to craft DHCP-INFORM packets that are not broadcast, but directed at the router's address.

- This vulnerability also makes it possible to view data that was passed through the router at some time in the past, making it unnecessary to capture the traffic when it actually occurs.  This makes the physical aspect of security more difficult.  The victim and the attacker do not have to be on the LAN at the same time.

Here is an example of that last point:
1) A LAN user is visiting a website that requires HTTP-BASIC authentication, logs in, reads a few pages, and then closes the web browser.

2) At some point in the future, the attacker begins making DHCP-INFORM broadcasts from the LAN and collecting the buffer leakage that results.

3) Among the leaked data is the base64 encoded authorization that was used to access the HTTP-BASIC authenticated website.  The user's password has now been compromised.

Mitigating Factors

- The attacker must be on the LAN. 

- Only data which is still in the buffer can be compromised.  This limits the vulnerable data to the last few most recently visited web pages or a similar amount of data.

- Passing "unimportant" data through the router will flush the buffer and prevent the compromise of more important data.

- Cycling power to the router will clear the buffer.

- The DHCP service can be disabled on the router, removing the vulnerability entirely.

Moving Forward

It is my intention to post this vulnerability on Bugtraq in 1 month.  However, I want to give Linksys every opportunity to prepare a fix for this vulnerability before it is made public.  If more than 1 month will be required to resolve this issue, please let me know and I will work with you.

I hope I have not left out any important details.  Please do not hesitate to contact me if you have any questions, and I wish you the best of luck in finding a solution.  Capture files of the vulnerability being exploited are available to you if you need them.

Sincerely,

Lance Armstrong
********************

The response I received from Linksys on 5/3/2004 led me to believe that I was the first to bring this to their attention, but the Linksys posting did not credit anyone specifically with finding the vulnerability.
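A defender-side check for the symptom described above (DHCP replies carrying stale buffer contents), added here as an example and not part of the original post or of any Linksys code. It assumes the leaked bytes land in the options area after the END option, where RFC 2131 expects only zero padding; the sample reply is constructed, not a real capture.

```python
# Added example: flag DHCP server replies whose bytes after the END option (255)
# are not zero padding. A router copying stale buffer data into its response,
# as the advisory describes, would surface here as printable traffic fragments.
# Assumption (not from the post): leaked data sits after END in the options area.
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
DHCP_TYPES = {2: "OFFER", 5: "ACK", 8: "INFORM"}  # option 53 values used here

def parse_dhcp(payload: bytes):
    """Return (message type, options dict, raw bytes that follow END)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i, trailing = {}, 240, b""
    while i < len(payload):
        tag = payload[i]
        if tag == 0:                      # PAD option, no length byte
            i += 1
            continue
        if tag == 255:                    # END: only zero padding may follow
            trailing = payload[i + 1:]
            break
        if i + 1 >= len(payload):         # truncated option header
            break
        length = payload[i + 1]
        opts[tag] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = DHCP_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")
    return mtype, opts, trailing

def printable_fragments(data: bytes, min_len: int = 6):
    """Pull out runs of printable ASCII, the way `strings` would."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":              # sentinel flushes the last run
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode())
        cur = bytearray()
    return runs

def suspicious_reply(payload: bytes):
    """(type, fragments): non-empty fragments mean non-padding data after END."""
    mtype, _, trailing = parse_dhcp(payload)
    leaked = trailing if trailing.strip(b"\x00") else b""
    return mtype, printable_fragments(leaked)

def build_reply(after_end: bytes) -> bytes:
    """Constructed DHCP ACK (op=2) with `after_end` appended past END."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, b"\xc0\xa8\x01\x64", b"\xc0\xa8\x01\x01",
                      b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"\x35\x01\x05" + b"\xff" + after_end
```

Run it against replies captured from the LAN side; a well-behaved server produces an empty fragment list, while one that echoes recent traffic produces recognisable HTTP headers.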

