List: bugtraq
Subject: Linksys BEFSR41 DHCP vulnerability server leaks network data
From: Lance Armstrong <mishlai () hotmail ! com>
Date: 2004-06-07 10:43:03
Message-ID: 20040607104303.26120.qmail () www ! securityfocus ! com
On May 2nd 2004 I sent an email (detailed below) to Linksys concerning this vulnerability. Linksys has posted the vulnerability and a fix for the Revision 3 router since then here:
http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li=
Upgrades for Revs 1 & 2 are promised soon.
More details are included in the email:
************************
Linksys,
I believe I have found a vulnerability in your BEFSR41 router.
The vulnerability involves a buffer leakage in the DHCP service. As a result, data that has recently passed through the router can be compromised by an attacker on the LAN.
This vulnerability was tested with firmware version 1.45.7.
Conditions required to exploit the vulnerability:
1) An attacking host on the LAN side of the router that can broadcast DHCP-INFORM packets to the LAN.
2) A sniffer on the attacking host to record the router's response packets.
3) Data has recently passed between the LAN and WAN sides of the router.
4) DHCP is enabled on the router.
Details
I used a Windows 2000 DHCP server to create the DHCP-INFORM packets. The server broadcasts the DHCP-INFORM message once an hour, or when the service is restarted. These packets must be broadcast to the LAN side of the router.
If DHCP is enabled on the router, it will respond to each broadcast with a packet containing leaked buffer data. The response is sent directly to the IP address of the attacking host. Approximately 488 bytes of the 590-byte response come from the router's buffer, providing easily recognizable fragments of recently viewed web pages, etc.
Effects of the vulnerability:
Data that has passed through the router recently can be compromised by an attacker with access to the LAN. This can include email sent or received, web pages viewed, and passwords (cleartext or weakly encrypted) that have been used by a LAN client to access a WAN resource or vice versa.
Interesting notes about the vulnerability that make it more difficult to detect an attacker:
- The attack does not rely on traditional methods to overcome switched networks.
- The attacking host does not need to place its NIC in promiscuous mode.
- It is also possible to craft DHCP-INFORM packets that are not broadcast, but directed at the router's address.
- This vulnerability also makes it possible to view data that was passed through the router at some time in the past, making it unnecessary to capture the traffic when it actually occurs. This makes the physical aspect of security more difficult. The victim and the attacker do not have to be on the LAN at the same time.
Here is an example of that last point:
1) A LAN user is visiting a website that requires HTTP-BASIC authentication, logs in, reads a few pages, and then closes the web browser.
2) At some point in the future, the attacker begins making DHCP-INFORM broadcasts from the LAN and collecting the buffer leakage that results.
3) Among the leaked data is the base64 encoded authorization that was used to access the HTTP-BASIC authenticated website. The user's password has now been compromised.
Mitigating Factors
- The attacker must be on the LAN.
- Only data which is still in the buffer can be compromised. This limits the vulnerable data to the last few most recently visited web pages or a similar amount of data.
- Passing "unimportant" data through the router will flush the buffer and prevent the compromise of more important data.
- Cycling power to the router will clear the buffer.
- The DHCP service can be disabled on the router, removing the vulnerability entirely.
Moving Forward
It is my intention to post this vulnerability on Bugtraq in 1 month. However, I want to give Linksys every opportunity to prepare a fix for this vulnerability before it is made public. If more than 1 month will be required to resolve this issue, please let me know and I will work with you.
I hope I have not left out any important details. Please do not hesitate to contact me if you have any questions, and I wish you the best of luck in finding a solution. Capture files of the vulnerability being exploited are available to you if you need them.
Sincerely,
Lance Armstrong
********************
The response I received from Linksys on 5/3/2004 led me to believe that I was the first to bring this to their attention, but the Linksys posting did not credit anyone specifically with finding the vulnerability.