
idefense.BEFSR41.txt

Posted Nov 1, 2002
Authored by David Endler, Jeep 94 | Site idefense.com

iDEFENSE Security Advisory 10.31.2002 - The Linksys BEFSR41 EtherFast Cable/DSL Router contains a remote denial of service vulnerability if the remote management is enabled. Exploit URL included.

tags | remote, denial of service
SHA-256 | 02f580994b98ab9b30d3c28cb952de728cb78181fc1ac40e5a4e56e0d134a86e

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 10.31.02a:
http://www.idefense.com/advisory/10.31.02a.txt
Denial of Service Vulnerability in Linksys BEFSR41 EtherFast
Cable/DSL Router
October 31, 2002

I. BACKGROUND

Linksys Group Inc.’s EtherFast Cable/DSL Router with 4-Port Switch
“is the perfect option to connect multiple PCs to a high-speed
Broadband Internet connection or to an Ethernet back-bone. Allowing
up to 253 users, the built-in NAT technology acts as a firewall
protecting your internal network.” More information about it is
available at
http://www.linksys.com/products/product.asp?prid=20&grid=23.

II. DESCRIPTION

The BEFSR41 crashes if a remote and/or local attacker accesses the
script Gozila.cgi using the router’s IP address with no arguments.
Remote exploitation requires that the router's remote management be
enabled. A sample exploit looks as follows:

http://192.168.1.1/Gozila.cgi?

III. ANALYSIS

Exploitation may be particularly dangerous, especially if the
router’s remote management capability is enabled. An attacker can
trivially crash the router by directing the URL above to its external
interface. In general, little reason exists to allow the web
management feature to be accessible on the external interface of the
router. It is feasible that this type of vulnerability exists in
older firmware versions in other Linksys hardware.

IV. DETECTION

This vulnerability affects the BEFSR41 EtherFast Cable/DSL router
with firmware earlier than version 1.42.7.
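
The check described in this section, together with the request pattern from section II, can be applied to a device inventory and to upstream proxy or IDS logs. The following is an added example, not part of the iDEFENSE advisory; the log format, the sample lines, the case-insensitive match on the script name and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

FIXED = (1, 42, 7)  # first fixed firmware version named in the advisory

def parse_fw(version):
    """'1.42.7' -> (1, 42, 7); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(model, firmware):
    """BEFSR41 with firmware earlier than 1.42.7."""
    return model.upper() == "BEFSR41" and parse_fw(firmware) < FIXED

def exposure(model, firmware, remote_mgmt):
    """Classify one inventory entry; remote_mgmt = remote management enabled."""
    if not is_affected(model, firmware):
        return "not affected"
    return "affected, WAN-reachable" if remote_mgmt else "affected, LAN only"

def is_empty_gozila_request(request_line):
    """True for a request to Gozila.cgi that carries no arguments."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    url = urlsplit(parts[1])
    # Assumption: match the script name case-insensitively to be conservative.
    name = unquote(url.path).rsplit("/", 1)[-1].lower()
    return name == "gozila.cgi" and url.query == ""

def suspicious_sources(lines):
    """Source addresses that requested Gozila.cgi without arguments."""
    hits = []
    for line in lines:
        m = re.search(r'^(\S+).*?"([^"]*)"', line)
        if m and is_empty_gozila_request(m.group(2)):
            hits.append(m.group(1))
    return hits

# Constructed sample lines (common-log style); 'arg=1' is a made-up parameter.
SAMPLE_LOG = [
    '203.0.113.9 - - [31/Oct/2002:10:00:01] "GET /Gozila.cgi? HTTP/1.0" -',
    '192.168.1.20 - - [31/Oct/2002:10:00:05] "GET /Gozila.cgi?arg=1 HTTP/1.0" 200',
    '192.168.1.20 - - [31/Oct/2002:10:00:09] "GET /index.htm HTTP/1.0" 200',
]

if __name__ == "__main__":
    print(exposure("BEFSR41", "1.42.6", True))
    print(suspicious_sources(SAMPLE_LOG))
```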

V. RECOVERY

Pressing the reset button on the back of the router should restore
normal functionality.

VI. WORKAROUND

Ensure the remote web management feature is disabled, if unnecessary.

VII. VENDOR FIX

Firmware version 1.42.7 and later fix this problem. Version 1.43,
which is the latest available version, can be found at
http://www.linksys.com/download/firmware.asp?fwid=1.

VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1236 to this issue.

IX. DISCLOSURE TIMELINE

08/27/2002  Issue disclosed to iDEFENSE
09/12/2002  Linksys notified
09/12/2002  iDEFENSE clients notified
09/13/2002  Response received from maryann.gamboa@Linksys.com
09/19/2002  Status request from iDEFENSE
09/20/2002  Asked to delay advisory until second level support can respond
10/20/2002  No response from second level support, another status request to maryann.gamboa@Linksys.com
10/31/2002  Still no response from Linksys, public disclosure

X. CREDIT

Jeep 94 (lowjeep94@hotmail.com) is credited with discovering this
vulnerability.



Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.


- -dave

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPcHhwErdNYRLCswqEQKdigCgrSe4Z3J6ygmcribEJMa2wezmk6QAoND7
EE5vWSvk+ZFP7jIvXEPBGjGe
=oTCt
-----END PGP SIGNATURE-----