Linksys Multiple Models - Denial Of Service Vulnerability

June 4, 2004 4:53:05 PM

Archived from groups: comp.security.firewalls (More info?)

Alan McCaig (b0f www.b0f.net), in newsgroup mailing.unix.bugtraq, has reported a
vulnerability, in multiple Linksys router models, to a denial of service attack
from the LAN interface. The vulnerability is reportedly present in the models:
BEFSR41
BEFSR41 v3
BEFSRU31
BEFSR11
BEFSX41
BEFSR81 v2/v3
BEFW11S4 v3
BEFW11S4 v4

The vulnerability is based upon a long URL, which includes the router default
LAN address (here comes one long ass URL - sorry I don't believe in TinyURL et
al):
<http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&thre...>.

The article implies that an SX41 firmware upgrade resolves this, but I can't
find it mentioned:
<http://www.linksys.com/download/vertxt/befsx41_v1.50.18...>

If you are still using the factory default LAN settings, IMHO, this would be a
good motive to change today.

I just hope that some smarter exploit isn't developed to dynamically change the
IP address in the URL (based upon your default gateway setting) before Linksys
gets their act together (will that ever happen?).

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.

Anonymous
June 4, 2004 11:55:29 PM

In article <pgc1c09lbgk8hso4b9chhiu62rdb5gd4fl@4ax.com>,
none@example.net says...
> Alan McCaig (b0f www.b0f.net), in newsgroup mailing.unix.bugtraq, has reported a
> vulnerability, in multiple Linksys router models, to a denial of service attack
> from the LAN interface. The vulnerability is reportedly present in the models:
> BEFSR41
> BEFSR41 v3
> BEFSRU31
> BEFSR11
> BEFSX41
> BEFSR81 v2/v3
> BEFW11S4 v3
> BEFW11S4 v4
>
> The vulnerability is based upon a long URL, which includes the router default
> LAN address (here comes one long ass URL - sorry I don't believe in TinyURL et
> al):
> <http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&thre...>.
>
> The article implies that an SX41 firmware upgrade resolves this, but I can't
> find it mentioned:
> <http://www.linksys.com/download/vertxt/befsx41_v1.50.18...>
>
> If you are still using the factory default LAN settings, IMHO, this would be a
> good motive to change today.
>
> I just hope that some smarter exploit isn't developed to dynamically change the
> IP address in the URL (based upon your default gateway setting) before Linksys
> gets their act together (will that ever happen?).

Notice this part of the post:

<< If an attacker can get the admin of the router to view a link
<< Or goto a webpage that links to such a link as this.

The user, inside the LAN, has to take action in order for it to be
compromised - meaning that unless a user clicks on a malicious link
there is nothing to worry about.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 4, 2004 11:55:30 PM

Leythos wrote:

> none@example.net says...

(snipped)

> > Alan McCaig has reported a vulnerability, in multiple Linksys router models

> Notice this part of the post:

> << If an attacker can get the admin of the router to view a link
> << Or goto a webpage that links to such a link as this.

> The user, inside the LAN, has to take action in order for it to be
> compromised - meaning that unless a user clicks on a malicious link
> there is nothing to worry about.

A person inside a LAN risks easy exposure as well! Chances
are good, this person would accomplish this once and only once.

My girl, though, has yet to realize when she sends me
prank email, her LAN machine ip address is stamped upon it.
Not gonna tell her. She is a darling, now that she is no
longer a teenager.

I know of no firmware device, router or firewall, which does
not have some vulnerabilities. All have weak points.

Linksys is a great product for an affordable price. We have
both a Linksys router and Linksys hub here, and are very
pleased with both. Even use their LAN cards which work
with perfection. None can argue Linksys products are
priced too high.

For trivia, our Linksys products have never crashed nor
failed. Our regional WAN/LAN Cisco routers crash once
or twice a month, while enjoying a thirty-thousand
dollar price tag.

Another "exploit" which cannot be repaired, and worthy
of note, not long back I flashed an upgrade bin into
our Linksys router. Our Motorola modem crashed and
was found to be beyond repair. Never suspected a flash
bin file aimed at a specific LAN address, the address
of our router, would also flash a modem into oblivion,
specifically a Motorola modem.

We have since switched to an Orion modem.

Disconnect your external devices before bin flashing!


Purl Gurl
June 4, 2004 11:55:30 PM

On Fri, 04 Jun 2004 19:55:29 GMT, Leythos <void@nowhere.com> wrote:

>Notice this part of the post:
>
><< If an attacker can get the admin of the router to view a link
><< Or goto a webpage that links to such a link as this.
>
>The user, inside the LAN, has to take action in order for it to be
>compromised - meaning that unless a user clicks on a malicious link
>there is nothing to worry about.

Leythos,

You do know that crafting URLs so the payload is not immediately apparent is not
uncommon. There are multiple vulnerabilities in various browsers, such as
InfernalExcrement, that would allow a hostile website to pass a dangerous URL to
many unwary computer owners. Even the wary, such as myself, have been known to
blindly click where it is unwise. EVERYBODY makes mistakes!

God forbid that a mass mailing worm should include a crafted URL in its payload,
and email opened in LookoutExpress with preview mode on.

The best defense is to change your LAN settings. I do this out of principle.
I'm not too sure a lot of other Linky owners do though.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
Anonymous
June 5, 2004 6:29:10 AM

In article <hpr1c0p22nc51ab6dc29tgkcfrtr77cf2o@4ax.com>,
none@example.net says...
> The best defense is to change your LAN settings. I do this out of principle.
> I'm not too sure a lot of other Linky owners do though.

I also change the default subnet. I'm willing to bet that the number of
users protected by uncompromised Linksys routers (not to mention all
other brands) is far greater than those that are actually compromised by
the exploit. That still makes it a good border device in my book, and as
I said before, that's only part of it.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 5, 2004 6:29:11 AM

On Sat, 05 Jun 2004 02:29:10 GMT, Leythos <void@nowhere.com> wrote:

>In article <hpr1c0p22nc51ab6dc29tgkcfrtr77cf2o@4ax.com>,
>none@example.net says...
>> The best defense is to change your LAN settings. I do this out of principle.
>> I'm not too sure a lot of other Linky owners do though.
>
>I also change the default subnet. I'm willing to bet that the number of
>users protected by uncompromised Linksys routers (not to mention all
>other brands) is far greater than those that are actually compromised by
>the exploit. That still makes it a good border device in my book, and as
>I said before, that's only part of it.

OK, we agree there. I'm not about to stop recommending the SX41 to my friends.
But Linksys owners, and owners of other NAT routers, would be better off
changing their settings too.

And I still hope Linksys can get their act together, and provide reliable and
stable firmware for their hardware.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
June 5, 2004 6:39:44 PM

I am doing some troubleshooting on my SR41 router. Can anyone verify for me
whether they can access their router if they try changing the router IP's
third octet to anything else but "1"? I tried changing my default IP from
192.168.1.1 to others but if I change the 3rd octet I can no longer access
the router and have to do a reset. I realize the first 2 are fixed but am
wondering if one can change the third since it has a box to allow changing,
just as the first 2 octets do as well. Changing the last octet seems to
work ok.
June 5, 2004 8:30:13 PM

On Sat, 5 Jun 2004 14:39:44 -0500, "Jbob" <nobody@SpamCox.net> wrote:

>I am doing some troubleshooting on my SR41 router. Can anyone verify for me
>whether they can access their router if they try changing the router IP's
>third octet to anything else but "1"? I tried changing my default IP from
>192.168.1.1 to others but if I change the 3rd octet I can no longer access
>the router and have to do a reset. I realize the first 2 are fixed but am
>wondering if one can change the third since it has a box to allow changing,
>just as the first 2 octets do as well. Changing the last octet seems to
>work ok.

Jbob,

My third and fourth octets are both non-default. Router access works fine.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
Anonymous
June 6, 2004 4:34:28 AM

In article <QMqdnYqFE98cvF_dRVn-vA@comcast.com>, nobody@SpamCox.net
says...
> I am doing some troubleshooting on my SR41 router. Can anyone verify for me
> whether they can access their router if they try changing the router IP's
> third octet to anything else but "1"? I tried changing my default IP from
> 192.168.1.1 to others but if I change the 3rd octet I can no longer access
> the router and have to do a reset. I realize the first 2 are fixed but am
> wondering if one can change the third since it has a box to allow changing,
> just as the first 2 octets do as well. Changing the last octet seems to
> work ok.

If you change the subnet you have to do an IPCONFIG /RELEASE and then
IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
you just configured.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 6, 2004 4:34:29 AM

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b2c3237a3678b1b98a5f0@news-server.columbus.rr.com...
>
> If you change the subnet you have to do an IPCONFIG /RELEASE and then
> IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
> you just configured.
>
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Yet that was the problem. Funny thing though, I could change the last octet
only and could still access the router but if I changed the third octet it
wouldn't work anymore. But I got it figured out now.

Thanks again
Anonymous
June 6, 2004 4:34:29 AM

Leythos wrote:

> nobody wrote:

> > I am doing some troubleshooting on my SR41 router. Can anyone verify for me
> > whether they can access their router if they try changing the router IP's
> > third octet to anything else but "1"? I tried changing my default IP from
> > 192.168.1.1 to others but if I change the 3rd octet I can no longer access
> > the router and have to do a reset.

> If you change the subnet you have to do an IPCONFIG /RELEASE and then
> IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
> you just configured.

Some machines require a manual configuration and reboot. An item
many forget, I have forgotten this, is when you change your router
address, you also change your LAN gateway address. Suddenly, nothing
works until you enter your new gateway address in each LAN machine.


Purl Gurl
--
Learn To Speak, Read And Write Choctaw!
http://www.purlgurl.net/~choctaw/
Anonymous
June 6, 2004 5:49:52 PM

In article <frOdnRY6e-7k6V_dRVn-vg@comcast.com>, nobody@SpamCox.net
says...
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b2c3237a3678b1b98a5f0@news-server.columbus.rr.com...
> >
> > If you change the subnet you have to do an IPCONFIG /RELEASE and then
> > IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
> > you just configured.
> >
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> Yet that was the problem. Funny thing though, I could change the last octet
> only and could still access the router but if I changed the third octet it
> wouldn't work anymore. But I got it figured out now.

OK, The last (right most) is in the same subnet as your computer, but
since you use the last octet number you only need to change the IP that
you are trying to reach - meaning that you didn't change subnets when
you changed the last octet, only the IP of the router. I suspect that
you would not be able to get to the internet since your previously
provided default gateway is now at the new IP.

When you change the third octet you are changing the subnet of the
network that the router is in - and your PC is not in that subnet...

192.168.1.1 / 255.255.255.0
192.168.1.10 / 255.255.255.0
192.168.1.200 / 255.255.255.0

Any computer on the above can see any other computer on the above.

192.168.1.1 / 255.255.255.0
192.168.2.10 / 255.255.255.0
192.168.3.200 / 255.255.255.0

None of the above computers can see each other without routing rules,
they are in different subnets.

Hope that helps.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
June 6, 2004 5:49:53 PM

> OK, The last (right most) is in the same subnet as your computer, but
> since you use the last octet number you only need to change the IP that
> you are trying to reach - meaning that you didn't change subnets when
> you changed the last octet, only the IP of the router. I suspect that
> you would not be able to get to the internet since your previously
> provided default gateway is now at the new IP.
>
> When you change the third octet you are changing the subnet of the
> network that the router is in - and your PC is not in that subnet...
>
> 192.168.1.1 / 255.255.255.0
> 192.168.1.10 / 255.255.255.0
> 192.168.1.200 / 255.255.255.0
>
> Any computer on the above can see any other computer on the above.
>
> 192.168.1.1 / 255.255.255.0
> 192.168.2.10 / 255.255.255.0
> 192.168.3.200 / 255.255.255.0
>
> None of the above computers can see each other without routing rules,
> they are in different subnets.

I suppose I'm a little weak on subnet stuff. What I am running now is
192.168.xxx.xxx (not default any more but both third and fourth octet are
above 128) for IP and 255.255.255.128 for subnet. Connections seem to be
working great now. I still might need to make some more changes based on
what you said though.

I guess I still need to bone up on subnet stuff.
June 6, 2004 5:49:55 PM

Roger that! I've got DNSstuff as a favorite already!!
Anonymous
June 6, 2004 8:17:14 PM

In article <bpqdnbcxXeG93V7dRVn-vA@comcast.com>, nobody@SpamCox.net
says...
> > OK, The last (right most) is in the same subnet as your computer, but
> > since you use the last octet number you only need to change the IP that
> > you are trying to reach - meaning that you didn't change subnets when
> > you changed the last octet, only the IP of the router. I suspect that
> > you would not be able to get to the internet since your previously
> > provided default gateway is now at the new IP.
> >
> > When you change the third octet you are changing the subnet of the
> > network that the router is in - and your PC is not in that subnet...
> >
> > 192.168.1.1 / 255.255.255.0
> > 192.168.1.10 / 255.255.255.0
> > 192.168.1.200 / 255.255.255.0
> >
> > Any computer on the above can see any other computer on the above.
> >
> > 192.168.1.1 / 255.255.255.0
> > 192.168.2.10 / 255.255.255.0
> > 192.168.3.200 / 255.255.255.0
> >
> > None of the above computers can see each other without routing rules,
> > they are in different subnets.
>
> I suppose I'm a little weak on subnet stuff. What I am running now is
> 192.168.xxx.xxx (not default any more but both third and fourth octet are
> above 128) for IP and 255.255.255.128 for subnet. Connections seem to be
> working great now. I still might need to make some more changes based on
> what you said though.
>
> I guess I still need to bone up on subnet stuff.

With a mask of 255.255.255.0, the 4th octet is used as the device's IP
address, the other three identify what subnet the device is in.

If you were to set the device to 192.168.200.1 and then renew your PC's
IP, you would still be able to access the internet and the script/hack
would not work against you. 200 was just a random number I picked -
anything other than 0 or 1 would be good also.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
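
Added example, not part of any post in this thread: a small Python check of the subnet reasoning discussed above (the 255.255.255.0 address lists, the 255.255.255.128 mask, and the move to 192.168.200.1), which also flags a router left at the factory-default LAN address. The function names and finding codes are hypothetical, and the /25 addresses are constructed because the poster masked the real octets.

```python
import ipaddress

# Factory-default router LAN address quoted in the thread.
FACTORY_DEFAULT = ipaddress.ip_address("192.168.1.1")

def same_subnet(a, b, mask):
    """True when both addresses land in the same network under `mask`."""
    def net(ip):
        return ipaddress.ip_interface(f"{ip}/{mask}").network
    return net(a) == net(b)

def audit_client(client_ip, mask, router_ip):
    """Return findings for one LAN client given the router's current LAN address."""
    iface = ipaddress.ip_interface(f"{client_ip}/{mask}")
    router = ipaddress.ip_address(router_ip)
    findings = []
    if router not in iface.network:
        # Stale lease or static settings: the client cannot reach the router
        # until it is renumbered (IPCONFIG /RELEASE and /RENEW, or manual edit).
        findings.append("GATEWAY_OFF_SUBNET")
    if router == FACTORY_DEFAULT:
        # Router still sits at the address the reported URL depends on.
        findings.append("ROUTER_AT_FACTORY_DEFAULT")
    return findings

if __name__ == "__main__":
    mask24, mask25 = "255.255.255.0", "255.255.255.128"
    # First list from the thread: all three hosts share 192.168.1.0/24.
    print(same_subnet("192.168.1.1", "192.168.1.200", mask24))
    # Second list: third octet differs, so the hosts are in different subnets.
    print(same_subnet("192.168.1.1", "192.168.2.10", mask24))
    # Constructed /25 case: .129 and .200 share the upper half, .10 does not.
    print(same_subnet("192.168.200.129", "192.168.200.200", mask25))
    print(same_subnet("192.168.200.10", "192.168.200.200", mask25))
    # Router moved to 192.168.200.1 while the client still holds an old lease.
    print(audit_client("192.168.1.100", mask24, "192.168.200.1"))
    # Same client after renewing its lease in the new subnet.
    print(audit_client("192.168.200.100", mask24, "192.168.200.1"))
```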