Linksys Multiple Models - Denial Of Service Vulnerability

Archived from groups: comp.security.firewalls (More info?)

Alan McCaig (b0f www.b0f.net), in newsgroup mailing.unix.bugtraq, has reported a
vulnerability, in multiple Linksys router models, to a denial of service attack
from the LAN interface. The vulnerability is reportedly present in the models:
BEFSR41
BEFSR41 v3
BEFSRU31
BEFSR11
BEFSX41
BEFSR81 v2/v3
BEFW11S4 v3
BEFW11S4 v4

The vulnerability is based upon a long URL, which includes the router default
LAN address (here comes one long ass URL - sorry I don't believe in TinyURL et
al):
<http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=c9nkn1%249eg%241%40FreeBSD.csie.NCTU.edu.tw&rnum=8&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26q%3Dlinksys%2Bdenial%2Bof%2Bservice%26btnG%3DSearch>.

The article implies that an SX41 firmware upgrade resolves this, but I can't
find it mentioned:
<http://www.linksys.com/download/vertxt/befsx41_v1.50.18_code.txt>

If you are still using the factory default LAN settings, IMHO, this would be a
good motive to change today.

I just hope that some smarter exploit isn't developed to dynamically change the
IP address in the URL (based upon your default gateway setting) before Linksys
gets their act together (will that ever happen?).

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
  1.

    In article <pgc1c09lbgk8hso4b9chhiu62rdb5gd4fl@4ax.com>,
    none@example.net says...
    > Alan McCaig (b0f www.b0f.net), in newsgroup mailing.unix.bugtraq, has reported a
    > vulnerability, in multiple Linksys router models, to a denial of service attack
    > from the LAN interface. The vulnerability is reportedly present in the models:
    > BEFSR41
    > BEFSR41 v3
    > BEFSRU31
    > BEFSR11
    > BEFSX41
    > BEFSR81 v2/v3
    > BEFW11S4 v3
    > BEFW11S4 v4
    >
    > The vulnerability is based upon a long URL, which includes the router default
    > LAN address (here comes one long ass URL - sorry I don't believe in TinyURL et
    > al):
    > <http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=c9nkn1%249eg%241%40FreeBSD.csie.NCTU.edu.tw&rnum=8&prev=/groups%3Fhl%3Den%26lr%3D%26ie%3DUTF-8%26q%3Dlinksys%2Bdenial%2Bof%2Bservice%26btnG%3DSearch>.
    >
    > The article implies that an SX41 firmware upgrade resolves this, but I can't
    > find it mentioned:
    > <http://www.linksys.com/download/vertxt/befsx41_v1.50.18_code.txt>
    >
    > If you are still using the factory default LAN settings, IMHO, this would be a
    > good motive to change today.
    >
    > I just hope that some smarter exploit isn't developed to dynamically change the
    > IP address in the URL (based upon your default gateway setting) before Linksys
    > gets their act together (will that ever happen?).

    Notice this part of the post:

    << If an attacker can get the admin of the router to view a link
    << Or go to a webpage that links to such a link as this.

    The user, inside the LAN, has to take action in order for it to be
    compromised - meaning that unless a user clicks on a malicious link
    there is nothing to worry about.


    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  2.

    Leythos wrote:

    > none@example.net says...

    (snipped)

    > > Alan McCaig has reported a vulnerability, in multiple Linksys router models

    > Notice this part of the post:

    > << If an attacker can get the admin of the router to view a link
    > << Or go to a webpage that links to such a link as this.

    > The user, inside the LAN, has to take action in order for it to be
    > compromised - meaning that unless a user clicks on a malicious link
    > there is nothing to worry about.

    A person inside a LAN risks easy exposure as well! Chances
    are good, this person would accomplish this once and only once.

    My girl, though, has yet to realize when she sends me
    prank email, her LAN machine ip address is stamped upon it.
    Not gonna tell her. She is a darling, now that she is no
    longer a teenager.

    I know of no firmware device, router or firewall, which does
    not have some vulnerabilities. All have weak points.

    Linksys is a great product for an affordable price. We have
    both a Linksys router and Linksys hub here, and are very
    pleased with both. Even use their LAN cards which work
    with perfection. None can argue Linksys products are
    priced too high.

    For trivia, our Linksys products have never crashed nor
    failed. Our regional WAN/LAN Cisco routers crash once
    or twice a month, while enjoying a thirty-thousand
    dollar price tag.

    Another "exploit" which cannot be repaired, and worthy
    of note, not long back I flashed an upgrade bin into
    our Linksys router. Our Motorola modem crashed and
    was found to be beyond repair. Never suspected a flash
    bin file aimed at a specific LAN address, the address
    of our router, would also flash a modem into oblivion,
    specifically a Motorola modem.

    We have since switched to an Orion modem.

    Disconnect your external devices before bin flashing!


    Purl Gurl
  3.

    On Fri, 04 Jun 2004 19:55:29 GMT, Leythos <void@nowhere.com> wrote:

    >Notice this part of the post:
    >
    ><< If an attacker can get the admin of the router to view a link
    ><< Or go to a webpage that links to such a link as this.
    >
    >The user, inside the LAN, has to take action in order for it to be
    >compromised - meaning that unless a user clicks on a malicious link
    >there is nothing to worry about.

    Leythos,

    You do know that crafting URLs so the payload is not immediately apparent is not
    uncommon. There are multiple vulnerabilities in various browsers, such as
    InfernalExcrement, that would allow a hostile website to pass a dangerous URL to
    many unwary computer owners. Even the wary, such as myself, have been known to
    blindly click where it is unwise. EVERYBODY makes mistakes!

    God forbid that a mass mailing worm should include a crafted URL in its payload,
    and email opened in LookoutExpress with preview mode on.

    The best defense is to change your LAN settings. I do this out of principle.
    I'm not too sure a lot of other Linky owners do though.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
  4.

    In article <hpr1c0p22nc51ab6dc29tgkcfrtr77cf2o@4ax.com>,
    none@example.net says...
    > The best defense is to change your LAN settings. I do this out of principle.
    > I'm not too sure a lot of other Linky owners do though.

    I also change the default subnet. I'm willing to bet that the number of
    users protected by uncompromised Linksys routers (not to mention all
    other brands) is far greater than those that are actually compromised by
    the exploit. That still makes it a good border device in my book, and as
    I said before, that's only part of it.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  5.

    On Sat, 05 Jun 2004 02:29:10 GMT, Leythos <void@nowhere.com> wrote:

    >In article <hpr1c0p22nc51ab6dc29tgkcfrtr77cf2o@4ax.com>,
    >none@example.net says...
    >> The best defense is to change your LAN settings. I do this out of principle.
    >> I'm not too sure a lot of other Linky owners do though.
    >
    >I also change the default subnet. I'm willing to bet that the number of
    >users protected by uncompromised Linksys routers (not to mention all
    >other brands) is far greater than those that are actually compromised by
    >the exploit. That still makes it a good border device in my book, and as
    >I said before, that's only part of it.

    OK, we agree there. I'm not about to stop recommending the SX41 to my friends.
    But Linksys owners, and owners of other NAT routers, would be better off
    changing their settings too.

    And I still hope Linksys can get their act together, and provide reliable and
    stable firmware for their hardware.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
  6.

    I am doing some troubleshooting on my SR41 router. Can anyone verify for me
    whether they can access their router if they try changing the router IP's
    third octet to anything else but "1"? I tried changing my default IP from
    192.168.1.1 to others but if I change the 3rd octet I can no longer access
    the router and have to do a reset. I realize the first 2 are fixed but am
    wondering if one can change the third since it has a box to allow changing,
    just as the first 2 octets do as well. Changing the last octet seems to
    work ok.
  7.

    On Sat, 5 Jun 2004 14:39:44 -0500, "Jbob" <nobody@SpamCox.net> wrote:

    >I am doing some troubleshooting on my SR41 router. Can anyone verify for me
    >whether they can access their router if they try changing the router IP's
    >third octet to anything else but "1"? I tried changing my default IP from
    >192.168.1.1 to others but if I change the 3rd octet I can no longer access
    >the router and have to do a reset. I realize the first 2 are fixed but am
    >wondering if one can change the third since it has a box to allow changing,
    >just as the first 2 octets do as well. Changing the last octet seems to
    >work ok.

    Jbob,

    My third and fourth octets are both non-default. Router access works fine.

    Cheers,
    Chuck
    Paranoia comes from experience - and is not necessarily a bad thing.
  8.

    In article <QMqdnYqFE98cvF_dRVn-vA@comcast.com>, nobody@SpamCox.net
    says...
    > I am doing some troubleshooting on my SR41 router. Can anyone verify for me
    > whether they can access their router if they try changing the router IP's
    > third octet to anything else but "1"? I tried changing my default IP from
    > 192.168.1.1 to others but if I change the 3rd octet I can no longer access
    > the router and have to do a reset. I realize the first 2 are fixed but am
    > wondering if one can change the third since it has a box to allow changing,
    > just as the first 2 octets do as well. Changing the last octet seems to
    > work ok.

    If you change the subnet you have to do an IPCONFIG /RELEASE and then
    IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
    you just configured.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  9.

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b2c3237a3678b1b98a5f0@news-server.columbus.rr.com...
    >
    > If you change the subnet you have to do an IPCONFIG /RELEASE and then
    > IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
    > you just configured.
    >
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)

    Yes, that was the problem. Funny thing though, I could change the last octet
    only and could still access the router but if I changed the third octet it
    wouldn't work anymore. But I got it figured out now.

    Thanks again
  10.

    Leythos wrote:

    > nobody wrote:

    > > I am doing some troubleshooting on my SR41 router. Can anyone verify for me
    > > whether they can access their router if they try changing the router IP's
    > > third octet to anything else but "1"? I tried changing my default IP from
    > > 192.168.1.1 to others but if I change the 3rd octet I can no longer access
    > > the router and have to do a reset.

    > If you change the subnet you have to do an IPCONFIG /RELEASE and then
    > IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
    > you just configured.

    Some machines require a manual configuration and reboot. An item
    many forget, I have forgotten this, is when you change your router
    address, you also change your LAN gateway address. Suddenly, nothing
    works until you enter your new gateway address in each LAN machine.


    Purl Gurl
    --
    Learn To Speak, Read And Write Choctaw!
    http://www.purlgurl.net/~choctaw/
  11.

    In article <frOdnRY6e-7k6V_dRVn-vg@comcast.com>, nobody@SpamCox.net
    says...
    > "Leythos" <void@nowhere.com> wrote in message
    > news:MPG.1b2c3237a3678b1b98a5f0@news-server.columbus.rr.com...
    > >
    > > If you change the subnet you have to do an IPCONFIG /RELEASE and then
    > > IPCONFIG /RENEW on your machine or it won't be in the NEW subnet that
    > > you just configured.
    > >
    > > --
    > > spamfree999@rrohio.com
    > > (Remove 999 to reply to me)
    >
    > Yes, that was the problem. Funny thing though, I could change the last octet
    > only and could still access the router but if I changed the third octet it
    > wouldn't work anymore. But I got it figured out now.

    OK. The last (rightmost) octet is in the same subnet as your computer, but
    since you use the last octet number you only need to change the IP that
    you are trying to reach - meaning that you didn't change subnets when
    you changed the last octet, only the IP of the router. I suspect that
    you would not be able to get to the internet since your previously
    provided default gateway is now at the new IP.

    When you change the third octet you are changing the subnet of the
    network that the router is in - and your PC is not in that subnet...

    192.168.1.1 / 255.255.255.0
    192.168.1.10 / 255.255.255.0
    192.168.1.200 / 255.255.255.0

    Any computer on the above can see any other computer on the above.

    192.168.1.1 / 255.255.255.0
    192.168.2.10 / 255.255.255.0
    192.168.3.200 / 255.255.255.0

    None of the above computers can see each other without routing rules,
    they are in different subnets.

    Hope that helps.


    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  12.

    > OK. The last (rightmost) octet is in the same subnet as your computer, but
    > since you use the last octet number you only need to change the IP that
    > you are trying to reach - meaning that you didn't change subnets when
    > you changed the last octet, only the IP of the router. I suspect that
    > you would not be able to get to the internet since your previously
    > provided default gateway is now at the new IP.
    >
    > When you change the third octet you are changing the subnet of the
    > network that the router is in - and your PC is not in that subnet...
    >
    > 192.168.1.1 / 255.255.255.0
    > 192.168.1.10 / 255.255.255.0
    > 192.168.1.200 / 255.255.255.0
    >
    > Any computer on the above can see any other computer on the above.
    >
    > 192.168.1.1 / 255.255.255.0
    > 192.168.2.10 / 255.255.255.0
    > 192.168.3.200 / 255.255.255.0
    >
    > None of the above computers can see each other without routing rules,
    > they are in different subnets.

    I suppose I'm a little weak on subnet stuff. What I am running now is
    192.168.xxx.xxx(not default any more but both third and fourth octet are
    above 128) for IP and 255.255.255.128 for subnet. Connections seem to be
    working great now. I still might need to make some more changes based on
    what you said though.

    I guess I still need to bone up on subnet stuff.
  13.

    Jbob wrote:

    (snipped)

    > I guess I still need to bone up on subnet stuff.


    This is a great site for learning about subnets,

    http://www.freesoft.org/CIE/Course/Subnet/


    An excellent tool page for a variety of testing,

    http://www.dnsstuff.com/


    Purl Gurl
    --
    Learn To Speak, Read And Write Choctaw!
    http://www.purlgurl.net/~choctaw/
  14.

    Roger that! I've got DNSstuff as a favorite already!!
  15.

    In article <bpqdnbcxXeG93V7dRVn-vA@comcast.com>, nobody@SpamCox.net
    says...
    > > OK. The last (rightmost) octet is in the same subnet as your computer, but
    > > since you use the last octet number you only need to change the IP that
    > > you are trying to reach - meaning that you didn't change subnets when
    > > you changed the last octet, only the IP of the router. I suspect that
    > > you would not be able to get to the internet since your previously
    > > provided default gateway is now at the new IP.
    > >
    > > When you change the third octet you are changing the subnet of the
    > > network that the router is in - and your PC is not in that subnet...
    > >
    > > 192.168.1.1 / 255.255.255.0
    > > 192.168.1.10 / 255.255.255.0
    > > 192.168.1.200 / 255.255.255.0
    > >
    > > Any computer on the above can see any other computer on the above.
    > >
    > > 192.168.1.1 / 255.255.255.0
    > > 192.168.2.10 / 255.255.255.0
    > > 192.168.3.200 / 255.255.255.0
    > >
    > > None of the above computers can see each other without routing rules,
    > > they are in different subnets.
    >
    > I suppose I'm a little weak on subnet stuff. What I am running now is
    > 192.168.xxx.xxx(not default any more but both third and fourth octet are
    > above 128) for IP and 255.255.255.128 for subnet. Connections seem to be
    > working great now. I still might need to make some more changes based on
    > what you said though.
    >
    > I guess I still need to bone up on subnet stuff.

    With a mask of 255.255.255.0, the 4th octet is used as the device's IP
    address; the other three identify what subnet the device is in.

    If you were to set the device to 192.168.200.1 and then renew your PC's
    IP, you would still be able to access the internet and the script/hack
    would not work against you. 200 was just a random number I picked -
    anything other than 0 or 1 would be good also.

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
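
The subnet arithmetic Leythos lays out in replies 11 and 15, and the stale-lease problem Jbob ran into when he moved the router off 192.168.1.1, as an added worked example in Python. This is not code posted by anyone in the thread. It takes the thread's factory default to be 192.168.1.1 with mask 255.255.255.0; the PC and router addresses used below, including a 255.255.255.128 layout standing in for Jbob's redacted 192.168.xxx.xxx, are constructed for illustration. Python's standard ipaddress module accepts a dotted netmask after the slash, so the figures can be typed exactly as they appear in the replies.

```python
import ipaddress
from dataclasses import dataclass

# The factory-default LAN setting the thread is talking about (an assumption
# drawn from the posts: 192.168.1.1 with mask 255.255.255.0).
FACTORY_DEFAULT = ipaddress.ip_interface("192.168.1.1/255.255.255.0")


def all_mutually_visible(addresses, netmask):
    """True when every address falls in the same network under `netmask`,
    i.e. the hosts reach each other directly, with no routing rule needed.
    This is the test behind the two three-address lists in reply 11."""
    networks = {ipaddress.ip_interface(f"{a}/{netmask}").network
                for a in addresses}
    return len(networks) == 1


@dataclass
class HostConfig:
    """What a LAN PC is currently holding, typically from its old DHCP lease."""
    ip: str
    netmask: str
    gateway: str


def check_router_move(host, new_router_ip, new_netmask):
    """Predict what a PC with an un-renewed lease sees after the router's
    LAN address is changed to new_router_ip/new_netmask.

    router_reachable      - the new router address is inside the PC's subnet
    gateway_valid         - the PC's configured default gateway is the router
    needs_renew           - an ipconfig /release + /renew (or manual edit) is
                            required before everything works again
    still_factory_default - the new setting is the one a hard-coded link to
                            the default LAN address would still hit
    """
    host_if = ipaddress.ip_interface(f"{host.ip}/{host.netmask}")
    router = ipaddress.ip_address(new_router_ip)
    router_reachable = router in host_if.network
    gateway_valid = ipaddress.ip_address(host.gateway) == router
    new_setting = ipaddress.ip_interface(f"{new_router_ip}/{new_netmask}")
    return {
        "router_reachable": router_reachable,
        "gateway_valid": gateway_valid,
        "needs_renew": not (router_reachable and gateway_valid),
        "still_factory_default": new_setting == FACTORY_DEFAULT,
    }


if __name__ == "__main__":
    # Reply 11's two lists.
    print(all_mutually_visible(
        ["192.168.1.1", "192.168.1.10", "192.168.1.200"], "255.255.255.0"))  # True
    print(all_mutually_visible(
        ["192.168.1.1", "192.168.2.10", "192.168.3.200"], "255.255.255.0"))  # False

    # A PC still holding the lease it got from the factory-default router
    # (constructed address).
    pc = HostConfig("192.168.1.10", "255.255.255.0", "192.168.1.1")

    # Change only the last octet: router still reachable, but the PC's
    # gateway now points at an address nobody answers on.
    print(check_router_move(pc, "192.168.1.200", "255.255.255.0"))

    # Change the third octet: the PC is no longer in the router's subnet at all.
    print(check_router_move(pc, "192.168.2.1", "255.255.255.0"))

    # After renewing on a /25 layout like Jbob's (constructed addresses).
    pc2 = HostConfig("192.168.200.130", "255.255.255.128", "192.168.200.129")
    print(check_router_move(pc2, "192.168.200.129", "255.255.255.128"))
```

The last-octet case is the one that fooled Jbob: the router page still loads because the PC and router share 192.168.1.0/24, yet Internet access breaks until the lease is renewed, because the PC's default gateway is still the old address. Moving the third octet fails both checks at once, which is why it looked like the router had died.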