Date: 7 Jun 2004 10:43:03 -0000
From: Lance Armstrong <mishlai@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Linksys BEFSR41 DHCP vulnerability server leaks network data




On May 2nd 2004 I sent an email (detailed below) to Linksys concerning this vulnerability.  Linksys has posted the vulnerability and a fix for the Revision 3 router since then here:

http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li=

Upgrades for Revs 1 & 2 are promised soon.

More details are included in the email:
************************
Linksys,

I believe I have found a vulnerability in your BEFSR41 router.  

The vulnerability involves a buffer leakage in the DHCP service. As a result, data that has recently passed through the router can be compromised by an attacker on the LAN.

This vulnerability was tested with firmware version 1.45.7

Conditions required to exploit the vulnerability:
1) An attacking host on the LAN side of the router that can broadcast DHCP-INFORM packets to the LAN.  
2) A sniffer on the attacking host to record the router's response packets.
3) Data has recently passed between the LAN and WAN sides of the router.
4) DHCP is enabled on the router.

Details
I used a Windows 2000 DHCP server to create the DHCP-INFORM packets.  The server broadcasts the DHCP-INFORM message once an hour, or when the service is restarted.  These packets must be broadcast to the LAN side of the router.

If DHCP is enabled on the router, it will respond to each broadcast with a packet containing leaked buffer data.  The response is sent directly to the IP address of the attacking host.  Approximately 488 bytes of the 590-byte response come from the router's buffer, providing easily recognizable fragments of recently viewed web pages, etc.

Effects of the vulnerability:
Data that has passed through the router recently can be compromised by an attacker with access to the LAN.  This can include email sent or received, web pages viewed, and passwords (cleartext or weakly encrypted) that have been used by a LAN client to access a WAN resource or vice versa.

Interesting notes about the vulnerability that make it more difficult to detect an attacker:
- The attack does not rely on traditional methods to overcome switched networks. 

- The attacking host does not need to place its NIC in promiscuous mode.  

- It is also possible to craft DHCP-INFORM packets that are not broadcast, but directed at the router's address.

- This vulnerability also makes it possible to view data that was passed through the router at some time in the past, making it unnecessary to capture the traffic when it actually occurs.  This makes the physical aspect of security more difficult.  The victim and the attacker do not have to be on the LAN at the same time.

Here is an example of that last point:
1) A LAN user is visiting a website that requires HTTP-BASIC authentication, logs in, reads a few pages, and then closes the web browser.

2) At some point in the future, the attacker begins making DHCP-INFORM broadcasts from the LAN and collecting the buffer leakage that results.

3) Among the leaked data is the base64 encoded authorization that was used to access the HTTP-BASIC authenticated website.  The user's password has now been compromised.

Mitigating Factors

- The attacker must be on the LAN. 

- Only data which is still in the buffer can be compromised.  This limits the vulnerable data to the last few most recently visited web pages or a similar amount of data.

- Passing "unimportant" data through the router will flush the buffer and prevent the compromise of more important data.

- Cycling power to the router will clear the buffer.

- The DHCP service can be disabled on the router, removing the vulnerability entirely.

Moving Forward

It is my intention to post this vulnerability on Bugtraq in 1 month.  However, I want to give Linksys every opportunity to prepare a fix for this vulnerability before it is made public.  If more than 1 month will be required to resolve this issue, please let me know and I will work with you. 

I hope I have not left out any important details.  Please do not hesitate to contact me if you have any questions, and I wish you the best of luck in finding a solution.  Capture files of the vulnerability being exploited are available to you if you need them.

Sincerely,

Lance Armstrong
********************

The response I received from Linksys on 5/3/2004 led me to believe that I was the first to bring this to their attention, but the Linksys posting did not credit anyone specifically with finding the vulnerability.
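
A defender-side check for the behaviour described above, added here as an example and not part of the original post or of Linksys's fix: it counts non-zero bytes in the parts of a captured DHCP reply that normally hold only zero padding (after the END option, and after the NUL terminator in `sname` and `file`). The post does not say which fields the BEFSR41 fills, so the field choice, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"      # DHCP magic cookie, offset 236 (RFC 2131)
PAD, OVERLOAD, END = 0, 52, 255  # option codes from RFC 2132

def _after_nul(field: bytes) -> int:
    """Non-zero bytes that follow a string field's NUL terminator."""
    cut = field.find(b"\x00")
    return 0 if cut < 0 else sum(b != 0 for b in field[cut:])

def residue_in_reply(payload: bytes) -> int:
    """Count non-zero bytes where a DHCP reply should carry only padding."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        raise ValueError("not a BOOTREPLY with DHCP options")
    i, overload = 240, 0
    while i < len(payload) and payload[i] != END:
        if payload[i] == PAD:
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            break                                   # truncated option, stop parsing
        if payload[i] == OVERLOAD and payload[i + 1] == 1:
            overload = payload[i + 2]               # sname/file reused for options
        i += 2 + payload[i + 1]
    found_end = i < len(payload) and payload[i] == END
    count = sum(b != 0 for b in payload[i + 1:]) if found_end else 0
    if not overload & 2:                            # sname is a plain string
        count += _after_nul(payload[44:108])
    if not overload & 1:                            # file is a plain string
        count += _after_nul(payload[108:236])
    return count

def build_reply(tail: bytes = b"", size: int = 548) -> bytes:
    """Constructed DHCPACK; `tail` is written directly after the END option."""
    head = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, 0) + bytes(224)
    opts = bytes([53, 1, 5, 54, 4, 192, 168, 1, 1, END])
    body = head + MAGIC + opts + tail
    return body + bytes(size - len(body))

RESIDUE = b"GET /index.html HTTP/1.0\r\n"   # constructed stand-in for leaked traffic
CLEAN = build_reply()
LEAKY = build_reply(RESIDUE)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, residue_in_reply(pkt))
```

Feed it the UDP payload of replies sent from the router's port 67; any non-zero count on a reply to a DHCP-INFORM is worth inspecting by hand.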

