Message-ID: <200408020710.08206.ripe@7a69ezine.org>
Date: Mon, 2 Aug 2004 07:09:44 +0200
From: Albert Puigsech Galicia <ripe@...9ezine.org>
To: bugtraq@...urityfocus.com
Subject: 7a69Adv#13 - USRobotics AP Wireless Denial of Service


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- ------------------------------------------------------------------
  7a69ezine Advisories                               7a69Adv#13
- ------------------------------------------------------------------
  http://www.7a69ezine.org                            [02/08/2004]
- ------------------------------------------------------------------

Title:                  USRobotics AP Wireless Denial of Service

Author:              Albert Puigsech Galicia - <ripe@...9ezine.org>

Software:           Embedded HTTP server

Versions:           1.21h

Remote:             yes

Exploit:              yes

Severity:            High

- ------------------------------------------------------------------



I. Introduction

	USRobotics is an important company that builds a lot of network devices, such 
as modems, wireless cards and wireless access points. It also builds robots (as 
you can see in the film "I, Robot"). For more information about this company, 
visit the official website at http://www.usrobotics.com.



II. Description
	
	The USR808054 wireless access point can be administered over HTTP, so the 
firmware includes a small HTTP server. The latest version of this server has 
a critical buffer overflow that allows malicious users on the network to 
cause a denial of service or execute arbitrary code.


III. Exploit

	The buffer overflow occurs in the HTTP version string of a GET request. The 
request can be made without the administrator password, so every user on the 
network who is allowed to connect to the HTTP port (everyone by default) can 
exploit this issue. 

	This is exploit code using Perl:

	bash ~ $ perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

	It crashes the access point and disconnects all wireless users from the 
network. It may also be possible (with knowledge of the architecture used by 
USRobotics) to exploit the vulnerability to execute arbitrary code and gain 
total control of the device.


IV. Patch

	Not yet.


V. Timeline

19/07/2004 - Notified to spain_modemsupport@....com
                 - No reply


VI. Extra data

	I have only tested this vulnerability on my USR808054, but other USR products 
may also be affected.




- --
- -----------------------------------------------------------------------
Albert Puigsech Galicia

http://www.7a69ezine.org/~apuigsech
- -----------------------------------------------------------------------
This e-mail may contain confidential and/or privileged information.
If this message is not addressed to you (or you have received it in
error), please notify the sender immediately and destroy this e-mail.
Any unauthorized disclosure, copying or distribution of the material
contained in this e-mail is prohibited.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBDcyYiLW5f5WBvGcRAmQAAJ95CHJnT1AKiQ/mq6lXhJbGspIdNwCdEC+b
agHJzXOTEyiGwq+8+y5zzOg=
=6YBo
-----END PGP SIGNATURE-----
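
Added example, not part of the original advisory and not USRobotics firmware code: a request-line parser in C that bounds the HTTP version field the advisory names as the overflow point and rejects an oversized token instead of copying it. The field sizes and the names request_line, take_token and parse_request_line are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Field sizes are assumptions for this sketch, not the firmware's real ones. */
struct request_line {
    char method[8];
    char target[256];
    char version[9];            /* "HTTP/1.1" plus NUL */
};

/* Copy one space-delimited token into dst; NULL if empty or too long for cap. */
static const char *take_token(const char *p, const char *end, char *dst, size_t cap)
{
    size_t n = 0;
    while (p + n < end && p[n] != ' ')
        n++;
    if (n == 0 || n >= cap)
        return NULL;            /* reject instead of truncating or overflowing */
    memcpy(dst, p, n);
    dst[n] = '\0';
    return p + n;
}

/* Returns 0 if the request line is acceptable, else the HTTP status to send. */
int parse_request_line(const char *buf, size_t len, struct request_line *out)
{
    const char *eol = memchr(buf, '\r', len);
    if (eol == NULL || (size_t)(eol - buf) + 1 >= len || eol[1] != '\n')
        return 400;
    const char *p = take_token(buf, eol, out->method, sizeof out->method);
    if (p == NULL || p == eol)
        return 400;
    p = take_token(p + 1, eol, out->target, sizeof out->target);
    if (p == NULL || p == eol)
        return 400;
    p = take_token(p + 1, eol, out->version, sizeof out->version);
    if (p == NULL || p != eol)
        return 400;             /* oversized version token or trailing junk */
    if (strcmp(out->version, "HTTP/1.0") != 0 && strcmp(out->version, "HTTP/1.1") != 0)
        return 505;
    return 0;
}

int main(void)
{
    struct request_line rl;
    char bad[300] = "GET / ";   /* constructed input shaped like the advisory's request */
    memset(bad + 6, 'A', 250);
    memcpy(bad + 256, "\r\n\r\n", 5);
    printf("overlong version -> %d\n", parse_request_line(bad, strlen(bad), &rl));
}
```

The same length and format check can be applied in a filtering proxy placed in front of the management interface while no firmware fix is available.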

