Message-ID: <CAD-LzdQjQ3OVcH9+i101++1dNT4OnZwW6eH_jtg1J08R4d5EeA@mail.gmail.com>
Date: Mon, 1 Jul 2013 23:50:35 -0400
From: kyle Lovett <krlovett@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: Linksys EA - 2700, 3500, 4200, 4500 w/ Lighttpd 1.4.28
 Unauthenticated Remote Administration Access

Vulnerable products: Linksys EA2700, EA3500, E4200, EA4500 using
lighttpd 1.4.28 and Utopia on Linux 2.6.22

Firmware Version: 1.0.14  EA2700
Firmware Version: 1.0.30  EA3500
Firmware Version: 2.0.36  E4200
Firmware Version: 2.0.36  EA4500

Impact: - Major

Timeline: - Still awaiting word back from Linksys support. Partial
disclosure at present due to the impact; full disclosure in the near
future if warranted.

Vulnerabilities:
- Unauthenticated remote access to all pages of the router
administration GUI, bypassing any credential prompts under certain
common configurations (see below)
- Direct access to several other critical files, unauthenticated as well

Vulnerability Conditions seen in all variations:

- Remote Management - Disabled
- UPnP - Enabled
- IPv4 SPI Firewall Protection - Disabled

Although not the same symptoms as the bug that plagues most ASUS
routers that are AiCloud enabled with WebDav, the utilization of both
UPnP and SSL on lighttpd v 1.4.28 appears to be an extremely
problematic combination, exposing certain vulnerabilities to the WAN
side of the router.

Recommendations:

- Disable UPnP
- Enable at minimum the built-in IPv4 SPI firewall
- Oddly, in some instances, resetting the password and doing a full
power-down reboot has been shown to close the vulnerability, but not always
- Disallow remote access from the WAN side - both HTTP and HTTPS
- Changing the default user name and password won't help in this case,
but it always bears repeating
- Since an attacker has access to enable FTP service, USB drives
mounted in the router should be removed until a patch is out, or the
full scope of the issue is known

Testing additional firmware is ongoing.
