[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000301c2e803$d3cf7690$0202a8c0@teliahomebase>
From: kruse at krusesecurity.dk (Peter Kruse)
Subject: SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Name: SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Date: 11th of Marts 2003
Software affected: RF550VPN Firmware v463, v464 beta
(prior versions are vulnerable - other models might
be affected as well!)
Advisory:
http://www.krusesecurity.dk/advisories/routefind550bof.txt
Vendor: http://www.multitech.com
Risk: Medium/High
Legal Notice:
This Advisory is copyright by Peter Kruse.
You may distribute this unmodified.
Disclaimer:
The opinions expressed in this advisory are my own and not that of any
company.
The usual standard disclaimer applies, especially the fact that Peter
Kruse
or Kruse Security is not liable for any damages caused by direct or
indirect
use of the information or functionality provided by this advisory or
program.
Vendor Description:
The SOHO RouteFinder is ideal for the small branch office or
telecommuter who needs
secure access to the corporate LAN. In addition to providing a WAN
Ethernet port
for DSL or cable broadband Internet access, it also offers both
client-to-LAN and
LAN-to-LAN VPN connectivity based on the IPSec protocol. It supports up
to 5 IPSec
tunnels and provides 3DES encryption with 700K bps throughput.
Problem:
The Multitech Routefinder supports login through a webinterface. By
default the
interface is enabled on the LAN side with a default login "admin" and a
blank
password.
The weakness is found in the web software implemented on the router.
A user on the LAN side is able to initiate a Denial of Service attack
against
the router and cause it to fail to respond. This would block all
Internet trafic.
More scary the fact that it's possible for a remote hostile attacker to
execute code
on the box. This is critical since the router is mainly used as a VPN
box for the SOHO
market. In order to attack the box from the outside it would require
that the webinterface
is enabled on the external side. This would often be done for remote
administration.
Description:
The flaw can be exploited with a GET /OPTIONS parameter.
By supplying an overlong URL: GET /OPTIONS AAAAA..[Ax10001]..AAAAA.HTML
HTTP/1.1 we can
break the box. This allows a hostile user to corrupt memory with
attacker-supplied data.
When the box receives the overlong URL it will reboot.
Solution:
Multitech has released new firmware that fixes this issue.
The firmware can be downloaded from this URL:
http://www.multitech.com/SUPPORT/SOHO_VPN/firmware.asp
(Please note that the firmaware that fixes this issue is still named v
4.63.
Log:
12.2.2003: Vendor contacted at (sales,support,security@...titech.com)
17.2.2003: Vendor contacted - reminder
19.2.2003: Reply - working to reproduce the problem
28.2.2003: Proof of concept code supplied in order to reproduce problem
7.3.2003: New firmware released - Tested and confirmed to fix the
problem
11.3.2003: Official release of this advisory
This advisory can be found online on my homepage:
http://www.krusesecurity.dk/advisories/routefind550bof.txt
Kind regards
Peter Kruse
Security Consultant
Kruse Security
http://www.krusesecurity.dk
Powered by blists - more mailing lists