From: conde0 at telefonica.net (David F.Madrid)
Subject: Denial of service in XAVI X7028r DSL Wireless router

Product affected: Xavi X7028r DSL router

Description:

Telefonica offers its clients in Spain and South America the possibility
of installing, with its ADSL service, a wireless router developed by XAVI.

This router is Universal Plug and Play capable, and when it receives a
UPnP M-SEARCH request it answers offering a URL on its TCP port 280
with its characteristics and XML pages to interact with the device.
As the length of the URL parameter is not checked in the HTTP request,
sending GET, HEAD or TRACE requests with different lengths causes
a reboot of the router. The PPP connection stays active, but you will
have to disconnect and reconnect to use the connection again.

This can be used by a LAN user to cause a DoS. A remote user can
exploit this with a bit of interaction from an X7028r user (clicking
on a link in a website vulnerable to XSS or visiting a webpage
can be enough, as you can always access the UPnP interface with
the 192.168.1.1 IP address, at least in the default installation
from Telefonica).

Exploit

perl -e 'print "GET /"."A"x1008;print "\nHost:192.168.1.1:280\n\n\n\n\n"' | netcat -v -n 192.168.1.1 80

You can read this advisory in Spanish at

http://nautopia.coolfreepages.com/vulnerabilidades/vul_xavi_7028r.htm


Regards,

David F. Madrid,
Madrid, Spain
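
The advisory attributes the reboot to an unchecked URL length in the HTTP request. The following is an added example, not code from the advisory or from the XAVI firmware, showing a request-line parser that checks lengths before every copy and answers an oversize URL with 414 instead of processing it. The names parse_request_line and struct request, the 255-byte MAX_URI_LEN and the GET/HEAD-only policy are assumptions made for illustration.

```c
#include <string.h>

#define MAX_URI_LEN 255  /* assumed limit; size it to the longest real URL */

enum parse_status { PARSE_OK = 200, PARSE_BAD_REQUEST = 400,
                    PARSE_URI_TOO_LONG = 414, PARSE_NOT_IMPLEMENTED = 501 };
struct request { char method[8]; char uri[MAX_URI_LEN + 1]; };

/* Parse "METHOD SP URI [SP VERSION]" from a buffer of known length.
 * Lengths are checked before every copy; oversize input is rejected. */
enum parse_status parse_request_line(const char *buf, size_t len,
                                     struct request *out)
{
    const char *eol = memchr(buf, '\n', len);
    size_t line_len = eol ? (size_t)(eol - buf) : len;
    if (line_len > 0 && buf[line_len - 1] == '\r')
        line_len--;                       /* accept CRLF or bare LF */

    const char *sp = memchr(buf, ' ', line_len);
    if (sp == NULL || sp == buf)
        return PARSE_BAD_REQUEST;
    size_t mlen = (size_t)(sp - buf);
    if (mlen >= sizeof out->method)
        return PARSE_NOT_IMPLEMENTED;
    memcpy(out->method, buf, mlen);
    out->method[mlen] = '\0';
    /* Assumption: a device description server only needs GET and HEAD. */
    if (strcmp(out->method, "GET") != 0 && strcmp(out->method, "HEAD") != 0)
        return PARSE_NOT_IMPLEMENTED;

    const char *uri = sp + 1;
    size_t rest = line_len - mlen - 1;
    const char *uri_end = memchr(uri, ' ', rest);
    size_t ulen = uri_end ? (size_t)(uri_end - uri) : rest;
    if (ulen == 0 || uri[0] != '/')
        return PARSE_BAD_REQUEST;
    if (ulen > MAX_URI_LEN)
        return PARSE_URI_TOO_LONG;        /* the length check reported missing */
    memcpy(out->uri, uri, ulen);
    out->uri[ulen] = '\0';
    return PARSE_OK;
}

int main(void)
{
    struct request r;
    const char ok[] = "GET /desc.xml HTTP/1.1\r\n";  /* constructed sample */
    return parse_request_line(ok, sizeof ok - 1, &r) == PARSE_OK ? 0 : 1;
}
```
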



