lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42943.80.58.4.235.1058957482.squirrel@www.videosoft.net.uy>
From: conde0 at telefonica.net (David F.Madrid)
Subject: Denial of service in XAVI X7028r DSL Wireless router

Product affected : Xavi X7028r DSL router

Description :

Telefonica offers to his clients in Spain and South America the possibility
of installing with his ADSL service a wireless router developed by XAVI .

This router is Universal Plug and Play capable and when it receives a
UPNP M-SEARCH request it answers offering an URL on his tcp port 280
with its characteristics and xml pages to interact with the device
As the length of the URL parameter is not checked in the HTTP request ,
sending GET , HEAD or TRACE requests with different lengths cause
a reboot on the router . PPP connection keeps active , but you will
have to disconnect and reconnect to use the connection again .

This can be used by a LAN user to cause a DOS . A remote user can
exploit this with a bit of interaction from a X7028r user ( clicking
on a link in a website vulnerable to XSS or visiting a webpage
can be enough as you can always access the upnp interface with
192.168.1.1 IP address , at least in the default instalation
from Telefonica ) .

Exploit

perl -e 'print "GET /"."A"x1008;print "\nHost:192.168.1.1:280\n\n\n\n\n"'
| netcat -v -n 192.168.1.1 80

You can read this advisory in Spanish in

http://nautopia.coolfreepages.com/vulnerabilidades/vul_xavi_7028r.htm


Regards ,

David F. Madrid ,
Madrid , Spain




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ