[26754] in bugtraq
LG Electronics LG3001f router
daemon@ATHENA.MIT.EDU (Bromirski, Lukasz)
Wed Aug 21 12:07:15 2002
Message-ID: <B161EA1CF27CD511A91F00508BBBFA760214DDE4@plwawmail01techdata.pl>
From: "Bromirski, Lukasz" <LBromirski@techdata.pl>
To: bugtraq@securityfocus.com
Date: Wed, 21 Aug 2002 11:10:33 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-2"
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Issue: ----------------------------------------------------------------|
LG Electronics LR3001f is a WAN router. It comes with no access
lists defined, which enables administrator to connect both to
port 23/tcp (telnet) and 80/tcp (www server). However, IP stack of
LR3001f has several bugs, that can be exploited via network.
Description: ----------------------------------------------------------|
When configured without access lists protecting ports 23 or/and 80,
the LR3001f is vulnerable to at least two bugs, resulting from
memory allocation function buffer overflows.
First is exploitable without any access to user account at the
router. Only thing needed is access to port 23/tcp or 80/tcp. If
the router is attacked with data stream (can be any characters,
both randomized and text-only input was used during testing)
targeted at one of the mentioned ports it will reboot, with one of
the following messages:
Router# [BUFFER] Unknown free 0xffffffff
Router# can't malloc
or
Router# [BUFFER] ERROR free not in use
Router# can't malloc
Second bug is directly in the telnet service, when checking
passwords. The same technique with random data stream is used,
however few ENTER characters should be sent at first, to overcome
router primary prompt waiting for that key to be pressed. In this
case, router reboots with no message.
Vulnerable versions: --------------------------------------------------|
All software versions up to and including 4.0 are vulnerable to all
those types of attack.
4.57 version downloadable from vendor website is vulnerable to second
type of attack, however is not vulnerable to first type of attack.
The vendor representative was informed about the vulnerabilities on
2002-04-18. LG did not respond in any way and have not released any
fixed or new software version.
Info on this advisory: ------------------------------------------------|
This advisory can be accessed on-line at my personal site:
http://mr0vka.eu.org/docs/advisories/lg-3001f-2002-04-18.txt
My personal PGP key fingerprint is:
5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49
My personal PGP key is located at:
http://mr0vka.eu.org/pgp.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)
iD8DBQE9Y1PDYqhjwgk7bEkRAphSAKDSip0f/1KhFKueNzGsyl5DcGaLSQCdF7LB
7+JjSjDOvMRTUt8uvtW9A80=
=AJQc
-----END PGP SIGNATURE-----
--
Łukasz Bromirski lbromirski[at]mr0vka.eu.org
PGP key http://mr0vka.eu.org/pgp.asc http://mr0vka.eu.org
PGP finger 5C3B 723F A1FA A2BA E57A E959 62A8 63C2 093B 6C49
