Issue: ----------------------------------------------------------------|

   LG Electronics LR3001f is a WAN router. It comes with no access
   lists defined, which enables administrator to connect both to
   port 23/tcp (telnet) and 80/tcp (www server). However, IP stack of
   LR3001f has several bugs, that can be exploited via network.

Description: ----------------------------------------------------------|

   When configured without access lists protecting ports 23 or/and 80,
   the LR3001f is vulnerable to at least two bugs, resulting from
   memory allocation function buffer overflows.
   
   First is exploitable without any access to user account at the
   router. Only thing needed is access to port 23/tcp or 80/tcp. If
   the router is attacked with data stream (can be any characters,
   both randomized and text-only input was used during testing)
   coming to one of the mentioned ports it will reboot, with one of
   the following messages:
   
   Router# [BUFFER] Unknown free 0xffffffff
   Router# can't malloc

   or

   Router# [BUFFER] ERROR free not in use
   Router# can't malloc

   Measured values for lenght of the data stream were
   approx. 750kB for 23/tcp and 600kB for 80/tcp. 

   Second bug is directly in the telnet service, when checking
   passwords. The same technique with random data stream is used,
   however few ENTER characters should be sent at first, to overcome
   router primary prompt waiting for that key to be pressed. In this
   case, router reboots with no message.

Vulnerable versions: --------------------------------------------------|

   All software versions up to and including 4.0 are vulnerable to this
   types of attack.
   
   4.57 version downloadable from vendor website is vulnerable to second
   type of attack, however is not vulnerable to first type of attack.
   
   The vendor representative was informed about the vulnerabilities on
   2002-04-18, and LG till that day has not released any new software
   version.

Info on this advisory: ------------------------------------------------|

   This advisory can be accessed on-line at my personal site:<a href="http://mr0vka.eu.org/docs/advisories/lg-3100f-2002-04-18.html">
   http://mr0vka.eu.org/docs/advisories/lg-3100f-2002-04-18.html</a>
   or in plain-text:<a href="http://mr0vka.eu.org/docs/advisories/lg-3100f-2002-04-18.txt">
   http://mr0vka.eu.org/docs/advisories/lg-3100f-2002-04-18.txt</a>
   
   My personal GPG key fingerprint is located at following address:<a href="http://mr0vka.eu.org/aboutme/index.html#pgp">
   http://mr0vka.eu.org/aboutme/index.html#pgp</a>
   
Disclaimer: -----------------------------------------------------------|

   None at this time.