Issue: ----------------------------------------------------------------|

   LG Electronics LR3100p is a small WAN router, with two WAN interfaces
   and one Ethernet. It comes with no access lists defined, which enables
   administrator to connect to port 23/tcp (telnet). However, IP stack of
   LR3100p has several bugs, that can be exploited via network.

Description: ----------------------------------------------------------|

   When configured without access lists protecting port 23, the LR3100p is
   vulnerable to at least three (3) bugs, resulting from memory allocation
   function buffer overflows.
   
   (1)
   First is exploitable without any access to user account at the router.
   Only thing needed is access to port 23/tcp. If the router is attacked
   with data stream (can be any characters, both randomized and text-only
   input was used during testing) coming to that port it will reboot,
   usually with no message. 

   (2)
   Second bug is applicable only to software revisions up to and including
   1.30. Few packets generated via simple scanning (for example nmap with
   `-O' option) can result in reboot of the router with following message:

   Exception 1400 at IP 12afc4

   (3)
   Third bug is directly in the telnet service, when checking passwords.
   The same technique with random data stream is used, however few ENTER
   characters should be sent at first, to overcome router primary prompt
   waiting for that key to be pressed. The stream length was measured to
   be about 40kB. Also in this case, router reboots with no message.

Vulnerable versions: --------------------------------------------------|

   Versions up to and including 1.30 are vulnerable to all bugs mentioned.
   Release 1.50 is vulnerable only to first and third bug. The vendor
   representative was informed about the vulnerabilities on 2002-04-18,
   and LG has recently released `fixed' release 1.52 which, however,
   is still vulnerable to first and third bug.

Info on this advisory: ------------------------------------------------|

   This advisory can be accessed on-line at my personal site:<a href="http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.html">
   http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.html</a>
   or in plain-text:<a href="http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.txt">
   http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.txt</a>
   
   My personal GPG key fingerprint is located at following address:<a href="http://mr0vka.eu.org/aboutme/index.html#pgp">
   http://mr0vka.eu.org/aboutme/index.html#pgp</a>
   
Disclaimer: -----------------------------------------------------------|

   None at this time.