Issue: ----------------------------------------------------------------|
LG Electronics LR3100p is a small WAN router, with two WAN interfaces
and one Ethernet. It comes with no access lists defined, which enables
administrator to connect to port 23/tcp (telnet). However, IP stack of
LR3100p has several bugs, that can be exploited via network.
Description: ----------------------------------------------------------|
When configured without access lists protecting port 23, the LR3100p is
vulnerable to at least three (3) bugs, resulting from memory allocation
function buffer overflows.
(1)
First is exploitable without any access to user account at the router.
Only thing needed is access to port 23/tcp. If the router is attacked
with data stream (can be any characters, both randomized and text-only
input was used during testing) coming to that port it will reboot,
usually with no message.
(2)
Second bug is applicable only to software revisions up to and including
1.30. Few packets generated via simple scanning (for example nmap with
`-O' option) can result in reboot of the router with following message:
Exception 1400 at IP 12afc4
(3)
Third bug is directly in the telnet service, when checking passwords.
The same technique with random data stream is used, however few ENTER
characters should be sent at first, to overcome router primary prompt
waiting for that key to be pressed. The stream length was measured to
be about 40kB. Also in this case, router reboots with no message.
Vulnerable versions: --------------------------------------------------|
Versions up to and including 1.30 are vulnerable to all bugs mentioned.
Release 1.50 is vulnerable only to first and third bug. The vendor
representative was informed about the vulnerabilities on 2002-04-18,
and LG has recently released `fixed' release 1.52 which, however,
is still vulnerable to first and third bug.
Info on this advisory: ------------------------------------------------|
This advisory can be accessed on-line at my personal site:
http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.html
or in plain-text:
http://mr0vka.eu.org/docs/advisories/lg-3100p-2002-04-18.txt
My personal GPG key fingerprint is located at following address:
http://mr0vka.eu.org/aboutme/index.html#pgp
Disclaimer: -----------------------------------------------------------|
None at this time.