DigitalPranksters Security Advisory
LinkSys EtherFast Router Denial of Service Attack
Product: Linksys EtherFast Cable/DSL Firewall Router BEFSX41 (Firmware
Product URL: http://www.linksys.com/products/product.asp?prid=433
Vendor Contacted: September 9, 2003
Vendor Released Patch: September 26, 2003
DigitalPranksters Public Advisory Released: October 7, 2003
Found By: KrazySnake - krazysnake (at) digitalpranksters (dot) com [email concealed]
The Linksys BEFSX41 has web-based administration utility at a predictable
default address (http://192.168.1.1). The administration is done through a
series of html forms using the "get" method. The router also has an out of
the box password of "admin".
Under the default configuration the router is only accessible from the
local lan and not the internet. However, an attacker could set up a web
page or send html email to someone inside of the lan to indirectly send
commands to the router.
An attacker could specify a URL that results in denial of service. The
denial of service occurs when long string is sent to the System Log
Viewer's "Log_Page_Num" parameter. The router will be unresponsive after
the URL is visited when logging is enabled.
Proof of Concept:
If an attacker can get the admin of the router to view a URL like
router will become inoperable. The link could be set as the source of an
image html tag.
Linksys released an updated firmware to address this issue. This firmware
update is made available by Linksys from
SkippyInside, AngryB, Harmo, HTMLBCat, and Spyder.
Thanks to Linksys for fixing this issue.
Standard disclaimer applies. The opinions expressed in this advisory are
our own and not of any company. The information within this advisory may
change without notice. Use of this information constitutes acceptance for
use in an AS IS condition. There are no warranties with regard to this
information. In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.