
Title: Remotely exploitable Buffer overflows and Authentication bypassing bugs on Linksys BEFW11S4 Wireless router and other devices.

Many Linksys network appliances have a remote administration and configuration interface via HTTP, reachable either from the local network or, if it is enabled, from any host across the internet. The implementation of the embedded HTTP server presents several different exploitable vulnerabilities: some of them allow an unauthorized user to gain control of the appliance, some let an attacker reboot it, and some are of unknown severity. One of the bugs was independently discovered by Seth Bromberger and other people as well, and was partially fixed by Linksys in firmware version 1.43.3 (see ). Some of the other bugs were discussed on different mailing lists and were incorrectly tagged as different Denial of Service bugs, while they are either different incarnations of the same bugs or exploitable buffer overflows leading to code execution, as we will try to explain in this advisory. Yet other bugs form a big family, of which only one was mentioned in an iDefense advisory.

The first bug is due to the fact that no authentication is required to access any. This is needed to support UPnP, but is not disabled when UPnP support is disabled. An error in how the URL is parsed allows any user to access any page in the remote administration interface without supplying a password. After this, she could modify filtering rules, change the administration password, enable remote administration from any host on the internet, upload a new firmware, and perform any other configuration action an authenticated user is able to do. This bug was partially fixed in firmware version 1.43.3, but in this version there is still a way to bypass authentication using the checks for UPnP's. At the same time, three other similar bugs were introduced in this firmware (only for BEFW11S4), which allow authentication bypassing in a similar way.

The second kind of bug is due to a stack based buffer overflow, and lets an attacker execute arbitrary code in the appliance, gaining total control over it. As this bug is present in the code executed before authentication, no password is needed to exploit this vulnerability. After this, she could change any of the configuration options previously mentioned, or even turn the appliance into an agent which could be used as a stepping stone to pivot, either to the internal network or to the internet, as part of a more complex attack.

Additionally, there are several "heap" based buffer overflows, all of which, as far as we could verify, are post authentication. We haven't determined whether the exploitation of these bugs may lead to arbitrary code execution or any other form of "privilege escalation", but we do not discard this possibility.

Vendor timeline (fragments as preserved on the page):
Linksys fix provided in response to another
CORE tested fix, found new and still existing bugs:
