ðòïåëôù 


  áòèé÷ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  óôáôøé 


  ðåòóïîáìøîïå 


  ðòïçòáííù 



ðéûéôå
ðéóøíá














     áòèé÷ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [EEYEB-20060227] D-Link Router UPNP Stack Overflow




> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx] 
> Sent: Monday, July 17, 2006 9:20 PM
> To: full-disclosure@xxxxxxxxxxxxxxxxx; 
> ntbugtraq@xxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx; 
> vulnwatch@xxxxxxxxxxxxx
> Subject: [EEYEB-20060227] D-Link Router UPNP Stack Overflow
> 
> D-Link Router UPNP Stack Overflow
> 
> Release Date:
> July 13, 2006
> 
> Date Reported:
> February 27, 2006
> 
> Patch Development Time (In Days):
> 136
> 
> Severity:
> High (Remote Code Execution)
> 
> Vendor:
> D-Link
> 
> Routers Affected:
> 
> DI-524 Rev A
> DI-524 Rev C
> DI-524 Rev D
> DI-604 Rev E
> DI-624 Rev C
> DI-624 Rev D
> DI-784 Rev A
> EBR-2310 Rev A
> WBR-1310 Rev A
> WBR-2310 Rev A
> 
> Overview:
> 
> A remote stack overflow exists in a range of wired and wireless D-Link
> routers. This vulnerability allows an attacker to execute privileged
> code on an affected device. When a specific request is sent to an
> affected device, a traditional stack overflow is triggered allowing an
> attacker complete control of the router. With the ability to execute
> code on the device, it is then possible to apply modified 
> firmware, and
> ultimately compromise the entire network.
> 
> The Universal Plug and Play (uPnP) stack on many D-Link devices is
> vulnerable to a traditional remote stack overflow. This vulnerability
> exists on the Local Area Network (LAN) interface of affected D-Link
> devices. Due to the ease in which one can gain access to the LAN
> interface of wireless devices, this attack is remote in nature.
> 
> Technical Details:
> 
> The vulnerability exists within the M-SEARCH function. By issuing an
> M-SEARCH request with an overly long parameter (approximately 800
> bytes), a stack overflow is triggered and an attacker can reliably
> execute code of his/her choosing. This can be accomplished without
> affecting network connectivity and without any signs of exploitation.
> In some exploitation cases, the payload may require a 
> soft-reset on the
> device, interrupting connectivity for a brief moment.
> 
> The following request to UDP port 1900 will trigger the stack 
> overflow:
> 
> M-SEARCH <800 byte string> HTTP/1.0
> 
> Information on exploiting vulnerabilities within embedded systems is
> scarce. To successfully debug hardware devices you will generally
> require external hardware for the debugging interface.
> 
> I will be giving a presentation at SyScan '06 (http://www.syscan.org)
> that will demonstrate exactly how to analyze, debug, and exploit
> embedded devices.
> 
> A previous lecture demonstrates the compromise of a network via an
> exploitable router, these slides are available for download from:
> 
> http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Jack.pdf
> 
> Vendor Status:
> 
> D-Link has released updates for all affected routers and they are
> available for download from the D-Link website. (http://www.dlink.com)
> 
> Credit:
> Barnaby Jack
> 
> Greetings:
> 
> B-boys and Fly-girls
> 
> Copyright (c) 1998-2006 eEye Digital Security
> Permission is hereby granted for the redistribution of this alert
> electronically. It is not to be edited in any way without express
> consent of eEye. If you wish to reprint the whole or any part of this
> alert in any other medium excluding electronic medium, please email
> alert@xxxxxxxx for permission.
> 
> Disclaimer
> The information within this paper may change without notice. 
> Use of this
> information constitutes acceptance for use in an AS IS 
> condition. There
> are no warranties, implied or express, with regard to this 
> information.
> In no event shall the author be liable for any direct or indirect
> damages whatsoever arising out of or in connection with the use or
> spread of this information. Any use of this information is at 
> the user's
> own risk.
> 




 




Copyright © Lexa Software, 1996-2009.