Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Linksys Router Local DoS - Tripwire Privilege Escalation SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Linksys Router Local DoS - Tripwire Privilege Escalation
Denial of Service Vulnerabilities in Linksys Routers

Alan McCaig of www.b0f.net reported two local denial of service vulnerabilities in the following models of Linksys routers:

Linksys BEFSR41

Linksys BEFSRU31

Linksys BEFSR11

Linksys BEFSX41

Linksys BEFSR81 v2/v3

Linksys BEFW11S4 v3

Linksys BEFW11S4 v4


The threat posed by these vulnerabilities is mitigated somewhat, as they are apparently only exploitable from the LAN side of the router. However, they will leave the device in a deadlocked state requiring a reset to factory defaults to return to working order. If the user has made significant modifications beyond these defaults this would likely be the source of much chagrin.

Currently, the only fix is to not randomly click on untrusted links.

Format String Vulnerability in Tripwire

Paul Herman <pherman@frenchfries.net> released information regarding the mishandling of filenames passed into email reports generated by Tripwire. Although the author states that no exploit currently exists, this information is especially concerning as Tripwire is generally used on machines the administrators would like to maintain a higher-than-normal level of security on. Vulnerable versions are:

Tripwire commercial versions <= 2.4
Tripwire open source versions <= 2.3.1

Paul also included a patch for the open source version of Tripwire:

Index: src/tripwire/pipedmailmessage.cpp

===================================================================

retrieving revision 1.1

retrieving revision 1.2

diff -u -r1.1 -r1.2

--- src/tripwire/pipedmailmessage.cpp 21 Jan 2001 00:46:48 -0000 1.1

+++ src/tripwire/pipedmailmessage.cpp 26 May 2004 20:59:15 -0000 1.2

@@ -180,7 +180,7 @@



void cPipedMailMessage::SendString( const TSTRING& s )

{

- if( _ftprintf( mpFile, s.c_str() ) < 0 )

+ if( _ftprintf( mpFile, "%s", s.c_str() ) < 0 )

{

TOSTRINGSTREAM estr;

estr << TSS_GetString( cTripwire,
tripwire::STR_ERR2_MAIL_MESSAGE_COMMAND )



Users are encouraged to patch or disable email alerting to maintain the integrity of their systems.

Cory Altheide

Handler on Duty
 Cory Altheide

19 Posts
Jun 4th 2004
Thread locked Subscribe Jun 4th 2004
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!