iDEFENSE Security Advisory 11.19.02a:
http://www.idefense.com/advisory/11.19.02a.txt
Denial of Service Vulnerability in Linksys Cable/DSL Routers
November 19, 2002

I. BACKGROUND

Linksys Group Inc. currently sells several broadband router products, 
including:

BEFW11S4, Wireless Access Point Router with 4-Port Switch - Version 2
BEFSR11, EtherFast® Cable/DSL Router
BEFSR41, EtherFast® Cable/DSL Router with 4-Port Switch
BEFSRU31, EtherFast® Cable/DSL Router with USB and 3-Port Switch

More information is available at 
http://www.linksys.com/products/group.asp?grid=23 .

II. DESCRIPTION

The BEFW11S4, BEFSR11, BEFSR41 and BEFSRU31 can be crashed when 
several thousand characters are passed in the password field of the 
device's web management interface. Exploitation simply requires the 
use of a web browser that can send long Basic Authentication fields 
to the affected router's interface.

III. ANALYSIS

Remote exploitation is only possible if the remote web management 
interface is enabled (this is disabled by default). An attacker on the internal 
network can access the web management interface by using a web browser 
and accessing the URL http://192.168.1.1 (default URL).

IV. DETECTION

The BEFW11S4, BEFSR11, BEFSR41, and BEFSRU31 devices with firmware 
earlier than version 1.43.3 are affected.  iDEFENSE confirmed 
susceptibility on the BEFW11S4. Linksys indicated that the BEFSR11, 
BEFSR41 and BEFSRU31 are also affected.

V. WORKAROUND

Disable the remote web management interface on the affected router. 

VI. RECOVERY

Cycling power through the affected device should restore normal 
functionality; pressing the "Reset" button on the router is insufficient.

VII. VENDOR FIX

Linksys firmware 1.43.3, which is available at 
http://www.linksys.com/download/, fixes the problem on all the  
affected devices.

VIII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project 
assigned the identification number CAN-2002-1312 to this issue.

IX. DISCLOSURE TIMELINE

11/02/2002	Issue disclosed to iDEFENSE
11/06/2002	Linksys notified (jay.price@linksys.com)
11/11/2002	Linksys response (diana.ying@linksys.com)
11/18/2002	iDEFENSE clients notified
11/19/2002	Public disclosure

X. CREDIT

Alex S. Harasic (aharasic@terra.cl) discovered this vulnerability.