Linksys WRT350N Information Element Remote Denial-of-Service Vulnerability

Vulnerability ID: 1185450    Vulnerability type: Input validation
Published: 2008-09-04    Updated: 2008-09-04
CVE ID: CVE-2007-5474    CNNVD-ID: CNNVD-200809-083
Platform: N/A    CVSS score: 6.3
|Vulnerability source
https://www.securityfocus.com/bid/31012
https://cxsecurity.com/issue/WLB-2008090012
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200809-083
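|Vulnerability details
The Linksys WRT350N is a popular wireless broadband router. Linksys WRT350N routers based on the Atheros AR5416-AC1E chipset do not correctly parse the Atheros vendor-specific information element in association requests. If a user who has passed 802.11 authentication includes an overlong length field in the request, a buffer overflow can be triggered, leading to denial of service or arbitrary code execution.
|Vulnerability EXP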
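The length checks whose absence the description above points to, as an added example in C (not code from the advisory, Linksys or the Atheros driver). It walks the ID/length/value elements of an association request and rejects an Atheros vendor element whose length overruns the frame or the destination buffer. The function name, the status codes, the 16-byte ATH_CAP_MAX buffer size and the sample byte arrays are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_VENDOR   221  /* 802.11 vendor-specific element ID */
#define ATH_CAP_MAX 16   /* assumed size of the fixed destination buffer */
static const uint8_t ATH_OUI[3] = {0x00, 0x03, 0x7f}; /* Atheros OUI 00:03:7F */
enum ie_status { IE_OK = 0, IE_NOT_FOUND = 1, IE_TRUNCATED = -1, IE_TOO_LONG = -2 };
/* Constructed sample element lists (not captured traffic). */
static const uint8_t GOOD_IES[] = {0, 4, 't', 'e', 's', 't', 221, 5, 0x00, 0x03, 0x7f, 0x01, 0x01};
static const uint8_t CUT_IE[]   = {221, 40, 0x00, 0x03, 0x7f, 0x01}; /* length past end of frame */
static const uint8_t LONG_IE[22] = {221, 20, 0x00, 0x03, 0x7f};      /* 17-byte payload, zero filled */

/* Copy the bytes after the OUI of the first Atheros vendor element in
 * buf[0..len) into out, which must hold ATH_CAP_MAX bytes. */
enum ie_status find_atheros_ie(const uint8_t *buf, size_t len,
                               uint8_t *out, size_t *out_len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2)
            return IE_TRUNCATED;              /* no room for ID + length */
        uint8_t id = buf[off];
        size_t ie_len = buf[off + 1];
        if (ie_len > len - off - 2)
            return IE_TRUNCATED;              /* declared length runs past the frame */
        const uint8_t *val = buf + off + 2;
        if (id == IE_VENDOR && ie_len >= 3 && memcmp(val, ATH_OUI, 3) == 0) {
            size_t payload = ie_len - 3;
            if (payload > ATH_CAP_MAX)
                return IE_TOO_LONG;           /* would overflow out[] */
            memcpy(out, val + 3, payload);
            *out_len = payload;
            return IE_OK;
        }
        off += 2 + ie_len;                    /* skip to the next element */
    }
    return IE_NOT_FOUND;
}

int main(void)
{
    uint8_t out[ATH_CAP_MAX];
    size_t n = 0;
    printf("good=%d cut=%d long=%d\n", find_atheros_ie(GOOD_IES, sizeof GOOD_IES, out, &n),
           find_atheros_ie(CUT_IE, sizeof CUT_IE, out, &n),
           find_atheros_ie(LONG_IE, sizeof LONG_IE, out, &n));
    return 0;
}
```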
Title:
------
* Atheros Vendor Specific Information Element Overflow

Summary:
--------
* The wireless drivers in some Wi-Fi access points (such as the
ATHEROS-based Linksys WRT350N) do not correctly parse the Atheros vendor
specific information element included in association requests. This
information element is used by wireless devices to advertise Atheros
specific capabilities.

Assigned CVE:
-------------
* CVE-2007-5474

Details:
--------
* The bug can be triggered by a malicious association request sent to
the wireless access point where one of the information elements must be
an Atheros information element with an inappropriate length (typically
too long). This can be achieved only after a successful 802.11
authentication (in "Open" or "Shared" mode according to the
configuration of the wireless access point).

Attack Impact:
--------------
* Denial-of-service (reboot or hang-up) and possibly remote arbitrary
code execution

Attack Vector:
--------------
* Unauthenticated wireless device

Timeline:
---------
* 2007-10-22 - Vulnerability reported to Linksys
* 2007-10-23 - Full details sent to Linksys
* 2008-09-04 - Public disclosure

Affected Products:
------------------
* Linksys WRT350N (firmware v2.00.17) with Atheros AR5416-AC1E chipset

Vulnerable Devices:
-------------------
* As it is a wireless driver specific issue, the wireless vendor should
use the latest chipset wireless driver for their access point firmwares.
This security vulnerability was reported to Linksys, updated firmwares
should be available on their web site. Any other wireless device relying
on this vulnerable wireless driver is likely to be vulnerable.

Credits:
--------
* This vulnerability was discovered by Laurent Butti and Julien Tinnes
from France Telecom / Orange
|Affected products
Linksys WRT350N 2.0.17
Atheros Communications AR5416-AC1E 0
|References

Source: XF
Name: atheros-as5416ac1e-associationrequest-dos(44921)
Link: http://xforce.iss.net/xforce/xfdb/44921
Source: BID
Name: 31012
Link: http://www.securityfocus.com/bid/31012
Source: BUGTRAQ
Name: 20080904AtherosVendorSpecificInformationElementOverflow
Link: http://www.securityfocus.com/archive/1/archive/1/495984/100/0/threaded
Source: SREASON
Name: 4226
Link: http://securityreason.com/securityalert/4226