SIG^2 Vulnerability Research Advisory

Aztech DSL305E ADSL Ethernet Bridge/Router may be crashed by sending a specially crafted HTTP request to its web management port.

by Tan Chew Keong
Release Date: 19 June 2004

Summary

Aztech ADSL Ethernet Bridge Modem DSL305E is a standards-based ADSL modem targeted at residential users, either for a single user or for multiple users via connection to a Cable/DSL router. Aztech DSL305E provides high-speed DSL access at home to an Ethernet-attached PC regardless of operating system platform.

DSL305E supports web-based device management using port 80. A flaw in its implementation allows an attacker to crash the device by sending a specially crafted HTTP request to this port. In addition, it was found that DSL305E (with firmware 21.6.3) has an undocumented logon account with username "user" and has no password. DSL305EU may also be affected by this vulnerability.

 
Tested System

DSL305E with firmware version 20.20.7 (20.20.7-1.dlf).
DSL305E with firmware version 21.6.3 (21.6.3-1.dlf).

Others
DSL305EU with firmware version 21.6.3 (21.6.3-1.dlf) may also be vulnerable.

 
Details

The device runs WindWeb Server 1.0.2 and may be crashed by sending an HTTP request with an overly long hostname to its web-based management port. An example HTTP request that can crash the device is shown below.

GET / HTTP/1.0
Host: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Connection: keep-alive
 
Subsequently, the device will stop serving any requests and needs to be powered off and on again. This affects DSL305E with either 20.20.7 or 21.6.3 firmware.
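The following Python example is added here and is not part of the original advisory. It shows the two things a defender wants from the description above: a check that flags requests to the management port whose Host header is longer than any legitimate hostname (for detection in captured traffic or a proxy log), and a request-head reader that enforces a per-line length limit, which is the class of fix a web server needs to avoid the crash the advisory describes. The length limits, the sample requests and the function names are all constructed for this example.

```python
import io

# Constructed limits; these are assumptions, not values from the advisory.
MAX_HOSTNAME_LEN = 253       # RFC 1035: a full domain name is at most 253 octets
MAX_HEADER_LINE_LEN = 256    # cap a hardened server enforces on any header line


def parse_head(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (request line, headers).

    Accepts CRLF or bare LF line endings, lower-cases header names and
    ignores any body. Duplicate headers keep the last value."""
    head = raw.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    lines = head.decode("latin-1").splitlines()
    if not lines:
        raise ValueError("empty request")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # tolerate junk lines when inspecting traffic
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect_request(raw: bytes) -> list[str]:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings: list[str] = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    # Any single header line beyond the cap is suspicious on its own.
    for line in head.splitlines():
        if len(line) > MAX_HEADER_LINE_LEN:
            findings.append(f"header line too long: {len(line)} bytes")
    _request_line, headers = parse_head(raw)
    host = headers.get("host")
    if host is None:
        return findings
    # Strip a single ":port" suffix; leave bracket-less IPv6 literals untouched.
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    if len(hostname) > MAX_HOSTNAME_LEN:
        findings.append(f"host header too long: {len(hostname)} > {MAX_HOSTNAME_LEN}")
    return findings


def read_head_bounded(stream, max_line: int = MAX_HEADER_LINE_LEN, max_lines: int = 64) -> bytes:
    """Read a request head the way a hardened embedded server should.

    Every line is read with an explicit length limit, so an over-long Host
    header is rejected with an error instead of overrunning a fixed buffer."""
    head = bytearray()
    for _ in range(max_lines):
        line = stream.readline(max_line + 1)
        if not line:
            raise ValueError("connection closed before end of headers")
        if len(line) > max_line or not line.endswith(b"\n"):
            raise ValueError(f"header line exceeds {max_line} bytes")
        head += line
        if line in (b"\r\n", b"\n"):      # blank line terminates the head
            return bytes(head)
    raise ValueError("too many header lines")


def head_accepted(raw: bytes) -> bool:
    """True if the bounded reader accepts the request head, False if it rejects it."""
    try:
        read_head_bounded(io.BytesIO(raw))
        return True
    except ValueError:
        return False


# Constructed sample requests (not captured from a real device).
BENIGN_REQUEST = b"GET / HTTP/1.0\r\nHost: 10.0.0.2\r\nConnection: keep-alive\r\n\r\n"
OVERSIZED_HOST_REQUEST = (
    b"GET / HTTP/1.0\r\nHost: " + b"A" * 300 + b"\r\nConnection: keep-alive\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_HOST_REQUEST)):
        print(label, inspect_request(req), "accepted" if head_accepted(req) else "rejected")
```

The inspection side is deliberately tolerant of malformed input, since it looks at traffic that may be hostile; the reader side is strict, because a server that cannot bound its own reads is exactly what the advisory describes failing.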

When used with firmware 21.6.3, the device functions as a broadband NAT router and supports web-based device management from the Internet. In this case, it is possible to remotely crash the device by sending a malicious HTTP request to port 80 of the device's WAN interface prior to HTTP authentication.

In addition, it was also found that DSL305E (with firmware 21.6.3) has an undocumented logon account with username "user" and has no password.

 
Workarounds

If the device is using firmware 21.6.3, the impact may be minimized by disabling web management on its WAN interface. If this is not possible, configure port forwarding to forward port 80 on the WAN interface to a non-existent internal IP. This prevents the device from being crashed by a malicious request sent from the Internet.

The password of "user" on DSL305E (firmware 21.6.3) may be changed by accessing the undocumented device URL http://10.0.0.2/doc/pwduser.htm, after logon as "admin".

 
Disclosure Timeline

03 Jun 04 - Vulnerability Discovered
06 Jun 04 - Initial Vendor Notification (no reply)
13 Jun 04 - Second Vendor Notification (no reply)
19 Jun 04 - Public Release

 

Contacts

For further questions and enquiries, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 6/6/2004
webmaster@security.org.sg