mailing list archives
SOHO Routefinder 550 VPN, DoS and Buffer Overflow
From: "Peter Kruse" <kruse () krusesecurity dk>
Date: Tue, 11 Mar 2003 20:24:25 +0100
Name: SOHO Routefinder 550 VPN, DoS and Buffer Overflow
Date: 11th of Marts 2003
Software affected: RF550VPN Firmware v463, v464 beta
(prior versions are vulnerable - other models might
be affected as well!)
This Advisory is copyright by Peter Kruse.
You may distribute this unmodified.
The opinions expressed in this advisory are my own and not that of any
The usual standard disclaimer applies, especially the fact that Peter
or Kruse Security is not liable for any damages caused by direct or
use of the information or functionality provided by this advisory or
The SOHO RouteFinder is ideal for the small branch office or
telecommuter who needs
secure access to the corporate LAN. In addition to providing a WAN
for DSL or cable broadband Internet access, it also offers both
LAN-to-LAN VPN connectivity based on the IPSec protocol. It supports up
to 5 IPSec
tunnels and provides 3DES encryption with 700K bps throughput.
The Multitech Routefinder supports login through a webinterface. By
interface is enabled on the LAN side with a default login "admin" and a
The weakness is found in the web software implemented on the router.
A user on the LAN side is able to initiate a Denial of Service attack
the router and cause it to fail to respond. This would block all
More scary the fact that it's possible for a remote hostile attacker to
on the box. This is critical since the router is mainly used as a VPN
box for the SOHO
market. In order to attack the box from the outside it would require
that the webinterface
is enabled on the external side. This would often be done for remote
The flaw can be exploited with a GET /OPTIONS parameter.
By supplying an overlong URL: GET /OPTIONS AAAAA..[Ax10001]..AAAAA.HTML
HTTP/1.1 we can
break the box. This allows a hostile user to corrupt memory with
When the box receives the overlong URL it will reboot.
Multitech has released new firmware that fixes this issue.
The firmware can be downloaded from this URL:
(Please note that the firmaware that fixes this issue is still named v
12.2.2003: Vendor contacted at (sales,support,security () multitech com)
17.2.2003: Vendor contacted - reminder
19.2.2003: Reply - working to reproduce the problem
28.2.2003: Proof of concept code supplied in order to reproduce problem
7.3.2003: New firmware released - Tested and confirmed to fix the
11.3.2003: Official release of this advisory
This advisory can be found online on my homepage:
Full-Disclosure - We believe in it.
- SOHO Routefinder 550 VPN, DoS and Buffer Overflow Peter Kruse (Mar 11)