USRobotics USR808054 Wireless Access Point Denial Of Service And Possible Code Execution Vulnerabilities
3 Aug. 2004
The USR808054 wireless access point router supports data transfer acceleration equivalent to 100Mbps throughput, is compatible with the 802.11b/g standards, has built-in WEP and WPA (Wi-Fi Protected Access) support with MAC authentication, and can act as a router for wired networks in addition to providing firewall rules.
The USR808054 wireless router can be administered through a web interface over HTTP, so the router has a built-in HTTP server. A buffer overflow vulnerability in this server allows an attacker to bring down the device and possibly execute arbitrary code on the platform.
The overflow is triggered through the HTTP version string in a GET request. The request can be made without the administrator password, so any user on the network who is allowed to connect to the HTTP port (all users, by default) can exploit this issue. Example proof of concept:

bash~$ perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80
The result is a crash of the access point and the disconnection of all users. With proper knowledge of the architecture used to create the device, it might even be possible to execute arbitrary code on the router itself.
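
A request-line check that a filtering proxy or IDS placed in front of the management interface could apply to catch the malformed version string described above. This is an added example, not code from the advisory or from USRobotics; the function names, the 8192-byte cap and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumptions for this example (not from the advisory): a well-formed
# version token is exactly "HTTP/<digit>.<digit>", and 8192 bytes is an
# arbitrary cap on the whole request line.
VERSION_RE = re.compile(rb"HTTP/\d\.\d")
MAX_REQUEST_LINE = 8192


def check_request_line(raw: bytes):
    """Validate the first line of an HTTP request; return (ok, reason)."""
    line, sep, _ = raw.partition(b"\r\n")
    if not sep:
        return False, "request line not terminated by CRLF"
    if len(line) > MAX_REQUEST_LINE:
        return False, f"request line too long ({len(line)} bytes)"
    parts = line.split(b" ")
    if len(parts) != 3:
        return False, f"expected 3 tokens, got {len(parts)}"
    method, target, version = parts
    if not method.isalpha() or not method.isupper():
        return False, "malformed method"
    if not target:
        return False, "empty request target"
    if not VERSION_RE.fullmatch(version):
        return False, f"malformed version token ({len(version)} bytes)"
    return True, "ok"


def flag_requests(requests):
    """Return (index, reason) for every request that fails validation."""
    alerts = []
    for i, raw in enumerate(requests):
        ok, reason = check_request_line(raw)
        if not ok:
            alerts.append((i, reason))
    return alerts


# Constructed sample input: one normal request, one with the request-line
# shape described in the advisory, one with the version token missing.
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: ap\r\n\r\n",
    b"GET / " + b"A" * 250 + b"\r\n\r\n",
    b"GET /\r\n\r\n",
]

if __name__ == "__main__":
    for idx, why in flag_requests(SAMPLES):
        print(f"request {idx}: {why}")
```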