[NEWS] SMC Routers Passwordless Remote Administration

From: SecuriTeam (support_at_securiteam.com)
Date: 05/09/04

    To: list@securiteam.com
    Date: 9 May 2004 19:36:51 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SMC Routers Passwordless Remote Administration
    ------------------------------------------------------------------------

    SUMMARY

    Several <http://www.smc.com/> SMC routers do not close the remote
    administration port to external users (i.e. from the Internet), nor do
    they require any authentication. A malicious attacker can obtain complete
    control over the router, thus exposing the LAN.

    DETAILS

    Vulnerable Systems:
     * SMC Router 7008ABR (part number 750.9814 with firmware 1.032)
     * SMC Router 7004VBR (version 1, firmware 1.231)
     * Other models and firmware versions may be vulnerable.

    SMC broadband routers ship with remote administration enabled by default
    on port 1900 on the WAN side of the router. If you pull one out of the
    box, plug it into your Internet connection, go through the "Setup
    Wizard" and do nothing beyond that point, port 1900 is open on the
    router and completely passwordless. ANY person can visit
    http://1.2.3.4:1900/ (where "1.2.3.4" is the router's external IP
    address), hit "Login" and have full control of the router. This may
    allow any person to expose the very machines being protected by the
    router.

    Steps to reproduce:
    1. Reset the router to factory defaults, either by logging onto its remote
    administration page at http://192.168.2.1/ and clicking "Advanced Setup"
    then "Tools" then "Configuration Tools", choosing "Restore barricade to
    factory defaults" and clicking "Next", or by holding down the router's
    reset button with a paper clip for 30 seconds.
    2. After the router has been reset to factory defaults, visit its
    administration page at http://192.168.2.1/
    3. Click "login"
    4. Click "Setup Wizard" then "Next"
    5. Choose the appropriate connection type you have.
    6. When it is "connected" and you can web browse on the Internet just fine
    behind it, go back to the router's administration page at
    http://192.168.2.1/
    7. Click "Advanced Setup" then "Status" and write down the router's WAN IP
    address. (For example 1.2.3.4)
    8. Now using a computer that has a different external IP address (another
    machine on the Internet), visit the router's port 1900 in your web browser
    http://1.2.3.4:1900/

    You are then greeted with a login prompt. Click "Login" and you have full
    control of the router remotely. While you are there, click "Advanced
    Setup" and then "System" then "Remote Management" and you can verify
    "Remote Management" is supposedly disabled yet somehow you are *remotely*
    managing the device.

    Workarounds:
    1. Enable the router's firewall in its "Advanced Setup".
    Or:
    2. Forward port 1900 of the router to a non-existent internal IP address
    (such as 192.168.2.248 if it isn't in use).
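
One way to confirm that either workaround took effect, as an added example that is not part of the original advisory: run it against your own router's WAN address from a machine with a different external IP address, as in step 8. The function names and status labels are this example's own assumptions.

```python
import socket
import sys

ADMIN_PORT = 1900  # WAN-side administration port named in the advisory


def check_wan_admin(host, port=ADMIN_PORT, timeout=5.0):
    """Classify the port as 'closed', 'filtered', 'open-no-http' or 'open-http'.

    The status labels are this example's own (hypothetical) names.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"        # connection refused: nothing is listening
    except OSError:
        return "filtered"      # timed out or unreachable: dropped on the way
    with sock:
        sock.settimeout(timeout)
        request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
        try:
            sock.sendall(request)
            reply = sock.recv(64)
        except OSError:
            return "open-no-http"   # port accepts connections but stays silent
    # An HTTP status line here means a web interface is answering.
    return "open-http" if reply.startswith(b"HTTP/") else "open-no-http"


def workaround_effective(status):
    """Either workaround should leave the port closed or filtered from outside."""
    return status in ("closed", "filtered")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_wan_admin.py <your-router-WAN-IP>")
    result = check_wan_admin(sys.argv[1])
    print(f"TCP {ADMIN_PORT} on {sys.argv[1]}: {result}")
    sys.exit(0 if workaround_effective(result) else 1)
```

A result of "open-http" after the Setup Wizard means the administration interface is still reachable from the Internet; the script exits non-zero in that case so it can be used in a scheduled check.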

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:user86@earthlink.net>
    user86.
