Hawking Technologies HAR11A router considered insecure

From: Marcus Garvey (dartroller_at_mad.scientist.com)
Date: 10/26/04

    Date: 26 Oct 2004 16:08:24 -0000
    To: bugtraq@securityfocus.com

    The Hawking Technologies HAR11A modem/router is shipped insecure.  It
    suffers from the infamous Conexant security hole (
    http://www.chiark.greenend.org.uk/~theom/security/origo.html ). You can
    find lots of references to this in a google search for "conexant port

    You can see the Hawking Technologies HAR11A (picture:
    http://www.hawkingtech.com/images/productlg/HAR11%20View.jpg ) security
    hole by using telnet(1) to connect to port 254 on it. When you do, you
    will find an undocumented management interface which allows you to see
    connection statistics without a password. Visible menu choices on the
    interface also allegedly allow you to change parameters on the router,
    but I don't know if they actually work without a password, or if the
    password used here is the same as the one assigned to the modem's
    browser interface. I suspect that the same hole exists on the HAR14A,
    but I don't have a sample to test. If you have this model (picture:
    http://www.hawkingtech.com/images/productlg/HAR14%20View.jpg), I'd love
    to know if it has the same troubles as the HAR11A.

    You can close the security hole from the internet side by using the
    "Virtual Host" feature in the modem's browser interface to forward ports
    254, 255, and 23 to a nonexistent host (such as "").  This
    still allows access from the firewall side of the modem, however.
    The safest thing to do is to put the modem into 'bridge mode' and do
    all your NAT, PPPoE, and security from your Linux firewall.

    I found out about this hole shortly after getting broadband networking
    into my house. When I ran nmap(1) against my home IP address, I
    discovered that ports 254, 255, and 23 were open, and when I used
    telnet(1) to connect to them, I found the management interface described
    above. After I doused the fire in my hair, I found that this was unknown
    to my ISP's tech support folks.  Hawking Technologies has promised
    a patch for 20 October, but I haven't seen it yet on their site.
    You can keep an eye out for it at http://www.hawkingtech.com.

    If you own one of these modems, you should at least make sure that the
    security fix described above is in place. Without it, you could lose
    your broadband connection without warning when the modem's power
    cycles.  If you do not have good records of what settings were in
    the modem when it was working, you may find it difficult to fix the
