Date: Thu, 27 Mar 2003 16:27:07 +0000
From: <m.singh@...co.net>
To: Arhont Information Security <infosec@...ont.com>
Subject: Re: SNMP security issues in D-Link DSL Broadband Modem/Router


I told dlink about this problem last year in September. They told me they would release a fix, but I have not seen a fix.
It looks like dlink will not be doing anything about this problem.

In future I will post here as well.

Thanks 

Malkit Singh

> 
> From: Arhont Information Security <infosec@...ont.com>
> Date: 2003/03/27 Thu PM 03:31:41 GMT
> To: bugtraq@...urityfocus.com
> Subject: SNMP security issues in D-Link DSL Broadband Modem/Router
>
> Arhont Ltd - Information Security Company
>
> Arhont Advisory by:         Andrei Mikhailovsky (www.arhont.com)
> Advisory:                   D-Link DSL Broadband Modem/Router
> Router Model Name:          D-Link DSL-500
> Model Specific:             Other models might be vulnerable as well
> Manufacturer site:          http://www.dlink.com
> Manufacturer contact (UK):  Tel: 0800 9175063 / 0845 0800288
> Contact Date:               06/03/2003
>
> DETAILS:
>
> While performing a general security testing of a network, we have found
> several security vulnerability issues with the D-Link DSL Broadband Modem
> DSL-500
>
> Issue 1:
>
> The default router installation enables SNMP (Simple Network Management
> Protocol) server with default community names for read and read/write
> access. The DSL-500 modem is configured to allow SNMP access from the
> WAN (Wide Area Network)/Internet side as well as from LAN.
>
> andrei@...le:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
> sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
> Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
> Copyright (c) 2000 Dlink Corp.
> sysObjectID.0 = OID: enterprises.171.10.30.1
> sysUpTime.0 = Timeticks: (14246347) 1 day, 15:34:23.47
> ...
> ...
>
> The community name: public
>
> allows read access to the mentioned devices, allowing enumeration and
> gathering of sensitive network information.
>
> The community name: private
>
> allows read/write access to devices, thus allowing change of the network
> settings of the broadband modem.
>
> Impact: This vulnerability allows local and internet malicious attackers
> to retrieve and change network settings of the modem.
>
> Risk Factor: Medium/High
>
> Possible Solutions: Firewall UDP port 161 from LAN/WAN sides, as it is
> not possible to disable SNMP service from the web management interface.
>
> Issue 2:
>
> The ISP account information including login name and password is stored
> on the modem without encryption. It is therefore possible to retrieve
> this information with simple SNMP gathering utility such as snmpwalk:
>
> andrei@...le:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
> sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
> Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
> ...
> ...
> ...
> transmission.23.2.3.1.5.2.1 = STRING: "username@...-provider"
> ...
> ...
> transmission.23.2.3.1.6.2.1 = STRING: "password-string"
> ...
> ...
> ...
>
> Impact: This vulnerability allows LAN and internet malicious attackers
> to retrieve confidential information.
>
> Risk Factor: Very High
>
> Possible Solutions: As a temporary solution you should firewall UDP port
> 161 from LAN/WAN sides, as it is not possible to disable SNMP service
> from the web management interface.
>
> According to the Arhont Ltd. policy, all of the found vulnerabilities
> and security issues will be reported to the manufacturer 7 days before
> releasing them to the public domains (such as CERT and BUGTRAQ), unless
> specifically requested by the manufacturer.
>
> If you would like to get more information about this issue, please do
> not hesitate to contact Arhont team at infosec@...ont.com.
>
> Kind Regards,
>
> Andrei Mikhailovsky
> Arhont Ltd
> http://www.arhont.com
> GnuPG Keyserver: blackhole.pca.dfn.de
> GnuPG Key:       0xFF67A4F4
>
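
Added example, not part of the original message or the quoted advisory: an audit-side parser for saved `snmpwalk -Os` output that flags PPP credentials readable over SNMP, as in Issue 2, and reports the secret only by length. It assumes the two OIDs in the advisory are the Identity and Secret columns of pppSecuritySecretsTable (PPP-SEC-MIB, RFC 1472); the function names and the sample walk are constructed for illustration.

```python
import re

# Columns 5 and 6 of pppSecuritySecretsTable (PPP-SEC-MIB, RFC 1472) as
# `snmpwalk -Os` prints them; these are the rows shown in the advisory.
PPP_SECRETS = "transmission.23.2.3.1."
COLUMNS = {"5": "identity", "6": "secret"}
LINE = re.compile(r"^(?P<oid>\S+) = (?P<type>[\w-]+): ?(?P<value>.*)$")

# Constructed sample, not a capture from a real device.
SAMPLE = """\
sysDescr.0 = STRING: D-Link DSL-500 version 7.1.0.30
Annex-A (Nov 28 2002) R2.21.002.04.b2t18uk
sysObjectID.0 = OID: enterprises.171.10.30.1
...
transmission.23.2.3.1.5.2.1 = STRING:
"user@isp.example"
transmission.23.2.3.1.6.2.1 = STRING: "constructed-secret"
"""

def parse_walk(text):
    """Map OID -> value; a line without 'oid = TYPE:' continues the previous value."""
    walk, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"."}:
            continue  # blank line or elision marker
        match = LINE.match(line)
        if match:
            last = match["oid"]
            walk[last] = match["value"].strip()
        elif last is not None:
            walk[last] = (walk[last] + " " + line).strip()
    return walk

def find_ppp_credentials(walk):
    """Return one finding per table row that exposes a secret (value masked)."""
    rows = {}
    for oid, value in walk.items():
        if oid.startswith(PPP_SECRETS):
            column, _, index = oid[len(PPP_SECRETS):].partition(".")
            if column in COLUMNS:
                rows.setdefault(index, {})[COLUMNS[column]] = value.strip('"')
    return [
        {"index": i, "identity": r.get("identity", ""), "secret_length": len(r["secret"])}
        for i, r in sorted(rows.items()) if r.get("secret")
    ]

if __name__ == "__main__":
    for finding in find_ppp_credentials(parse_walk(SAMPLE)):
        print("cleartext PPP credential readable over SNMP:", finding)
```

An empty result for a device that answers the walk means no secret column came back under the community string that was used, which is the state to expect once UDP port 161 is firewalled or the defaults are changed.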


