Date: Tue, 15 Jul 2003 16:16:32 +0200
From: Michael Renzmann <security@...anic.de>
To: bugtraq@...urityfocus.com
Subject: Re: Asus AAM6000EV ADSL Router Wide Open


Hi all.

I can confirm this behaviour for the following product:
Asus AAM 6330BI, firmware version 71238a11

This device is for example delivered by the German DSL-provider NetCologne.

cw wrote:
> If the inbuilt webserver is activated, anyone on the local network
> can get the full user/pass list from the router without any
> identification whatsoever by going to the ip address of the router
> and appending /userdata Example, say the ip address is 192.168.0.1,
> go to:
> 
> http://192.168.0.1/userdata

The format of the data that gets displayed there is:
<username>.<password>.<service class>.<status>.

The same data can be accessed by telnetting to the device and choosing 
the menu-path "System Maintenance / User Maintenance / List User" (6/5/4).

> Telnet to the router, enter the user mode console and then type
> "flashfs"
> Type ls to see all configuration files accessible through this flaw.

In order to reach the command prompt where you can enter this command 
(amongst others) you have to choose option "9. Exit User Mode Console" 
from the main menu. "help" lists all available commands.

As mentioned by the original poster, use:
192.168.1.1> flashfs
192.168.1.1 flashfs> ls



Another password disclosure: in the above mentioned device there is a 
file "snmpinit". If it is accessed by the browser (for example with 
http://192.168.1.1/snmpinit ) the read and write community strings of 
the device's SNMP interface will be shown. The content of every file 
also can be accessed with "cat", for example:

192.168.1.1 flashfs> cat snmpinit

With my own device, the data disclosed is of the following format:

access read <read community string>
access write <write community string>



It would be interesting to learn if it is possible for someone to use 
the HTTP-method "PUT" in order to change the content of the file 
"userdata" without having to know its content. I'm not brave enough to 
test it since I'm in need of a working DSL modem :)

Bye, Mike


