| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Sep 2004 14:47:31 +0200 From: Jimmy Scott <jimmy@...t-solutions.be> To: bugtraq@...urityfocus.com Subject: SMC7004VWBR / SMC7008ABR "spoofing" vulnerability. SMC7004VWBR / SMC7008ABR "spoofing" vulnerability. Background: ----------- When you visit the main page of the SMC7004VWBR, it checks if someone is already logged in (on IP basis!). If someone is logged in, it shows you the admin's IP, if not, or you have that IP, it displays you the login screen. When you visit a page other than the index, the router ONLY checks your IP to see if you are the admin (9 or 10 minutes timeout is a very long time if the admin did not press "log out" or if his connection "drops"). Disconnecting a wireless admin isn't that hard, even a wired one, and there are also possibilities that one crashes, reboots, shuts down. Or you could force your own IP packets to fool the router. Vulnerability: -------------- Either way, just change your own IP to the one of the admin that is broadcasted on the router (duplicate.htm), and directly visit: http://ip/setup_status.htm http://ip/status.HTM (SMC7008ABR) No big deal? On the SMC7004VWBR you could go to tools and backup the configuration. Open the configuration file you received with your favorite text-editor, scroll about one screen down, and read the password in CLEAR text near the word 'admin' .. or you could reset to factory defaults etc, but the password will be at more interest since most people reuse them elsewhere. On the other-hand, the SMC7008ABR does not have the password in the clear but the backup file can be downloaded without any kind of spoofing, it seems to have a lame hashing algorithm since only 1 byte in de 'user' field changes in the configuration file when changing the password, though, i could be wrong on this, but if I'm not, it would be possible to generate a list of 255 passwords that will cover every "hash" for the SMC7008ABR (and I'm not wasting my time on this to figure it out), imho it would be also be possible to restore the backup file on another router and brute force it. It is possible (and I'm quite sure) that other 7004/7008 series have vulnerabilities like this too, maybe even more series ... Vendor feedback: ---------------- The vendor responded positive to this and promised to provide a fix on these 2 routers, but they did not respond to my question when the fix will be available. Lost contact with them since last week and there is no fix available so far. Workaround provided by the vendor: ---------------------------------- -Set idle time to 1min. -Use MAC filtering so that only known MAC address can access your network. -Use WEP encryption for the wireless router. Additional steps: ----------------- Change your password to something unique since it still can be stolen by your evil husband etc. Detailed product information: ----------------------------- MODEL: SMC7004VWBR - Supplier Part No: 750.9925 - Sub Assy Number: 720.9925 - runtime: V1.00.014 MODEL: SMC7008ABR EU - part no: 750.5703 - Sub-assy no: 720.5432 - runtime: V1.42.003 Jimmy Scott -- UNIX System Engineer / Security Analyst PGP: http://pub.devbox.be/misc/gpg-jimmy.pub.asc FP: E81B C1F5 87E2 9096 45D3 D007 C206 A8F6 E483 B2AC
Powered by blists - more mailing lists