[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030715130134.GC9083@brucia.ulcc.ac.uk>
Date: Tue, 15 Jul 2003 14:01:34 +0100
From: Ben Wheeler <jammin@...e.eu.org>
To: bugtraq@...urityfocus.com
Subject: Re: Asus AAM6000EV ADSL Router Wide Open
On Mon, Jul 14, 2003 at 07:45:38PM +0100, cw wrote:
> Asus have been notified but haven't even acknowledged yet alone mentioned a fix.
>
> If the inbuilt webserver is activated, anyone on the local network
> can get the full user/pass list from the router without any identification
It's far worse than that, if the state in which my router was supplied is
typical. As I received it, the webserver was enabled by default, *and*
was accessible from the internet as well as the local network. I had to
explicitly set up ip_filter rules to restrict access (the same goes for
telnet access by the way). Worse, there was a bug which caused ip_filter
rules not to be saved properly, so they were not restored after a reset.
Fortunately this has been fixed in the last flash update (71205a32) but
this same update also removes the requirement to specify a username.
You now only need any one of the valid passwords to login. Asus really
don't seem to have a clue. Finding out what has changed between the flash
versions, either from them or from Solwise the UK distributors, is impossible.
It takes a particularly special kind of incompetence to keep the passwords
unencrypted and accessible via the webserver. I certainly won't be buying
another of their products.
The only workaround I know of is to set up ip_filter rules, which is way
beyond the capabilities of most home users (truthfully, quite a number
may not even have changed the default login password). I'm not aware of
any way to disable the httpd completely. Anyone?
Ben Wheeler
Powered by blists - more mailing lists