lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200404281255.17875.user86@earthlink.net>
Date: Wed, 28 Apr 2004 12:55:17 -0400
From: user86 <user86@...thlink.net>
To: bugtraq@...urityfocus.com
Subject: SMC Routers have remote administration enabled by default


Tested Model: 7008ABR (part number 750.9814 with firmware 1.032 installed)
Confirmed by another person on: 7004VBR (version 1, firmware 1.231)
Others may be vulnerable.

SMC broadband routers ship with remote administration enabled by default on 
their port 1900 on the WAN side of the router.  If you just pull one out of 
the box, plug it into your internet connection and go through the "Setup 
Wizard" then don't do anything beyond that point, port 1900 is open on the 
router and completely passwordless, allowing ANY arbitrary person to just 
visit http://1.2.3.4:1900/  where "1.2.3.4" is the router's external IP 
address and hit "Login" and have full control of the router.  This may allow 
an arbitrary person to expose the very machines being protected by the 
router.

Steps to reproduce:
1.  Reset the router to factory defaults, either by logging onto its remote 
administration page at http://192.168.2.1/ and clicking "Advanced Setup" then 
"Tools" then "Configuration Tools" then choose "Restore barricade to factory 
defaults" and click "Next."  Or by holding down the router's reset button 
with a paper clip for 30 seconds.

2.  After the router has been reset to factory defaults, visit its 
administration page at http://192.168.2.1/

3.  Click "login"

4.  Click "Setup Wizard" then "Next"

5.  Choose the appropriate connection type you have.

6.  When it is "connected" and you can web browse on the internet just fine 
behind it, go back to the router's administration page at http://192.168.2.1/

7.  Click "Advanced Setup" then "Status" and write down the router's WAN IP 
address.  (for example 1.2.3.4)

8.  Now using a computer that has a different external IP address (another 
machine on the internet), visit the router's port 1900 in your web browser 
http://1.2.3.4:1900/

You are then greeted with a login prompt.  Click "Login" and you have full 
control of the router remotely.  While you are there, click "Advanced Setup" 
and then "System" then "Remote Management" and you can verify "Remote 
Management" is supposedly disabled yet somehow you are *remotely* managing 
the device.


There are two workarounds:
1.  Enable the router's firewall in its "Advanced Setup"

2.  Forward port 1900 of the router to a non-existent internal IP address 
(such as 192.168.2.248 if it isn't in use).



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ