lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050715222511.GA21804@bumble.fullfactor.com>
Date: Fri, 15 Jul 2005 15:25:11 -0700
From: Ian Clelland <ian@...yfresh.com>
To: Steve Kemp <steve@...ve.org.uk>
Cc: m123303@...urityfocus.com, bugtraq@...urityfocus.com
Subject: Re: several vulnerabilities present in Belkin wireless routers


On Fri, Jul 15, 2005 at 04:37:10PM +0100, Steve Kemp wrote:
> On Fri, Jul 15, 2005 at 08:14:14AM -0000, m123303@...urityfocus.com wrote:
> 
> > The first problem is the existance of a default telnet backdoor
> > running on the usual 23/tcp port. From my experience, telnet
> > interfaces are NOT enabled by default in wireless routers but rather,
> > they usually need to be enabled from their administrative web
> > interfaces manually:
> > 
> > 
> > <Start of output>
> > 
> > Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-06-06
> > 18:34 BST
> > Initiating SYN Stealth Scan against BelkinModem.Belkin (192.168.2.1)
> 
> 
>   The obvious question to ask here, is "Can the telnet service be
>  connected to from the WAN side?".
> 
>   All the later content you present, whilst interesting, is of
>  less value if the attacker must be on the LAN side of the router.

I suspect that the router will not be found vulnerable from that side,
but the exploit becomes interesting again if users on the Wireless LAN
are granted the same level of trust as those on the wired LAN. None of
the wireless routers I've seen have made any distinction between those
two segments, and they all come with default administration passwords
(and no requirement for the user to change them).

Of course, this 'exploit' really looks like just another example of an
'insecure by default' consumer device, rather than an issue with the
firmware.

Regards,
Ian


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ