lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.SOL.4.61.0508131053150.28728@bulgaria.public-internet.org>
Date: Sat, 13 Aug 2005 10:58:32 +0100 (BST)
From: Tim Brown <securityfocus@...hine.org.uk>
To: bugtraq@...urityfocus.com
Subject: Low security hole affecting Mentor's ADSLFR4II router


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've found a number of low risk issues with Mentor's ADSLFR4II router. I
initially spoke to them on the 20th July, passing them full details of my
findings on the 21st of July. I then emailed them again on the 4th of
August asking for an update and notifying them of my intent to publish
after close of business on the 11th of August unless I recieved adequate
assurance that they were working on these issues. As it stands, I've had
no contact since the 21st July and therefore have decided to publish this
warning:

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20050719)
Date: 19th July 2005
Author: Tim Brown <mailto:timb@...-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: ADSL-FR4II router (firmware v.2.00.0111 2004.04.09)
<http://www.bona.com.tw:8080/product/ADSL-FR4II.htm>
Vendor: Mentor <http://www.bona.com.tw/>
Risk: Low

Summary

This product has 4 vulnerabilities.

1) An undocumented port 5678/tcp is open on the internal interface,
which allows access to the web application used to administer the
router.

2) There is no default password configured for the web application
user to administer the router.

3) The routers state table for active TCP connections to the device
is such that a simple scan of all ports will prevent the router
responding to valid connections to open TCP ports.

4) Backup configuration files downloaded from the router contain
the administrative password for the web application used to configure
the router in plain text.

Technical Details

1) Connecting to port 5678/tcp on the routers internal IP with a web
browser presents the same web application as can be found on port
80/tcp. It may therefore be possible to access the application even
where internal firewalls are blocking access to port 80/tcp. This
would be of particular concern if there is another password that
will allow access to the application in a similar manner to that
described in http://www.securityfocus.com/bid/12507.

2) By default, the web appplication used to administer the router
does not have a password configured. If a password is not configured
then in combination with vulnerability 1 it may be possible to
compromise the router.

3) Running scanrand <ip>:all will prevent the router responding to
valid connections to open TCP ports on either the external or internal
interface, most likely due to the state table becoming full.

4) Running strings over backup configuration files downloaded from
the router reveals the administrative password for the web application
used to configure the router in plain text. If a system holding
one of these backup configuration files is compromised then it may be
possible to compromise the router.

Solutions

Unfortunately, Nth Dimension are unware of any fixes for these issues
at the current time.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (SunOS)

iD8DBQFC3hHaVAlO5exu9x8RAsVHAKCzO9cRj7jUhD2m7FPmQZMK3SQkUgCeOmsV
yJKqMejxWUt+ePJMDKannIk=
=QM8X
- -----END PGP SIGNATURE-----

Cheers,
Tim
- --
Tim Brown
<mailto:securityfocus@...hine.org.uk>
<http://www.machine.org.uk/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (SunOS)

iD8DBQFC/cRQVAlO5exu9x8RAn+EAKC/BQ3owGUPGYCyutevIkMFUmJTJACdGB/D
YWL9/ly6LP4js4pe9pEzr6M=
=ZGzr
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ