BugTraq
SMC Routers have remote administration enabled by default Apr 28 2004 04:55PM
user86 (user86 earthlink net) (3 replies)
Re: SMC Routers have remote administration enabled by default Apr 29 2004 05:10AM
user86 (user86 earthlink net) (1 replies)
Re: SMC Routers have remote administration enabled by default Apr 29 2004 05:37AM
user86 (user86 earthlink net)
Re: SMC Routers have remote administration enabled by default Apr 29 2004 02:25AM
Michael Curtis (email curto us)
Re: SMC Routers have remote administration enabled by default Apr 29 2004 12:40AM
Martin Nedbal (awe centrum cz)
Hello guys,
I did a little research on the UPC network in my country and the discoveries
are more than alarming - 90% of users have the firewall disabled. The next
thing is that some routers from Edimax and Planet are apparently using
almost the same firmware - including the mentioned bugs, of course. It's
the users of those SOHO routers who are not reading Bugtraq at all; I'd
suggest UPC do some campaign about security.

Martin.

----- Original Message -----
From: "user86" <user86 (at) earthlink (dot) net [email concealed]>
To: <bugtraq (at) securityfocus (dot) com [email concealed]>
Sent: Wednesday, April 28, 2004 6:55 PM
Subject: SMC Routers have remote administration enabled by default

> Tested Model: 7008ABR (part number 750.9814 with firmware 1.032 installed)
> Confirmed by another person on: 7004VBR (version 1, firmware 1.231)
> Others may be vulnerable.
>
> SMC broadband routers ship with remote administration enabled by default on
> their port 1900 on the WAN side of the router. If you just pull one out of
> the box, plug it into your internet connection and go through the "Setup
> Wizard" then don't do anything beyond that point, port 1900 is open on the
> router and completely passwordless, allowing ANY arbitrary person to just
> visit http://1.2.3.4:1900/ where "1.2.3.4" is the router's external IP
> address and hit "Login" and have full control of the router. This may allow
> an arbitrary person to expose the very machines being protected by the
> router.
>
> Steps to reproduce:
> 1. Reset the router to factory defaults, either by logging onto its remote
> administration page at http://192.168.2.1/ and clicking "Advanced Setup" then
> "Tools" then "Configuration Tools" then choose "Restore barricade to factory
> defaults" and click "Next." Or by holding down the router's reset button
> with a paper clip for 30 seconds.
>
> 2. After the router has been reset to factory defaults, visit its
> administration page at http://192.168.2.1/
>
> 3. Click "login"
>
> 4. Click "Setup Wizard" then "Next"
>
> 5. Choose the appropriate connection type you have.
>
> 6. When it is "connected" and you can web browse on the internet just fine
> behind it, go back to the router's administration page at http://192.168.2.1/
>
> 7. Click "Advanced Setup" then "Status" and write down the router's WAN IP
> address. (for example 1.2.3.4)
>
> 8. Now using a computer that has a different external IP address (another
> machine on the internet), visit the router's port 1900 in your web browser
> http://1.2.3.4:1900/
>
> You are then greeted with a login prompt. Click "Login" and you have full
> control of the router remotely. While you are there, click "Advanced Setup"
> and then "System" then "Remote Management" and you can verify "Remote
> Management" is supposedly disabled yet somehow you are *remotely* managing
> the device.
>
>
> There are two workarounds:
> 1. Enable the router's firewall in its "Advanced Setup"
>
> 2. Forward port 1900 of the router to a non-existent internal IP address
> (such as 192.168.2.248 if it isn't in use).
>
>
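
Added example (not part of the original posts, and not SMC code): a small check an owner can run from a host outside their own network to confirm whether either workaround quoted above actually closed WAN port 1900. The function name, the result labels and the command-line usage are assumptions made for this example.

```python
import socket
import sys

ADMIN_PORT = 1900  # WAN-side TCP port named in the advisory


def check_wan_admin(host, port=ADMIN_PORT, timeout=3.0):
    """Classify how host:port answers a TCP connect plus a plain HTTP GET.

    Returns one of (labels are this example's own):
      "closed"     - connection refused, nothing is listening
      "filtered"   - no answer or unreachable (packets dropped)
      "open-http"  - a web server answered, admin page is reachable
      "open-other" - port accepts connections but did not speak HTTP
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeouts and unreachable-host errors land here
        return "filtered"
    with sock:
        sock.settimeout(timeout)
        request = "GET / HTTP/1.0\r\nHost: {}\r\n\r\n".format(host)
        try:
            sock.sendall(request.encode("ascii"))
            banner = sock.recv(64)
        except OSError:
            return "open-other"
    return "open-http" if banner.startswith(b"HTTP/") else "open-other"


if __name__ == "__main__":
    # Usage: python check_wan_admin.py <your router's WAN IP>
    state = check_wan_admin(sys.argv[1])
    print("port {}: {}".format(ADMIN_PORT, state))
    # Non-zero exit while the admin interface still answers from outside.
    sys.exit(1 if state == "open-http" else 0)
```

Run it before and after enabling the firewall or adding the port-1900 forward; "open-http" means the workaround has not taken effect. A run from inside the LAN does not exercise the WAN side.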
