SMCspoof.txt

Posted Sep 17, 2004
Authored by Jimmy Scott

The SMC7004VWBR and SMC7008ABR wireless routers allow a spoofed visitor to have administrative access to the devices and to retrieve the real administrator password.

tags | advisory, spoof
SHA-256 | 47d93c8a01ae8a00f5ce8f50f01dbeef96e9fd7663203b415a618f92fee1c5d0

SMC7004VWBR / SMC7008ABR "spoofing" vulnerability.

Background:
-----------

When you visit the main page of the SMC7004VWBR, it checks whether someone
is already logged in (on an IP basis!). If someone is logged in, it shows
you the admin's IP address; if nobody is, or if you are coming from that
IP, it shows you the login screen.

When you visit any page other than the index, the router ONLY checks your
source IP to decide whether you are the admin. The idle timeout of 9 or 10
minutes is a very long window if the admin did not press "log out" or if
his connection drops.

Disconnecting a wireless admin isn't that hard, and a wired one can be
done too; the admin's machine may also crash, reboot or shut down on its
own. Alternatively you can forge IP packets with the admin's source
address to fool the router.

Vulnerability:
--------------

Either way, just change your own IP address to the admin's, which the
router itself announces (duplicate.htm), and directly visit:

http://ip/setup_status.htm
http://ip/status.HTM (SMC7008ABR)
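The following Python model is an added example, not the router firmware and not the advisory author's code; the real code is not public, so everything in it is a constructed assumption chosen to mirror the description above (the admin address 192.168.2.10, the password, the 600-second and 60-second idle timeouts, the class and method names). It reduces the Background section and the spoof step to two small classes: IpSessionRouter authorizes any non-index page by source IP alone, exactly the check described; TokenSessionRouter additionally demands a random per-login token (what a browser would carry in a cookie), so copying the admin's IP is no longer enough.

```python
"""Constructed model of the IP-only session check described in the advisory.

Not SMC firmware: the classes, names and timings are assumptions chosen to
mirror the advisory's description, so the attack window can be reasoned about.
"""
import secrets

ADMIN_PASSWORD = "s3cret"       # constructed value, not a real credential
ADMIN_IP = "192.168.2.10"       # constructed LAN address of the admin's host


class FakeClock:
    """Manual clock so idle-timeout behaviour can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class IpSessionRouter:
    """Vulnerable model: the source IP is the only session credential."""

    def __init__(self, clock, idle_timeout=600):
        self.clock = clock
        self.idle_timeout = idle_timeout   # seconds since the admin's last hit
        self.admin_ip = None
        self.last_seen = None
        self.token = None

    def _session_alive(self):
        return (self.admin_ip is not None
                and self.clock.now - self.last_seen < self.idle_timeout)

    def _new_token(self):
        return ""          # no per-session secret exists in this model

    def _token_ok(self, token):
        return True        # an IP match alone is accepted

    def login(self, src_ip, password):
        """Index page: returns a session token on success, None otherwise.
        While another IP holds a live session only that address is shown
        (duplicate.htm) and no login is offered."""
        if self._session_alive() and src_ip != self.admin_ip:
            return None
        if password != ADMIN_PASSWORD:
            return None
        self.admin_ip = src_ip
        self.last_seen = self.clock.now
        self.token = self._new_token()
        return self.token

    def get_page(self, src_ip, path, token=""):
        """Any non-index page, e.g. /setup_status.htm."""
        if not self._session_alive() or src_ip != self.admin_ip:
            return "302 login.htm"
        if not self._token_ok(token):
            return "302 login.htm"
        self.last_seen = self.clock.now
        return f"200 {path}"


class TokenSessionRouter(IpSessionRouter):
    """Hardened model: a random token issued at login must accompany every
    request, and the idle time is the vendor's suggested 1 minute."""

    def __init__(self, clock, idle_timeout=60):
        super().__init__(clock, idle_timeout)

    def _new_token(self):
        return secrets.token_hex(16)

    def _token_ok(self, token):
        return secrets.compare_digest(token, self.token)


def admin_request(router_cls):
    """Legitimate admin: logs in, then fetches a status page with the token."""
    router = router_cls(FakeClock())
    token = router.login(ADMIN_IP, ADMIN_PASSWORD)
    return router.get_page(ADMIN_IP, "/setup_status.htm", token)


def spoof_attempt(router_cls, wait_seconds, **router_kwargs):
    """Attacker: waits wait_seconds after the admin's last request, configures
    the admin's IP on their own interface and fetches the page with no token.
    Returns the router's response to the attacker."""
    clock = FakeClock()
    router = router_cls(clock, **router_kwargs)
    if router.login(ADMIN_IP, ADMIN_PASSWORD) is None:
        raise RuntimeError("admin login failed in the model")
    clock.advance(wait_seconds)
    return router.get_page(ADMIN_IP, "/setup_status.htm")


if __name__ == "__main__":
    print("vulnerable, 5 min idle:   ", spoof_attempt(IpSessionRouter, 300))
    print("vulnerable, 11 min idle:  ", spoof_attempt(IpSessionRouter, 660))
    print("vulnerable, 1 min timeout:", spoof_attempt(IpSessionRouter, 30, idle_timeout=60))
    print("hardened, 10 s idle:      ", spoof_attempt(TokenSessionRouter, 10))
    print("hardened, real admin:     ", admin_request(TokenSessionRouter))
```

Note the third call: lowering the idle time to 1 minute on the vulnerable model, as the vendor workaround suggests, only narrows the window (a spoofed request 30 seconds after the admin's last one still gets a 200); it is the per-session token that turns the same request into a redirect to the login page.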

No big deal? On the SMC7004VWBR you can go to Tools and back up the
configuration. Open the configuration file you receive in your favourite
text editor, scroll about one screen down, and read the password in CLEAR
text near the word 'admin'. You could also reset the device to factory
defaults etc., but the password is of more interest, since most people
reuse it elsewhere. On the other hand, the SMC7008ABR does not store the
password in the clear, but its backup file can be downloaded without any
kind of spoofing, and it seems to use a lame hashing algorithm, since only
1 byte in the 'user' field of the configuration file changes when the
password is changed. Though I could be wrong on this, if I'm not, it would
be possible to generate a list of 255 passwords that covers every "hash"
for the SMC7008ABR (and I'm not wasting my time on this to figure it out);
IMHO it would also be possible to restore the backup file on another
router and brute force it.

It is possible (and I'm quite sure) that other 7004/7008 series devices
have vulnerabilities like this too, maybe even other series ...

Vendor feedback:
----------------

The vendor responded positively to this and promised to provide a fix for
these 2 routers, but they did not answer my question about when the fix
would be available. I have lost contact with them since last week and
there is no fix available so far.

Workaround provided by the vendor:
----------------------------------

- Set the idle time to 1 min.
- Use MAC filtering so that only known MAC addresses can access your
  network.
- Use WEP encryption on the wireless router.

Additional steps:
-----------------

Change your password to something you do not use anywhere else, since it
can still be stolen by your evil husband etc.

Detailed product information:
-----------------------------

MODEL: SMC7004VWBR
- Supplier Part No: 750.9925
- Sub Assy Number: 720.9925
- runtime: V1.00.014

MODEL: SMC7008ABR EU
- part no: 750.5703
- Sub-assy no: 720.5432
- runtime: V1.42.003


Jimmy Scott

--
UNIX System Engineer / Security Analyst
PGP: http://pub.devbox.be/misc/gpg-jimmy.pub.asc
FP: E81B C1F5 87E2 9096 45D3 D007 C206 A8F6 E483 B2AC