SMC7004VWBR / SMC7008ABR "spoofing" vulnerability.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SMC7004VWBR / SMC7008ABR "spoofing" vulnerability.
From: Jimmy Scott <jimmy@xxxxxxxxxxxxxxxxx>
Date: Wed, 15 Sep 2004 14:47:31 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

SMC7004VWBR / SMC7008ABR "spoofing" vulnerability.

Background:
-----------

When you visit the main page of the SMC7004VWBR, it checks if someoneis already logged in (on IP basis!). If someone is logged in, it showsyou the admin's IP, if not, or you have that IP, it displays you thelogin screen.

When you visit a page other than the index, the router ONLY checks yourIP to see if you are the admin (9 or 10 minutes timeout is a very longtime if the admin did not press "log out" or if his connection"drops").

Disconnecting a wireless admin isn't that hard, even a wired one, andthere are also possibilities that one crashes, reboots, shuts down. Oryou could force your own IP packets to fool the router.


Vulnerability:
--------------

Either way, just change your own IP to the one of the admin that isbroadcasted on the router (duplicate.htm), and directly visit:


http://ip/setup_status.htm
http://ip/status.HTM (SMC7008ABR)

No big deal? On the SMC7004VWBR you could go to tools and backup theconfiguration. Open the configuration file you received with yourfavorite text-editor, scroll about one screen down, and read thepassword in CLEAR text near the word 'admin' .. or you could reset tofactory defaults etc, but the password will be at more interest sincemost people reuse them elsewhere. On the other-hand, the SMC7008ABRdoes not have the password in the clear but the backup file can bedownloaded without any kind of spoofing, it seems to have a lamehashing algorithm since only 1 byte in de 'user' field changes in theconfiguration file when changing the password, though, i could be wrongon this, but if I'm not, it would be possible to generate a list of 255passwords that will cover every "hash" for the SMC7008ABR (and I'm notwasting my time on this to figure it out), imho it would be also bepossible to restore the backup file on another router and brute forceit.

It is possible (and I'm quite sure) that other 7004/7008 series havevulnerabilities like this too, maybe even more series ...


Vendor feedback:
----------------

The vendor responded positive to this and promised to provide a fix onthese 2 routers, but they did not respond to my question when the fixwill be available. Lost contact with them since last week and there isno fix available so far.


Workaround provided by the vendor:
----------------------------------

-Set idle time to 1min.

-Use MAC filtering so that only known MAC address can access yournetwork.

-Use WEP encryption for the wireless router.

Additional steps:
-----------------

Change your password to something unique since it still can be stolenby your evil husband etc.


Detailed product information:
-----------------------------

MODEL: SMC7004VWBR
- Supplier Part No: 750.9925
- Sub Assy Number: 720.9925
- runtime: V1.00.014

MODEL: SMC7008ABR EU
- part no: 750.5703
- Sub-assy no: 720.5432
- runtime: V1.42.003


Jimmy Scott

--
UNIX System Engineer / Security Analyst
PGP: http://pub.devbox.be/misc/gpg-jimmy.pub.asc
FP: E81B C1F5 87E2 9096 45D3  D007 C206 A8F6 E483 B2AC

Prev by Date: Microsoft Office WordPerfect Converter Buffer Overflow Vulnerability
Next by Date: PHP Vulnerability N. 1
Previous by thread: Microsoft Office WordPerfect Converter Buffer Overflow Vulnerability
Next by thread: PHP Vulnerability N. 1
Index(es):
- Date
- Thread