SMC7004VWBR / SMC7008ABR "spoofing" vulnerability.
SMC7004VWBR / SMC7008ABR "spoofing" vulnerability.
Background:
-----------
When you visit the main page of the SMC7004VWBR, it checks if someone
is already logged in (on IP basis!). If someone is logged in, it shows
you the admin's IP, if not, or you have that IP, it displays you the
login screen.
When you visit a page other than the index, the router ONLY checks your
IP to see if you are the admin (9 or 10 minutes timeout is a very long
time if the admin did not press "log out" or if his connection
"drops").
Disconnecting a wireless admin isn't that hard, even a wired one, and
there are also possibilities that one crashes, reboots, shuts down. Or
you could force your own IP packets to fool the router.
Vulnerability:
--------------
Either way, just change your own IP to the one of the admin that is
broadcasted on the router (duplicate.htm), and directly visit:
http://ip/setup_status.htm
http://ip/status.HTM (SMC7008ABR)
No big deal? On the SMC7004VWBR you could go to tools and backup the
configuration. Open the configuration file you received with your
favorite text-editor, scroll about one screen down, and read the
password in CLEAR text near the word 'admin' .. or you could reset to
factory defaults etc, but the password will be at more interest since
most people reuse them elsewhere. On the other-hand, the SMC7008ABR
does not have the password in the clear but the backup file can be
downloaded without any kind of spoofing, it seems to have a lame
hashing algorithm since only 1 byte in de 'user' field changes in the
configuration file when changing the password, though, i could be wrong
on this, but if I'm not, it would be possible to generate a list of 255
passwords that will cover every "hash" for the SMC7008ABR (and I'm not
wasting my time on this to figure it out), imho it would be also be
possible to restore the backup file on another router and brute force
it.
It is possible (and I'm quite sure) that other 7004/7008 series have
vulnerabilities like this too, maybe even more series ...
Vendor feedback:
----------------
The vendor responded positive to this and promised to provide a fix on
these 2 routers, but they did not respond to my question when the fix
will be available. Lost contact with them since last week and there is
no fix available so far.
Workaround provided by the vendor:
----------------------------------
-Set idle time to 1min.
-Use MAC filtering so that only known MAC address can access your
network.
-Use WEP encryption for the wireless router.
Additional steps:
-----------------
Change your password to something unique since it still can be stolen
by your evil husband etc.
Detailed product information:
-----------------------------
MODEL: SMC7004VWBR
- Supplier Part No: 750.9925
- Sub Assy Number: 720.9925
- runtime: V1.00.014
MODEL: SMC7008ABR EU
- part no: 750.5703
- Sub-assy no: 720.5432
- runtime: V1.42.003
Jimmy Scott
--
UNIX System Engineer / Security Analyst
PGP: http://pub.devbox.be/misc/gpg-jimmy.pub.asc
FP: E81B C1F5 87E2 9096 45D3 D007 C206 A8F6 E483 B2AC