OSEC

From: hypoclear (hypoclear@jungle.net)
Date: Thu Aug 02 2001 - 13:37:26 CDT


    I have updated my original advisory to reflect a better solution due to
    feedback on the vuln-watch list.

    The attached advisory can also be found at:
    http://hypoclear.cjb.net/hypo_linksys_advisory.txt

    hypoclear - hypoclear@jungle.net - http://hypoclear.cjb.net

    ---

            [[:UPDATE hypoclear security advisory UPDATE:]]

    Update Note: Thanks to the guys on the vuln-watch list who helped with a
                 better solution!


    Vendor : Linksys | http://www.linksys.com/
    Product : EtherFast 4-Port Cable/DSL Router
    Category : Design Flaw
    Date : 08-02-01
    Update : 08-02-01

    CONTENTS
    1. Overview
    2. Details
    3. "Exploit"
    4. Possible Solution
    5. Vendor Response
    6. Contact
    7. Disclaimer


    1. Overview:

    The Linksys "EtherFast 4-Port Cable/DSL Router" has a design flaw in its
    web-based configuration interface: the router's administration password
    and the password of the user's ISP account are written into the HTML of
    the configuration pages the router serves. Anyone who can read the page
    source, or the HTTP traffic carrying it, can read both passwords in
    cleartext.



    2. Details:

    The login passwords for both the router and the user's ISP account are
    inserted into the router's configuration pages as the value attribute of
    the corresponding form fields. Because the fields are of type "password",
    the browser masks them on screen, but that masking is purely cosmetic: the
    values are in cleartext in the HTML source, which can be viewed with the
    browser's "view source" function. This may lead to a compromise of the
    router and of the user's ISP account. The pages in question are index.htm,
    which contains the user's ISP login name and password, and Passwd.htm,
    which contains the router's administration password.

    The configuration interface is served over plain HTTP, so the same page
    source (passwords included) crosses the LAN unencrypted every time the
    administrator loads one of these pages, and a "sniffer" on that LAN can
    capture it in transit to the administrator's browser.

    (Note: The transmissions can only be "sniffed" from within the LAN behind
    the router. On a switched LAN the attacker additionally has to divert the
    traffic to his own port, for example by ARP cache poisoning; see section
    4.)



    3. "Exploit"

    No exploit code is needed to exploit this vulnerability. The passwords are
    stored and transmitted in "cleartext" within the HTML source, so they can
    be read by anyone who can view the page source in the administrator's
    browser, or who sniffs the Ethernet segment while an administrator logs in
    and views the offending pages.

    Sections of offending code (formatted for easier viewing; the placeholders
    in capitals mark where the real values appear):

    On index.htm:

    --- code cut ---
    <b>User Name: &nbsp;</b></font>
    <input name=pppoeUName size=20 maxlength=63 value=USERS_ISP_LOGIN_HERE>
    </td></tr><tr><th bgcolor=6666cc>&nbsp;</th>
    <td>&nbsp; &nbsp; <font face=verdana size=2><b>Password: &nbsp; &nbsp;</b></font>
    <input type=password name=pppoePWD size=20 maxlength=63 value=USERS_ISP_PASSWORD_HERE>
    </td>
    --- end code cut ---


    On Passwd.htm:

    --- code cut ---
    <br>Router Password: &nbsp;</th><td> <br> &nbsp;
    <input type=password name=sysPasswd size=25 maxlength=63 value=ROUTER_PASSWORD_HERE>
    <font color=blue face=Arial size=2>(Enter New Password)</td></tr>
    <tr><th bgcolor=6666cc align=right><font color=white face=Arial size=2>&nbsp;</th>
    <td> &nbsp;
    <input type=password name=sysPasswdConfirm size=25 maxlength=63 value=CONFIRM_OF_ROUTER_PASSWORD_HERE>
    --- end code cut ---
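    The check a practitioner would run against a page like the two cuts above,
    whether saved via "view source" or pulled out of a LAN capture, is to walk
    the markup for <input> elements that carry a credential in their value
    attribute. The following is an added example, not code from the advisory
    or from Linksys firmware: the field names follow the cuts above, the sample
    markup and the credential values in it are constructed, and the list of
    "secret-looking" name fragments is an assumed heuristic.

```python
# Added example (not from hypoclear's advisory or Linksys firmware): scan a
# configuration page, as captured off the wire or saved via "view source",
# for <input> elements that echo a stored credential in their value attribute.
# Field names follow the advisory (pppoeUName, pppoePWD, sysPasswd,
# sysPasswdConfirm); the sample markup and credential values are constructed.
from html.parser import HTMLParser

# Name fragments treated as credential-like; an assumed heuristic, extend as needed.
SECRET_HINTS = ("pwd", "passwd", "password", "secret", "key")


class EchoedSecretFinder(HTMLParser):
    """Collect (name, value) for every <input> that is a password field, or
    has a credential-like name, and whose value attribute is non-empty."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":          # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "")
        value = a.get("value", "")
        looks_secret = a.get("type", "").lower() == "password" or any(
            h in name.lower() for h in SECRET_HINTS)
        if looks_secret and value:
            self.leaks.append((name, value))


def find_echoed_secrets(page):
    """Return [(field_name, cleartext_value), ...] found in an HTML page."""
    finder = EchoedSecretFinder()
    finder.feed(page)
    finder.close()
    return finder.leaks


# Constructed sample modelled on the index.htm and Passwd.htm fragments quoted
# in the advisory; "isp-user", "isp-s3cret" and "r0uter-pw" are made-up values.
VULNERABLE_PAGE = """
<b>User Name: &nbsp;</b></font><input name=pppoeUName size=20 maxlength=63 value=isp-user>
<b>Password: &nbsp;</b></font><input type=password name=pppoePWD size=20 maxlength=63 value=isp-s3cret>
<br>Router Password: &nbsp;</th><td><input type=password name=sysPasswd size=25 maxlength=63 value=r0uter-pw>
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value=r0uter-pw>
"""

# The same form once the password fields are rendered empty (the fix section 4 proposes).
HARDENED_PAGE = """
<input name=pppoeUName size=20 maxlength=63 value=isp-user>
<input type=password name=pppoePWD size=20 maxlength=63 value="">
<input type=password name=sysPasswd size=25 maxlength=63 value="">
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value="">
"""

if __name__ == "__main__":
    for name, value in find_echoed_secrets(VULNERABLE_PAGE):
        print(f"{name}: {value!r}")
```

    The username field is deliberately not flagged: it is not a secret by
    itself, and it is the password fields, masked on screen but cleartext in
    the markup, that make the page dangerous. Feeding the parser a response
    body reassembled from a packet capture gives the same result as feeding it
    a saved page, which is the whole point of the advisory.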



    4. Possible Solution

    A suggested solution for this problem is to not transmit the passwords to
    the offending pages at all. Instead, keep them stored in the router and
    render the password fields empty, treating a non-empty field on submit as
    a request to change that password (if desired by the user). The page then
    contains nothing to leak, whether through "view source" or a sniffer.

    This particular solution is not possible without a vendor patch.
    There has been no response from Linksys.
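    What that vendor-side change looks like in code, as an added example that
    is not Linksys firmware or anything from the advisory: a minimal renderer
    that shows the flawed pattern beside the fixed one, and an update handler
    that treats an empty password field as "keep the current value". The
    RouterConfig structure, the function names and the sample values are
    assumptions for illustration; the field names follow the advisory.

```python
# Added example (not Linksys code): the vendor-side fix the advisory proposes,
# keep the passwords in the router and never place them in the page, applied
# to a minimal form renderer and update handler. RouterConfig, the functions
# and the sample values are assumptions for illustration; the field names
# follow the advisory.
from dataclasses import dataclass, replace
from html import escape


@dataclass
class RouterConfig:
    pppoe_user: str   # ISP (PPPoE) login
    pppoe_pwd: str    # ISP password
    sys_passwd: str   # router admin password


def _field(name, value="", kind="text"):
    # Quote and escape every attribute so a stored value cannot break out of it.
    return f'<input type="{kind}" name="{name}" value="{escape(value, quote=True)}">'


def render_vulnerable(cfg):
    """The pattern the advisory describes: stored secrets copied into value=.
    The browser masks a type=password field on screen, but the cleartext is
    in the markup and on the wire."""
    return "".join([
        _field("pppoeUName", cfg.pppoe_user),
        _field("pppoePWD", cfg.pppoe_pwd, "password"),
        _field("sysPasswd", cfg.sys_passwd, "password"),
        _field("sysPasswdConfirm", cfg.sys_passwd, "password"),
    ])


def render_hardened(cfg):
    """Password fields are rendered empty; a blank field on submit means
    'keep the current value'. The page now contains no secret to leak."""
    return "".join([
        _field("pppoeUName", cfg.pppoe_user),
        _field("pppoePWD", "", "password"),
        _field("sysPasswd", "", "password"),
        _field("sysPasswdConfirm", "", "password"),
    ])


def apply_update(cfg, form):
    """Apply a submitted form to the stored config. Empty password fields are
    ignored; a new router password must match its confirmation."""
    changes = {}
    if form.get("pppoeUName"):
        changes["pppoe_user"] = form["pppoeUName"]
    if form.get("pppoePWD"):
        changes["pppoe_pwd"] = form["pppoePWD"]
    new_sys = form.get("sysPasswd", "")
    if new_sys:
        if new_sys != form.get("sysPasswdConfirm", ""):
            raise ValueError("router password and confirmation do not match")
        changes["sys_passwd"] = new_sys
    return replace(cfg, **changes)


CONFIG = RouterConfig("isp-user", "isp-s3cret", "r0uter-pw")  # constructed values

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CONFIG))
    print("hardened:  ", render_hardened(CONFIG))
```

    Note what this does and does not fix. Loading the page no longer discloses
    anything, so "view source" and passive sniffing of page views are closed.
    A password *change* still travels from the browser to the router in the
    POST body, and since the interface is plain HTTP that one request remains
    sniffable on the LAN; only encrypting the management session addresses
    that, which is outside what a form change can do.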


    Another solution has been given by weld on the vuln-watch list.

    He states:
    "I would say the solution is to only admin the router from a workstation
    that is directly connected to one of the switch ports and to add a static
    arp cache entry for the router on the workstation. That will deny any arp
    cache poisoning which would work to sniff across the switch."
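    A way to verify that the static entry weld describes is actually in place,
    and to notice when it is not, follows as an added example that is not part
    of the advisory or of weld's post. It parses the output of `ip neigh show`
    on a Linux workstation and reports whether the router's entry is PERMANENT
    and resolves to the expected MAC; the neighbour tables, the router address
    and the MAC addresses are constructed, and 192.168.1.1 as the router's LAN
    address is an assumption.

```python
# Added example (not from the advisory): verify the static ARP entry weld
# recommends. It parses `ip neigh show` output from a Linux workstation and
# reports whether the router's entry is PERMANENT and carries the expected MAC.
# The sample tables, gateway address and MACs are constructed; the ip(8)
# command in the recommendation is standard iproute2 syntax.
import re

# One line of `ip neigh show`, e.g. "192.168.1.1 dev eth0 lladdr 00:04:5a:aa:bb:cc REACHABLE".
# Entries with no lladdr (e.g. FAILED) are matched with mac == None.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]+))?\s+(?P<state>[A-Z]+)$")


def parse_neigh(output):
    """Map ip -> (dev, mac or None, state) from `ip neigh show` text."""
    table = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m["mac"].lower() if m["mac"] else None
            table[m["ip"]] = (m["dev"], mac, m["state"])
    return table


def check_gateway(output, gw_ip, expected_mac):
    """Return (verdict, recommended_command). Verdicts: 'ok', 'missing',
    'dynamic' (entry present but a spoofed reply can overwrite it) and
    'spoofed' (entry resolves to a MAC other than the router's)."""
    expected_mac = expected_mac.lower()
    entry = parse_neigh(output).get(gw_ip)
    dev = entry[0] if entry else "eth0"   # assumed interface when no entry exists
    pin = f"ip neigh replace {gw_ip} lladdr {expected_mac} nud permanent dev {dev}"
    if entry is None:
        return "missing", pin
    _, mac, state = entry
    if mac != expected_mac:
        return "spoofed", pin
    if state != "PERMANENT":
        return "dynamic", pin
    return "ok", ""


ROUTER_IP = "192.168.1.1"            # router's LAN address (assumed)
ROUTER_MAC = "00:04:5a:12:34:56"     # constructed

# Constructed tables. In TABLE_POISONED the router's IP resolves to the MAC of
# another station, the cache state a successful ARP poisoning leaves behind.
TABLE_PINNED = """\
192.168.1.1 dev eth0 lladdr 00:04:5a:12:34:56 PERMANENT
192.168.1.50 dev eth0 lladdr 00:50:56:aa:bb:cc REACHABLE
192.168.1.77 dev eth0  FAILED
"""
TABLE_POISONED = """\
192.168.1.1 dev eth0 lladdr 00:50:56:aa:bb:cc REACHABLE
192.168.1.50 dev eth0 lladdr 00:50:56:aa:bb:cc STALE
"""
TABLE_DYNAMIC = """\
192.168.1.1 dev eth0 lladdr 00:04:5a:12:34:56 REACHABLE
"""

if __name__ == "__main__":
    for label, tbl in (("pinned", TABLE_PINNED), ("poisoned", TABLE_POISONED),
                       ("dynamic", TABLE_DYNAMIC)):
        print(label, check_gateway(tbl, ROUTER_IP, ROUTER_MAC))
```

    On a Windows or BSD workstation the equivalent pin is `arp -s <router-ip>
    <router-mac>` and the check is `arp -a`, where the entry must show as
    static. Two caveats apply to this mitigation. It pins only the
    workstation's view of the router: the page carrying the passwords is sent
    by the router to whatever MAC the router's own ARP cache holds for the
    workstation, and that cache can be poisoned independently unless the
    router side is pinned too, which the advisory does not address. And the
    passwords still cross the LAN in cleartext on every page load; the static
    entry raises the bar for capturing them on a switched LAN, it does not
    remove the exposure.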



    5. Vendor Response

    07-23-01: Sent problem to Linksys via the email address support@linksys.com.
              No security email address could be found on their web-site.
              The email stated the problem and a possible solution.

    07-30-01: No response was given to the initial email, so a second email
              was sent. The email stated that I had already tried to contact
              them over a week ago, and if no response was given in the next
              few days I would release the advisory.

    08-02-01: At the time of the release of this advisory, Linksys has not
              responded.



    6. Contact

    Written by hypoclear.
    email : hypoclear@jungle.net
    home page : http://hypoclear.cjb.net


    7. Disclaimer

    This advisory remains the property of hypoclear.
    This advisory can be freely distributed in any form.
    If this advisory is distributed it must remain in its entirety.

    This and all of hypoclear's releases fall under his disclaimer, which can
    be found at: http://hypoclear.cjb.net/hypodisclaim.txt