NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2002-01

From: John Duksta (jdukstagenuity.com)
Date: Mon Jan 07 2002 - 08:07:31 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Matthew:

Are the Linksys devices accepting the SNMP packets on the
external interface? Granted, this is a pretty bad problem
in and of itself, but I would think not so bad if the Linksys
device is only accepting SNMP on the internal interface.

-john

-- 
John Duksta <jdukstagenuity.com>
Security Engineer  - Genuity
---------------------------------------------------------------------------
"Everything should be made as simple as possible but not simpler."
- A. Einstein
On Sun, 6 Jan 2002, Matthew S. Hallacy wrote:
> Howdy.
> 
> LinkSys DSL 'routers' have some serious information leakage, and potention DDoS
> usage. The following models have been confirmed as having this problem:
> BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
> BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)
> 
> Querying these devices with the default community of 'public' causes them to set
> the address that queried as their snmptrap host, dumping traffic such as the
> following to that address:
> 
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 24.254.60.13[110]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.23[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.3[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.4[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.5[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
> Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __:    ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."
> 
> It looks like a combination of debugging information as well as traffic logging, 
> many customers never use the configuration page, let alone change the SNMP 
> communities. To make the matter worse, LinkSys refuses to distribute an MIB
> for the device, which is not suprising considering the SNMP implementation
> on the device is rather broken (it goes into a continious loop).
> 
> 
> LinkSys is routing all messages regarding SNMP to /dev/null
> 
> 			Have a nice day.
> 			Matthew S. Hallacy
>

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]