Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: Asus AAM6000EV ADSL Router Wide Open
From: cw (securityfidei.co.uk)
Date: Tue Jul 15 2003 - 17:44:48 CDT
I was looking into the info provided by Michael Renzmann where he said:
"The same data can be accessed by telnetting to the device and choosing
the menu-path "System Maintenance / User Maintenance / List User" (6/5/4)."
On the AAM6000EV, the "User Maintenance" option is not under System Maintenance and I haven't spotted it anywhere else (though I haven't searched in depth).
What I did notice was that after using the web vulnerability to get the router username and password, an attacker could then go on to get the username and password for the internet account that the router is configured to use, hence potentially giving access to email and other services.
Use the menu path "System Maintenance > View All Configuration" (6,1)
Scan through the output for the following section:
Then look for the following line
1 welogin username password logintype
In the UK this can be very useful. People using BT ADSL will have a username that is usernamedomain.tld, for example a Freeserve user would likely be usernamefreeserve.co.uk
So not only does this allow you to get router access, but further poor configuration allows you to get all the details you need to access the hosts internet account.