Security Basics mailing list archives
RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Fri, 28 Jan 2005 09:34:32 -0800
I used severel IPs (as target, not as source) to telnet the router,
I didn't pick that up from your first message. How certain are you that these were all answered by the same single router?
all of them where, _at_the_time_ I used them, in use by a ISP customer which is located in the same building and visiting my website. All these IPs I tried are within the ISPs IP pool used for their customers (most of them ADSL and non in the same building I think).
I'm finding this a little difficult to picture. If I understand you correctly, the ISP has a pool of addresses to allocate to customers (dynamically?). At the time you were testing, a whole bunch of them had been allocated to a single customer in a single building. (That right there seems odd, unless they provide that customer with a dedicated pool -- in which case, those addresses would be reserved and never assigned to any other customer....)
So, I thought: - the IP (the router was reachable at) belonged to a PC somehow _within_ their network
It seems less likely that these addresses are all interfaces to the same router, than that there is a "port forward" configured which redirects a telnet connection directed at any of these addresses to a single place.
- there is no need for the ISP to use their _own_ IPs (as source IP) when remote administering (but maybe this provides a basic restriction of source IPs?)
My speculation is that they need to be able to use IPs besides their own, for whatever reason.
- why must the router be reachable _at_ (not from) some hundreds IP adresses (of their IP pool)?
If this is due to a port forward, the router may not give them a choice about that.
Is it common practice to admin a router by telnet from outside, exposing plain text password? Why not use ssh somehow? Is there no danger that anybody brute forces the router password and can disable internet access for all the ISPs customers?
Certainly SSH would be a better choice, IF the router supports it. While it's true that the Telnet password can be sniffed, they may argue that the people who have access to sniff it with any real hope of success are their own staff, many of whom probably already know it in order to do their jobs. The disconnect after three wrong tries makes it somwhat challenging to brute-force this password. The prompts look rather like those issued by many Cisco routers, on which that first password grants only limited read-only access and a second password may need to be broken to get more complete access. Can this router be locked down more securely? If not the current model, there are routers on the market which certainly could. Is the current configuration so easily exploitable that it constitutes an urgent threat to the ISP and its customers? Possibly, but the ISP doesn't seem to think so, and they *could* be right. I don't think you've quite proven them wrong yet, although you've made a pretty good start. David Gillett
Current thread:
- Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 27)
- RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 27)
- Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 28)
- RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 28)
- Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? John Doe (Jan 28)
- Re: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? david kuhlman (Jan 28)
- RE: Possible weird/insecure configuration of an ISP router exposed unfiltered to public internet? David Gillett (Jan 27)