Bugtraq mailing list archives
Re: SNMP community string disclosure in Linksys WAP55AG
From: "Robbie Stone" <robbie () serendipity palo-alto ca us>
Date: Thu, 19 Feb 2004 22:06:19 -0000
Simply requiring a valid read-only community string to obtain a read-write string is not sufficient enough protection. It is possible to expose a read-only community string through a packet broadcast on an unpopulated arp table on a switch, thus expose the entire unit to attack. The owner may not even wish to update any data via SNMP, but simply walking the table with a read-only string will allow any attacker to do so. Can anyone confirm if the strings are writable via the read-write community string? If an attacker was able to change the configuration and then lock-out the remote administration capabilities it would create quite a nuisance, especially if the access point is in a remote location. Robbie
On Wed, 17 Feb 2004, NN Poster wrote:Linksys WAP55AG does not properly secure SNMP community strings. In
particular, it is possible to obtain all community strings, including read/write, by querying OID 1.3.6.1.4.1.3955.2.1.13.1.2.
1.3.6.1.4.1.3955.2.1.13.1.2.1 = STRING: "public" 1.3.6.1.4.1.3955.2.1.13.1.2.2 = STRING: "private" Verified on WAP55AG, firmware 1.07But ... Can you obtain this information without a valid community string? Hugo. -- All email sent to me is bound to the rules described on my homepage. hvdkooij () vanderkooij org http://hvdkooij.xs4all.nl/ Don't meddle in the affairs of sysadmins, for they are subtle and quick to anger.
--
Current thread:
- SNMP community string disclosure in Linksys WAP55AG NN Poster (Feb 18)
- Re: SNMP community string disclosure in Linksys WAP55AG Hugo van der Kooij (Feb 19)
- Re: SNMP community string disclosure in Linksys WAP55AG Robbie Stone (Feb 20)
- <Possible follow-ups>
- Re: SNMP community string disclosure in Linksys WAP55AG Nicolai van der Smagt (Feb 20)
- Re: SNMP community string disclosure in Linksys WAP55AG Hugo van der Kooij (Feb 19)