Bugtraq mailing list archives
Advisory: Netopia R9100 router vulnerability
From: friedl () MTNDEW COM (Stephen Friedl)
Date: Mon, 8 May 2000 13:54:17 -0700
Security Advisory: Netopia R9100 DSL router
By: Stephen Friedl (steve () unixwiz net)
Date: 8 May 2000
Short summary:
The Netopia R9100 permits a user not authorized with a
special security password to neverthless modify the SNMP
community strings, including enabling SNMP access that should
be disabled.
Device Summary:
The Netopia R9100 is an Ethernet-to-Ethernet router intended
mainly for the DSL and cable modem markets, and it supports
NAT and various kinds of tunneling. It is managed with telnet,
HTTP, and with SNMP from either the inside or the outside
Ethernet interfaces.
Product information on this device can be found at:
http://www.netopia.com/equipment/routers/r9100/
One of the many setup screens permits the setting of SNMP
community names, both RO and RW, and setting the entries
to blanks effectively disables SNMP access. The security
setup screen (which requires a separate password from that
used during login) can be configured to restrict access to
any of the SNMP screens.
Vulnerability:
The R9100 has a command-line mode that is reached by typing
control-N after the user has passed the initial login test.
At the "#" prompt one can then do most management of the device.
This includes the setting of SNMP community strings in spite
of the limitation imposed by the administrator:
# set snmp community RO wookie
or
# set snmp community RW wookie
Impact:
Relatively low. The exploit can only be attempted by those
with existing access login to the device, and it doesn't seem
terribly common to have users allowed to manage nearly everything
except the SNMP strings.
Workaround:
Deny access to users who can't be trusted.
Versions Tested:
v4.6.2 (the latest) is the only version tested. Older
versions probably vulnerable also.
Other similar Netopia products possibly vulnerable also
Response from Netopia:
The new behavior will be when SNMP access is disabled in the
Security screen, and an attempt is made to configure the SNMP
read-write string via the Command Line and Telnet, the user
will get an error: -400 Access Denied.
This fix will be in the next release of firmware, version 4.7
(approx. end of May)
Steve
---
Stephen J Friedl|Software Consultant|Tustin, CA| +1 714 544-6561
3B2-kind-of-guy |I speak for me only| KA8CMY |steve () unixwiz net
Current thread:
- Re: glibc resolver weakness Steven M. Bellovin (May 03)
- Re: glibc resolver weakness D. J. Bernstein (May 06)
- Re: glibc resolver weakness Gary Ellison (May 08)
- AOL Instant Messenger Daniel P. Stasinski (May 08)
- Re: AOL Instant Messenger Oppenheimer, Max (May 09)
- New Allaire Security Zone Bulletin Posted Aleph One (May 08)
- Advisory: Netopia R9100 router vulnerability Stephen Friedl (May 08)
- Re: Advisory: Netopia R9100 router vulnerability Gary L. Burnore (May 09)
- Re: Advisory: Netopia R9100 router vulnerability Rob Tashjian (May 10)
- Microsoft Security Bulletin (MS00-031) Microsoft Product Security (May 10)
- Re: Advisory: Netopia R9100 router vulnerability Jeffrey Paul (May 13)
- "ClientSideTrojan" bug Kragen Sitaker (May 09)
- Re: "ClientSideTrojan" bug David L. Nicol (May 11)
- Re: "ClientSideTrojan" bug Magosanyi Arpad (May 16)
- BUFFER OVERRUN VULNERABILITIES IN KERBEROS Jeffrey I. Schiller (May 16)
- Re: BUFFER OVERRUN VULNERABILITIES IN KERBEROS Kris Kennaway (May 18)
- antisniff x86/linux remote root exploit, including "fixed" 1.02 version Sebastian (May 16)
- Re: Advisory: Netopia R9100 router vulnerability Gary L. Burnore (May 09)