Belkin F5D6130 Wireless Network Access Point SNMP Request Denial Of Service Vulnerability

["wlanman" <wlanman () hoobie net>]

Just picked one of these AP's up the other day and during a quick fiddle
noticed a remote DoS.

It is possible to disable the Belkin F5D6130 802.11b AP by issuing a small
number of SNMP GetNextRequest requests to the AP.

The attack results in the AP dropping all wireless connections and ceasing
to accept any new connections, the wireless activity LED will stop blinking.
The AP will also stop responding to all IP traffic on it's ethernet
interface thus rendering the device unmanageable. The device will require
power cycling to resume correct operation.

The SNMP community name used in the requests is irrelevant. The device will
respond to the SNMP requests by broadcasting one or more SNMP traps and then
cease to function. This behaviour appears to be fairly consistent. The
attack takes a little longer if performed from a wireless system associated
to the target AP and may result in a loss of wireless connectivity only,
leaving the IP stack of the AP intact.

Snmpwalk may readily be used to test for this vulnerability as follows:
        'snmpwalk x.x.x.x goodnight'         (where x.x.x.x is the IP address of the
AP)
Occasionally must be run a couple of times in which case try specifying a
few different objectIDs.

This has been tested on a number of Belkin F5D6130 APs with the current
factory shipped firmware 1.4g.8.
It is not known if other firmware versions are affected or indeed if
differently branded AP devices using the same hardware are vulnerable.

regards

wlanman  <wlanman () hoobie net>

26th August 2002