Low security hole affecting Mentor's ADSLFR4II router

[Tim Brown <netsys () machine org uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've found a number of low risk issues with Mentor's ADSLFR4II router. I
initially spoke to them on the 20th July, passing them full details of my
findings on the 21st of July. I then emailed them again on the 4th of
August asking for an update and notifying them of my intent to publish
after close of business on the 11th of August unless I recieved adequate
assurance that they are working on these issues. As it stands, I've had
no contact since the 21st July and therefore have decided to publish this
warning:

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20050719)
Date: 19th July 2005
Author: Tim Brown <mailto:timb () nth-dimension org uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: ADSL-FR4II router (firmware v.2.00.0111 2004.04.09)
<http://www.bona.com.tw:8080/product/ADSL-FR4II.htm>
Vendor: Mentor <http://www.bona.com.tw/>
Risk: Low

Summary

This product has 4 vulnerabilities.

1) An undocumented port 5678/tcp is open on the internal interface,
which allows access to the web application used to administer the
router.

2) There is no default password configured for the web application
user to administer the router.

3) The routers state table for active TCP connections to the device
is such that a simple scan of all ports will prevent the router
responding to valid connections to open TCP ports.

4) Backup configuration files downloaded from the router contain
the administrative password for the web application used to configure
the router in plain text.

Technical Details

1) Connecting to port 5678/tcp on the routers internal IP with a web
browser presents the same web application as can be found on port
80/tcp. It may therefore be possible to access the application even
where internal firewalls are blocking access to port 80/tcp. This
would be of particular concern if there is another password that
will allow access to the application in a similar manner to that
described in http://www.securityfocus.com/bid/12507.

2) By default, the web appplication used to administer the router
does not have a password configured. If a password is not configured
then in combination with vulnerability 1 it may be possible to
compromise the router.

3) Running scanrand <ip>:all will prevent the router responding to
valid connections to open TCP ports on either the external or internal
interface, most likely due to the state table becoming full.

4) Running strings over backup configuration files downloaded from
the router reveals the administrative password for the web application
used to configure the router in plain text. If a system holding
one of these backup configuration files is compromised then it may be
possible to compromise the router.

Solutions

Unfortunately, Nth Dimension are unware of any fixes for these issues
at the current time.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (SunOS)

iD8DBQFC3hHaVAlO5exu9x8RAsVHAKCzO9cRj7jUhD2m7FPmQZMK3SQkUgCeOmsV
yJKqMejxWUt+ePJMDKannIk=
=QM8X
- -----END PGP SIGNATURE-----

Cheers,
Tim
- --
Tim Brown
<mailto:netsys () machine org uk>
<http://www.machine.org.uk/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (SunOS)

iD8DBQFC/cYSVAlO5exu9x8RArifAKCy5fVgX5ZtR6ZG+U7gRO6Mr5d/sQCgntRS
wxrjcpmjXiW8mxy6BNVrb2E=
=icxb
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/