Security Incidents mailing list archives

Re: ckcool?


From: "Johan Denoyer" <jdenoy () dci 4mg com>
Date: Thu, 21 Feb 2002 18:03:08 +0100

PPL,

Read the following advisory for the password problem on the Linksys Router:

-----------------------------------------------
        [[:UPDATE hypoclear security advisory UPDATE:]]

Update Note: Thanks to the guys on the vuln-watch list who helped
             with a better solution!


Vendor   :  Linksys | http://www.linksys.com/
Product  :  EtherFast 4-Port Cable/DSL Router
Category :  Design Flaw
Date     :  08-02-01
Update   :  08-02-01

CONTENTS
1. Overview
2. Details
3. "Exploit"
4. Possible Solution
5. Vendor Response
6. Contact
7. Disclaimer


1. Overview:

The Linksys "EtherFast 4-Port Cable/DSL Router" is subject to a security flaw in its design. Passwords for the router and the user's ISP account can be viewed in the HTML source code stored on the router.



2. Details:

The login passwords for both the router and the user's ISP are passed to the router's configuration pages. While they cannot be viewed directly in the browser window, the passwords are in "cleartext" if viewed via the HTML source code. This may lead to a compromise of the router and the user's ISP account. The pages in question are index.htm, which contains the user's ISP logon and password, and Passwd.htm, which contains the password for the router.

If combined with a "sniffer" attack, the source code (with passwords) can be viewed during transmission to the administrator's browser.

(Note: The transmissions can only be "sniffed" within the LAN behind the router.)



3. "Exploit"

There is no exploit code needed to exploit this vulnerability. The passwords are stored and transmitted in "cleartext" within the HTML source. The passwords can easily be viewed by sniffing the ethernet when an Administrator logs in and views the offending pages.

Sections of offending code (code formatted for easier viewing):

On index.htm:

--- code cut ---
<b>User Name: &nbsp;</b></font><input name=pppoeUName size=20 maxlength=63 value=USERS_ISP_LOGIN_HERE>
</td></tr><tr><th bgcolor=6666cc>&nbsp;</th>
<td>&nbsp; &nbsp; <font face=verdana size=2><b>Password: &nbsp; &nbsp;</b></font><input type=password name=pppoePWD size=20 maxlength=63 value=USERS_ISP_PASSWORD_HERE></td>
--- end code cut ---


On Passwd.htm:

--- code cut ---
<br>Router Password: &nbsp;</th><td> <br> &nbsp;
<input type=password name=sysPasswd size=25 maxlength=63 value=ROUTER_PASSWORD_HERE>
<font color=blue face=Arial size=2>(Enter New Password)</td></tr>
<tr><th bgcolor=6666cc align=right><font color=white face=Arial size=2>&nbsp;</th> <td> &nbsp;
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value=CONFIRM_OF_ROUTER_PASSWORD_HERE>
--- end code cut ---



4. Possible Solution

A suggested solution for this problem is to not transmit the passwords to the offending pages. Instead, keep them stored in the router, and only allow for the update of passwords on the pages (if desired by the user).

This particular solution is not possible without a vendor patch.
There has been no response from Linksys.


Another solution has been given by weld on the vuln-watch list.

He states:
"I would say the solution is to only admin the router from a workstation that is directly connected to one of the switch ports and to add a static arp cache entry for the router on the workstation. That will deny any arp cache poisoning which would work to sniff across the switch."



5. Vendor Response

07-23-01: Sent problem to Linksys via the email address support () linksys com.
          No security email address could be found on their web-site.
          The email stated the problem and a possible solution.

07-30-01: No response was given to the initial email, so a second email was sent.
          The email stated that I had already tried to contact them over a week ago,
          and if no response was given in the next few days I would release the advisory.

08-02-01: At the time of the release of this advisory, Linksys has not responded.



6. Contact

Written by hypoclear.
email     : hypoclear () jungle net
home page : http://hypoclear.cjb.net


7. Disclaimer

This advisory remains the property of hypoclear.
This advisory can be freely distributed in any form.
If this advisory is distributed it must remain in its entirety.

This and all of hypoclear's releases fall under his disclaimer,
which can be found at: http://hypoclear.cjb.net/hypodisclaim.txt

------------------------------------------------------------------------------

Later,
Johan Denoyer
Liberty-Net
System and Network Administrator
http://www.liberty-net.org
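An added check (example code, not from the advisory or from Linksys) that audits an HTML configuration page for the flaw described in sections 2 and 3 of the advisory: password inputs whose value attribute carries the stored secret. The sample pages are constructed to mirror the quoted index.htm and Passwd.htm fragments; the second one is rendered the way section 4 suggests, with the password fields sent empty.

```python
# Added example (not code from the advisory or from Linksys): audit an HTML
# configuration page for password inputs whose value attribute carries the
# stored secret. The sample pages below are constructed to mirror the quoted
# index.htm / Passwd.htm fragments; the field names come from the advisory.
from html.parser import HTMLParser


class PasswordValueAuditor(HTMLParser):
    """Record the name of every <input type=password> whose value is non-empty."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":  # HTMLParser lower-cases tag and attribute names
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("type", "").lower() == "password" and a.get("value", ""):
            self.leaks.append(a.get("name", "<unnamed>"))


def find_prefilled_password_fields(html):
    """Return the names of password fields that would ship the secret to the browser."""
    auditor = PasswordValueAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.leaks


# Constructed page in the style of the advisory's fragments: the ISP password
# (index.htm) and the router password (Passwd.htm) are echoed into value=.
VULNERABLE_PAGE = """
<input name=pppoeUName size=20 maxlength=63 value=isp-user>
<input type=password name=pppoePWD size=20 maxlength=63 value=isp-pass>
<input type=password name=sysPasswd size=25 maxlength=63 value=routerpw>
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value=routerpw>
"""

# The same form rendered as section 4 suggests: the secrets stay on the router
# and the password fields are sent empty, so the page can only set a new one.
FIXED_PAGE = """
<input name=pppoeUName size=20 maxlength=63 value=isp-user>
<input type=password name=pppoePWD size=20 maxlength=63 value="">
<input type=password name=sysPasswd size=25 maxlength=63 value="">
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value="">
"""

if __name__ == "__main__":
    print(find_prefilled_password_fields(VULNERABLE_PAGE))  # ['pppoePWD', 'sysPasswd', 'sysPasswdConfirm']
    print(find_prefilled_password_fields(FIXED_PAGE))       # []
```

The same auditor can be pointed at a saved copy of any admin page; the username field is deliberately not flagged, since only password-type inputs are covered by the advisory.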
----- Original Message -----
From: "Bob Maccione" <Bob_Maccione () hilton com>
To: <incidents () securityfocus com>
Sent: Tuesday, February 19, 2002 3:45 PM
Subject: ckcool?


I have a friend that got hacked running linux. Luckily it's an immature enough hack that the mess left behind told me what happened. In this case a user was created called 'ckcool' and then a rootkit was thrown down. I'm going to get the disk from him to see what all was done but one thing puzzled me. It seems that the password on the Linksys firewall/router was also changed.

Has anyone seen/heard of any vulnerabilities in the Linksys Cable/DSL router/firewalls?

thanks
bob


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com