hypo_linksys_advisory.txt

Reported by Hypoclear, 02 Aug 2001. Source: packetstorm (packetstormsecurity.com).

Linksys router exposes passwords in HTML source, risking user and ISP account security.

[[:UPDATE hypoclear security advisory UPDATE:]]
  
Update Note: Thanks to the guys on the vuln-watch list who helped  
with a better solution!  
  
  
Vendor : Linksys | http://www.linksys.com/  
Product : EtherFast 4-Port Cable/DSL Router  
Category : Design Flaw  
Date : 08-02-01  
Update : 08-02-01  
  
CONTENTS  
1. Overview  
2. Details  
3. "Exploit"  
4. Possible Solution  
5. Vendor Response  
6. Contact  
7. Disclaimer  
  
  
1. Overview:  
  
The Linksys "EtherFast 4-Port Cable/DSL Router" is subject to a security flaw in its
design. Passwords for the router and for the user's ISP account can be viewed in the HTML
source code served by the router.
  
  
  
2. Details:  
  
The login passwords for both the router and the user's ISP are passed to the router's
configuration pages. While they cannot be viewed directly in the browser window, the
passwords are in "cleartext" when the HTML source code is viewed. This may lead to a
compromise of the router and of the user's ISP account. The pages in question are index.htm,
which contains the user's ISP logon and password, and Passwd.htm, which contains the
password for the router.
  
If combined with a "sniffer" attack, the source code (with passwords) can be viewed during
transmission to the administrator's browser.
  
(Note: The transmissions can only be "sniffed" within the LAN behind the router.)  
  
  
  
3. "Exploit"  
  
There is no exploit code needed to exploit this vulnerability. The passwords are stored
and transmitted in "cleartext" within the HTML source. The passwords can easily be viewed
by sniffing the Ethernet segment when an administrator logs in and views the offending pages.
  
Sections of offending code (code formatted for easier viewing):  
  
On index.htm:  
  
--- code cut ---
<b>User Name: &nbsp;</b></font><input name=pppoeUName size=20 maxlength=63 value=USERS_ISP_LOGIN_HERE>
</td></tr><tr><th bgcolor=6666cc>&nbsp;</th>
<td>&nbsp; &nbsp; <font face=verdana size=2><b>Password: &nbsp;
&nbsp;</b></font><input type=password name=pppoePWD size=20 maxlength=63 value=USERS_ISP_PASSWORD_HERE></td>
--- end code cut ---
  
  
On Passwd.htm:  
  
--- code cut ---
<br>Router Password: &nbsp;</th><td> <br> &nbsp;
<input type=password name=sysPasswd size=25 maxlength=63 value=ROUTER_PASSWORD_HERE>
<font color=blue face=Arial size=2>
(Enter New Password)</td></tr> <tr><th bgcolor=6666cc align=right><font
color=white face=Arial size=2>&nbsp;</th> <td> &nbsp;
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value=CONFIRM_OF_ROUTER_PASSWORD_HERE>
--- end code cut ---
  
  
  
4. Possible Solution  
  
A suggested solution for this problem is to not transmit the passwords to the offending  
pages. Instead, keep them stored in the router, and only allow for the update of  
passwords on the pages (if desired by the user).  
  
This particular solution is not possible without a vendor patch.
There has been no response from Linksys.
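The two halves of the problem described above (sections 2-3: the secret is written into the page as a value attribute; section 4: the page should carry an empty field and the router should only accept an update) can be checked and demonstrated with a small script. The following is an added example, not code from the advisory or from Linksys firmware. The HTML sample is constructed to mirror the index.htm and Passwd.htm cuts; the field names pppoeUName, pppoePWD, sysPasswd and sysPasswdConfirm come from the advisory, everything else (function names, the sample values) is assumed.

```python
"""Audit an HTML page for credentials embedded in form fields, and show a
form renderer that does not embed the stored secret.

Added example, not part of the original advisory or the router firmware."""
from html.parser import HTMLParser
from html import escape

# Constructed sample modelled on the advisory's index.htm / Passwd.htm
# fragments: every password field carries the stored secret as its value.
LEAKY_PAGE = """
<input name=pppoeUName size=20 maxlength=63 value=isp-user>
<input type=password name=pppoePWD size=20 maxlength=63 value=isp-secret>
<input type=password name=sysPasswd size=25 maxlength=63 value=router-secret>
<input type=password name=sysPasswdConfirm size=25 maxlength=63 value=router-secret>
"""


class _InputCollector(HTMLParser):
    """Collect every <input> tag with its attributes (html.parser accepts the
    unquoted attribute values the router's pages use)."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            self.inputs.append({k.lower(): (v or "") for k, v in attrs})


def find_embedded_secrets(html_text,
                          secret_names=("pppoePWD", "sysPasswd", "sysPasswdConfirm")):
    """Return [(field name, value)] for password-type or known-secret inputs
    whose value attribute is non-empty. Each hit is a credential written into
    the page source, i.e. visible in view-source and on the wire."""
    parser = _InputCollector()
    parser.feed(html_text)
    hits = []
    for attrs in parser.inputs:
        name = attrs.get("name", "")
        is_secret = attrs.get("type", "").lower() == "password" or name in secret_names
        if is_secret and attrs.get("value", ""):
            hits.append((name, attrs["value"]))
    return hits


def render_password_form(stored_router_password, expose_stored=False):
    """Render the router-password form. expose_stored=True reproduces the
    design the advisory describes (value=<stored password>); the default
    emits empty fields, so the secret never leaves the router."""
    value = escape(stored_router_password, quote=True) if expose_stored else ""
    return (
        '<input type="password" name="sysPasswd" maxlength="63" value="%s">\n'
        '<input type="password" name="sysPasswdConfirm" maxlength="63" value="%s">'
    ) % (value, value)


def apply_password_update(stored, submitted, confirm):
    """Server side of the advisory's suggested fix: keep the stored password
    unless the user actually typed a new one and confirmed it."""
    if submitted == "":
        return stored  # an empty field means "no change", not "set to empty"
    if submitted != confirm:
        raise ValueError("new password and confirmation do not match")
    return submitted


if __name__ == "__main__":
    print("leaky page:", find_embedded_secrets(LEAKY_PAGE))
    print("hardened form:", find_embedded_secrets(render_password_form("r0uter")))
```

Run the audit function over the saved source of any admin page (or over a captured response) to confirm no password field still carries a value; the renderer shows why an empty value attribute is enough, since the router keeps the stored secret and only replaces it when a non-empty, confirmed value is submitted.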
  
  
Another solution has been given by weld on the vuln-watch list.

He states:
"I would say the solution is to only admin the router from a workstation that
is directly connected to one of the switch ports and to add a static arp cache
entry for the router on the workstation. That will deny any arp cache poisoning
which would work to sniff across the switch."
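A way to verify that the workaround above is actually in place on the admin workstation is to parse the host's ARP table and confirm the router's entry is permanent and still carries the MAC you recorded. This is an added example, not part of the advisory or of weld's post. It assumes the output formats of net-tools `arp -an` and `ip neigh` as modelled in the constructed samples; the addresses are documentation values.

```python
"""Check that the workstation's ARP entry for the router is static.

Added example, not part of the advisory. Run it on the real output of
`arp -an` or `ip neigh` from your own workstation; the samples below are
constructed."""
import re

# Constructed `arp -an` output (Linux net-tools). The router entry here is
# dynamic, so a spoofed reply could overwrite it.
ARP_AN_DYNAMIC = """\
? (192.168.1.1) at 00:00:5e:00:53:01 [ether] on eth0
? (192.168.1.23) at 00:00:5e:00:53:17 [ether] on eth0
"""
# Same table after `arp -s 192.168.1.1 00:00:5e:00:53:01`: the PERM flag.
ARP_AN_STATIC = """\
? (192.168.1.1) at 00:00:5e:00:53:01 [ether] PERM on eth0
"""
# Constructed `ip neigh` output, which marks static entries PERMANENT.
IP_NEIGH_STATIC = "192.168.1.1 dev eth0 lladdr 00:00:5e:00:53:01 PERMANENT\n"

_ARP_AN = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})(?P<rest>.*)", re.I)
_IP_NEIGH = re.compile(r"^(?P<ip>[\d.]+) dev \S+ lladdr (?P<mac>[0-9a-f:]{17})(?P<rest>.*)", re.I)


def parse_arp_table(text):
    """Return {ip: (mac, is_static)} from either command's output."""
    table = {}
    for line in text.splitlines():
        m = _ARP_AN.search(line) or _IP_NEIGH.match(line)
        if not m:
            continue
        flags = m.group("rest").upper()  # "PERM" also matches "PERMANENT"
        table[m.group("ip")] = (m.group("mac").lower(), "PERM" in flags)
    return table


def router_entry_status(text, router_ip, expected_mac=None):
    """'static'   -> permanent entry (and matches expected_mac if given)
       'dynamic'  -> present but overwritable by spoofed ARP replies
       'missing'  -> no entry at all
       'mismatch' -> MAC differs from the one recorded for the router"""
    entry = parse_arp_table(text).get(router_ip)
    if entry is None:
        return "missing"
    mac, is_static = entry
    if expected_mac and mac != expected_mac.lower():
        return "mismatch"
    return "static" if is_static else "dynamic"


if __name__ == "__main__":
    for label, sample in (("dynamic", ARP_AN_DYNAMIC), ("static", ARP_AN_STATIC)):
        print(label, "->", router_entry_status(sample, "192.168.1.1"))
```

Anything other than "static" means the workstation would still accept a forged ARP reply for the router's address; "mismatch" on a previously static entry is worth treating as an incident rather than a configuration slip.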
  
  
  
5. Vendor Response  
  
07-23-01: Sent problem to Linksys via the email address [email protected].   
No security email address could be found on their web-site.  
The email stated the problem and a possible solution.  
  
07-30-01: No response was given to the initial email, so a second email was sent.
The email stated that I had already tried to contact them over a week ago,
and if no response was given in the next few days I would release the advisory.
  
08-02-01: At the time of the release of this advisory, Linksys has not responded.  
  
  
  
6. Contact  
  
Written by hypoclear.  
email : [email protected]  
home page : http://hypoclear.cjb.net  
  
  
7. Disclaimer  
  
This advisory remains the property of hypoclear.  
This advisory can be freely distributed in any form.   
If this advisory is distributed it must remain in its entirety.  
  
This and all of hypoclear's releases fall under his disclaimer,   
which can be found at: http://hypoclear.cjb.net/hypodisclaim.txt  
  


Vulners AI Score: 7.4 (High risk)