ADSLFR4II.txt

2005-08-17T00:00:00
ID PACKETSTORM:39404
Type packetstorm
Reporter Tim Brown
Modified 2005-08-17T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
I've found a number of low risk issues with Mentor's ADSLFR4II router. I  
initially spoke to them on the 20th July, passing them full details of my  
findings on the 21st of July. I then emailed them again on the 4th of  
August asking for an update and notifying them of my intent to publish  
after close of business on the 11th of August unless I recieved adequate  
assurance that they are working on these issues. As it stands, I've had  
no contact since the 21st July and therefore have decided to publish this  
warning:  
  
- -----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Nth Dimension Security Advisory (NDSA20050719)  
Date: 19th July 2005  
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>  
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>  
Product: ADSL-FR4II router (firmware v.2.00.0111 2004.04.09)  
<http://www.bona.com.tw:8080/product/ADSL-FR4II.htm>  
Vendor: Mentor <http://www.bona.com.tw/>  
Risk: Low  
  
Summary  
  
This product has 4 vulnerabilities.  
  
1) An undocumented port 5678/tcp is open on the internal interface,  
which allows access to the web application used to administer the  
router.  
  
2) There is no default password configured for the web application  
user to administer the router.  
  
3) The routers state table for active TCP connections to the device  
is such that a simple scan of all ports will prevent the router  
responding to valid connections to open TCP ports.  
  
4) Backup configuration files downloaded from the router contain  
the administrative password for the web application used to configure  
the router in plain text.  
  
Technical Details  
  
1) Connecting to port 5678/tcp on the routers internal IP with a web  
browser presents the same web application as can be found on port  
80/tcp. It may therefore be possible to access the application even  
where internal firewalls are blocking access to port 80/tcp. This  
would be of particular concern if there is another password that  
will allow access to the application in a similar manner to that  
described in http://www.securityfocus.com/bid/12507.  
  
2) By default, the web appplication used to administer the router  
does not have a password configured. If a password is not configured  
then in combination with vulnerability 1 it may be possible to  
compromise the router.  
  
3) Running scanrand <ip>:all will prevent the router responding to  
valid connections to open TCP ports on either the external or internal  
interface, most likely due to the state table becoming full.  
  
4) Running strings over backup configuration files downloaded from  
the router reveals the administrative password for the web application  
used to configure the router in plain text. If a system holding  
one of these backup configuration files is compromised then it may be  
possible to compromise the router.  
  
Solutions  
  
Unfortunately, Nth Dimension are unware of any fixes for these issues  
at the current time.  
- -----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.6 (SunOS)  
  
iD8DBQFC3hHaVAlO5exu9x8RAsVHAKCzO9cRj7jUhD2m7FPmQZMK3SQkUgCeOmsV  
yJKqMejxWUt+ePJMDKannIk=  
=QM8X  
- -----END PGP SIGNATURE-----  
  
Cheers,  
Tim  
- --  
Tim Brown  
<mailto:netsys@machine.org.uk>  
<http://www.machine.org.uk/>  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.6 (SunOS)  
  
iD8DBQFC/cYSVAlO5exu9x8RArifAKCy5fVgX5ZtR6ZG+U7gRO6Mr5d/sQCgntRS  
wxrjcpmjXiW8mxy6BNVrb2E=  
=icxb  
-----END PGP SIGNATURE-----  
`