-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've found a number of low risk issues with Mentor's ADSLFR4II router. I initially spoke to them on the 20th July, passing them full details of my findings on the 21st of July. I then emailed them again on the 4th of August asking for an update and notifying them of my intent to publish after close of business on the 11th of August unless I received adequate assurance that they are working on these issues. As it stands, I've had no contact since the 21st July and therefore have decided to publish this warning:

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20050719)

Date: 19th July 2005
Author: Tim Brown
URL: /
Product: ADSL-FR4II router (firmware v.2.00.0111 2004.04.09)
Vendor: Mentor
Risk: Low

Summary

This product has 4 vulnerabilities.

1) An undocumented port 5678/tcp is open on the internal interface, which allows access to the web application used to administer the router.

2) There is no default password configured for the web application used to administer the router.

3) The router's state table for active TCP connections to the device is such that a simple scan of all ports will prevent the router responding to valid connections to open TCP ports.

4) Backup configuration files downloaded from the router contain the administrative password for the web application used to configure the router in plain text.

Technical Details

1) Connecting to port 5678/tcp on the router's internal IP with a web browser presents the same web application as can be found on port 80/tcp. It may therefore be possible to access the application even where internal firewalls are blocking access to port 80/tcp. This would be of particular concern if there is another password that will allow access to the application in a similar manner to that described in http://www.securityfocus.com/bid/12507.

2) By default, the web application used to administer the router does not have a password configured. If a password is not configured then, in combination with vulnerability 1, it may be possible to compromise the router.

3) Running scanrand :all will prevent the router responding to valid connections to open TCP ports on either the external or internal interface, most likely due to the state table becoming full.

4) Running strings over backup configuration files downloaded from the router reveals the administrative password for the web application used to configure the router in plain text. If a system holding one of these backup configuration files is compromised then it may be possible to compromise the router.

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues at the current time.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (SunOS)

iD8DBQFC3hHaVAlO5exu9x8RAsVHAKCzO9cRj7jUhD2m7FPmQZMK3SQkUgCeOmsV
yJKqMejxWUt+ePJMDKannIk=
=QM8X
- -----END PGP SIGNATURE-----

Cheers,
Tim
- --
Tim Brown

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (SunOS)

iD8DBQFC/cYSVAlO5exu9x8RArifAKCy5fVgX5ZtR6ZG+U7gRO6Mr5d/sQCgntRS
wxrjcpmjXiW8mxy6BNVrb2E=
=icxb
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
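The check behind item 4 of the advisory (plaintext admin password recoverable from a downloaded backup with nothing more than strings), as an added example that is not part of Tim Brown's post or of any Mentor code: a small Python reimplementation of strings(1) followed by a scan that reports whether the operator's current admin password appears verbatim in the backup, and separately flags any string that merely looks like a credential field. The backup layout in SAMPLE_BACKUP (a binary header plus NUL-separated key=value records) and the password "Letmein1" are constructed for illustration; the advisory does not document the real ADSL-FR4II backup format, so the key-name heuristic in _CRED_KEY is an assumption rather than a description of that format.

```python
# Added example (not from the advisory): does a router backup leak the
# admin password to strings(1)? The sample backup layout below is
# CONSTRUCTED for illustration; the real ADSL-FR4II format is unknown.
import re
import string
from typing import List, Optional, Tuple

# strings(1) semantics: printable ASCII including space, excluding the
# whitespace control characters (\t \n \r \v \f).
_PRINTABLE = frozenset(string.printable.encode("ascii")) - frozenset(b"\t\n\r\x0b\x0c")


def strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, like strings(1)."""
    found: List[str] = []
    run = bytearray()
    for byte in blob:
        if byte in _PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # flush a run that ends at end-of-file
        found.append(run.decode("ascii"))
    return found


# Heuristic (assumed, not from the advisory): key names that commonly
# label credentials in config dumps and deserve a manual look.
_CRED_KEY = re.compile(r"passw(?:or)?d|pwd|secret|passphrase", re.IGNORECASE)


def find_plaintext_secrets(
    blob: bytes, known_password: Optional[str] = None
) -> List[Tuple[str, str]]:
    """Scan a backup for leaked credentials.

    Returns (reason, string) pairs: "known-password" when the operator's
    current admin password appears verbatim in a printable run, and
    "credential-key" for strings that merely look like a credential field.
    """
    hits: List[Tuple[str, str]] = []
    for s in strings(blob):
        if known_password and known_password in s:
            hits.append(("known-password", s))
        elif _CRED_KEY.search(s):
            hits.append(("credential-key", s))
    return hits


# Constructed sample backup: fake magic bytes, NUL-separated records and
# some non-printable padding. Not a real device dump.
SAMPLE_BACKUP = (
    b"\x00\x01\x02\x03"          # fake magic/version header
    + b"host=router\x00"
    + b"admin_pwd=Letmein1\x00"  # the kind of leak item 4 describes
    + b"\xff\xfe"
    + b"wan_ip=192.0.2.1"
)

if __name__ == "__main__":
    for reason, s in find_plaintext_secrets(SAMPLE_BACKUP, known_password="Letmein1"):
        print(f"{reason:16} {s}")
```

Run it against a real backup by reading the file into `blob` and passing the password you actually set on the device; a "known-password" hit means the backup must be handled as the credential itself (restricted permissions, not left on shared hosts), since the advisory offers no vendor fix. The "credential-key" path is only a pointer for manual review: a field named like a password may hold a hash or be empty, and a password stored under an unusual key would be missed by the name heuristic but still caught by the verbatim check.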