[Hudlug] [Fwd: Security issues in D-Link DSL-300/DSL-300G+ Broadband Modem/Router]

Charles Blackburn hudlug at mailman.lug.org.uk
Tue Apr 1 01:18:01 2003


-----Forwarded Message-----

> From: Arhont Information Security <infosec@arhont.com>
> To: bugtraq@securityfocus.com
> Subject: Security issues in D-Link DSL-300/DSL-300G+ Broadband Modem/Router
> Date: 31 Mar 2003 15:42:07 +0000
> 
> 
> 
> Arhont Ltd	- 	Information Security Company
> 
> Arhont Advisory by:		Andrei Mikhailovsky (www.arhont.com)
> Advisory:			D-Link DSL Broadband Modem/Router 
> Router Model Name:		D-Link DSL-300G/DSL-300G+
> Model Specific:			Other models might be vulnerable as well
> Manufacturer site:		http://www.dlink.com
> Manufacturer contact (UK):	Tel: 0800 9175063 / 0845 0800288
> Contact Date:			06/03/2003
> 
> DETAILS:
> 
> While performing general security testing of a
> network, we found several security vulnerabilities
> in the D-Link DSL Broadband Modem models
> DSL-300G and DSL-300G+. This issue is similar to the
> one found in D-link DSL-500 modem/router
> (http://www.securityfocus.com/archive/1/316489/2003-03-27/2003-04-02/0).
> 
> Issue 1:
> The default router installation enables SNMP (Simple
> Network Management Protocol) server with default
> community names for read and read/write access. The
> models DSL-300G and DSL-300G+ only allow SNMP access
> from the LAN (Local Area Network) side.
> 
> andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
> sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
> ANNEXA  (Oct 18 2002) R2.05.b4t9uk
> Copyright (c) 2000 Dlink Corp.
> sysObjectID.0 = OID: enterprises.171.10.30.1
> sysUpTime.0 = Timeticks: (27941701) 3 days, 5:36:57.01
> ...
> ...
> 
> The community name: public
> 
> allows read access to the mentioned devices, allowing
> enumeration and gathering of sensitive network
> information.
> 
> The community name: private
> 
> allows read/write access to devices, thus allowing
> change of the network settings of the broadband modem.
> 
> Impact: This vulnerability allows local malicious
> attackers to retrieve and change network settings of
> the modem.
> 
> Risk Factor: Medium/High
> 
> Possible Solutions:
> 1. Firewall UDP port 161 from LAN/WAN sides, as it is
> not possible to disable SNMP service from the web
> management interface.
> 2. You can change or disable the SNMP default settings by
> connecting to the modem/router using telnet with the
> password string "private". (This solution has been
> pointed out by Snowy Maslov <Snowy.Maslov@fujitsu.com.au>.)
> 
> Issue 2:
> The default remote administration password for
> telnet cannot be changed during setup via the web
> interface. Even after configuring the modem in the web
> interface and changing the default password, malicious
> attackers can access the unit with telnet and the default
> administrator password "private".
> 
> Risk Factor: Medium/High
> 
> Possible Solutions: Manually change the default
> password via telnet and reboot the modem.
> 
> Issue 3:
> The ISP account information, including login name and
> password, is stored on the modem without encryption. It
> is therefore possible to retrieve this information with a
> simple SNMP gathering utility such as snmpwalk:
> 
> andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
> sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
> ANNEXA  (Oct 18 2002) R2.05.b4t9uk
> Copyright (c) 2000 Dlink Corp.
> sysObjectID.0 = OID: enterprises.171.10.30.1
> ...
> ...
> ...
> transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
> ...
> ...
> transmission.23.2.3.1.6.2.1 = STRING: "password-string"
> ...
> ...
> ...
> 
> Impact: This vulnerability allows LAN malicious
> attackers to retrieve confidential information.
> 
> Risk Factor: Very High
> 
> Possible Solutions:  As a temporary solution you should
> firewall UDP port 161 from the LAN side, as it is not
> possible to disable the SNMP service from the web
> management interface.
> 
> According to the Arhont Ltd. policy, all of the found
> vulnerabilities and security issues will be reported to
> the manufacturer 7 days before releasing them to the
> public domains (such as CERT and BUGTRAQ), unless
> specifically requested by the manufacturer.
> 
> If you would like to get more information about this
> issue, please do not hesitate to contact the Arhont team.
> 
> 
> Kind Regards,
> 
> Andrei Mikhailovsky
> Arhont Ltd
> http://www.arhont.com
> GnuPG Keyserver: blackhole.pca.dfn.de
> GnuPG Key:	 0xFF67A4F4
>