[10216] in bugtraq

Re: aDSL routers

daemon@ATHENA.MIT.EDU (Joe Shaw)
Thu Apr 15 13:24:05 1999

Date: Wed, 14 Apr 1999 15:14:21 -0500
Reply-To: Joe Shaw <jshaw@INSYNC.NET>
From: Joe Shaw <jshaw@INSYNC.NET>
X-To: David Brumley <dbrumley@GOJU.STANFORD.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.GSO.3.96.990413225150.1104A-100000@goju.Stanford.EDU>

One could assume that since they set no admin password, yet discuss it in
the documentation, that it's not really a security flaw, but stupidity on
the part of lazy system managers.  If Flowpoint set the admin password
to their equipment to the same string on all shipped routers, this
would be no different than not resetting the default password to
something else.

You should always read the manuals for your equipment, and always pay
attention to the details like them suggesting you set or change a
password.

--
Joseph W. Shaw - jshaw@insync.net
Freelance Computer Security Consultant and Perl Programmer
Free UNIX advocate - "I hack, therefore I am."

On Tue, 13 Apr 1999, David Brumley wrote:

> Welp, aDSL is here.  And at least one manufacturer, flowpoint, sets no
> admin password.  It's in the documentation, so I assume the
> company already knows about this vulnerability:) System managers
> who have aDSL access often overlook this, so I thought I'd point it out.
> A quick fix: disable telnet access to all of your aDSL router IPs.
> Better fix: set an admin password.
>
> Version tested:
> FlowPoint/2000 ADSL Router
> FlowPoint-2000 BOOT/POST V4.0.2 (18-Mar-98 12:00)
> Software version v1.4.5 built Tue Aug 11 23:20:20 PDT 1998
>
> Cheers,
> -db
>
