[11335] in bugtraq

home help back first fref pref prev next nref lref last post

Re: FlowPoint DSL router vulnerability

daemon@ATHENA.MIT.EDU (Scott Drassinower)
Tue Aug 10 18:26:47 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.BSF.4.10.9908100926510.94768-100000@earl-grey.cloud9.net>
Date:         Tue, 10 Aug 1999 09:29:05 -0400
Reply-To: Scott Drassinower <scottd@CLOUD9.NET>
From: Scott Drassinower <scottd@CLOUD9.NET>
X-To:         Eric Budke <budke@budke.com>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <4.2.0.58.19990810071800.00ae1a00@popserver.panix.com>

Brute force, as it is not likely you will know what the number is without
physical access to the router.

If you were to block telnet and snmp access to the router, then you
probably would only have to worry about access via the console port.  I
think that FlowPoint's graphical admin tools use snmp, but if they don't,
you'll have to figure out how to block those as well.

--
 Scott M. Drassinower					    scottd@cloud9.net
 Cloud 9 Consulting, Inc.			       	     White Plains, NY
 +1 914 696-4000					http://www.cloud9.net

On Tue, 10 Aug 1999, Eric Budke wrote:

> At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
> >It involves a bug that allows a password recovery feature to be utilized
> >from the LAN or WAN instead of just the serial console port.
> >
> >Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
> >allow you to get access to the box to do whatever you want.  It appears as
> >if the problem started in 3.0.4, but I am not totally certain about that.
>
> So the vulnerability is essentially a brute force against telnet/snmp?
> Assuming you filter those out, is there another way of accessing?
>
> >--
> >  Scott M. Drassinower                                       scottd@cloud9.net
> >  Cloud 9 Consulting, Inc.                                    White Plains, NY
> >  +1 914 696-4000                                        http://www.cloud9.net
> >
> >On Thu, 5 Aug 1999, Matt wrote:
> >
> > > The following URL contains information about a firmware upgrade for
> > > FlowPoint DSL routers that fixes a possible "security compromise".
> > > FlowPoint has chosen not to release ANY information whatsoever about the
> > > vulnerability. I was curious if anyone had any more information
> > > about this vulnerability than what FlowPoint is divulging.
> > >
> > > http://www.flowpoint.com/support/techbulletin/sec308.htm
> > >
> > > thnx
> > >
> > > --
> > > I'm not nice, I'm vicious--it's the secret of my charm.
> > >
>
> --
> PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt
>
home help back first fref pref prev next nref lref last post