[23732] in bugtraq


Linksys 'routers', SNMP issues

daemon@ATHENA.MIT.EDU (Matthew S. Hallacy)
Mon Jan 7 04:44:06 2002

Date: Sun, 6 Jan 2002 06:55:17 -0600
From: "Matthew S. Hallacy" <poptix@techmonkeys.org>
To: bugtraq@securityfocus.com
Message-ID: <20020106065517.E25681@techmonkeys.org>

Howdy.

LinkSys DSL 'routers' have some serious information leakage, and potential DDoS
usage. The following models have been confirmed as having this problem:
BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)

Querying these devices with the default community of 'public' causes them to set
the address that queried as their snmptrap host, dumping traffic such as the
following to that address:

Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __:    ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."

It looks like a combination of debugging information as well as traffic logging;
many customers never use the configuration page, let alone change the SNMP
communities. To make the matter worse, LinkSys refuses to distribute an MIB
for the device, which is not surprising considering the SNMP implementation
on the device is rather broken (it goes into a continuous loop).


LinkSys is routing all messages regarding SNMP to /dev/null

			Have a nice day.
			Matthew S. Hallacy
-- 

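The trap strings quoted in the post are a compact record of every outbound connection behind the router, so a trap receiver that was never meant to get them ends up with a per-host traffic log. The following is an added example, not code from the post or from LinkSys: it parses receiver-style lines in the format shown above (OID enterprises.3955.1.1.0), separates the "@out a ==> b[port]." connection records from the opaque debug strings, and indexes leaked destinations per LAN host. The LOG lines are constructed to match the quoted format and are not captured traffic; the port-to-service labels are a small lookup table added for readability, not something the device reports.

```python
"""Parse Linksys enterprise-specific SNMP trap payloads as printed by a trap
receiver and summarise what they leak.  Added example, not code from the post.
LOG below is constructed to match the format quoted in the post, not captured."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# OID under the Linksys enterprise arc (IANA enterprise number 3955) that
# carried the leaked strings in the post.
LINKSYS_TRAP_OID = "enterprises.3955.1.1.0"

# Service labels for a few ports; an assumption for readability only.
PORT_NAMES = {25: "smtp", 80: "http", 110: "pop3", 443: "https", 5632: "pcanywhere-stat"}

# One receiver output line: trap number, uptime, OID and the quoted payload.
TRAP_RE = re.compile(
    r'^Enterprise Specific Trap \((?P<specific>\d+)\) '
    r'Uptime: (?P<uptime>\d+ days?, [\d:.]+), '
    r'(?P<oid>enterprises(?:\.\d+)+) = "(?P<payload>.*)"$'
)
# Outbound-connection log form: "@out <lan ip> ==> <remote ip>[<port>]."
CONN_RE = re.compile(
    r'^@(?P<direction>out|in) (?P<src>(?:\d{1,3}\.){3}\d{1,3}) ==> '
    r'(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\[(?P<port>\d+)\]\.?$'
)


@dataclass(frozen=True)
class Trap:
    specific: int
    uptime: str
    oid: str
    payload: str


@dataclass(frozen=True)
class Connection:
    direction: str
    src: str
    dst: str
    port: int

    def service(self) -> str:
        return PORT_NAMES.get(self.port, "unknown")


def parse_trap(line: str) -> Optional[Trap]:
    """Return a Trap for one receiver output line, or None if it is not one."""
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    return Trap(int(m["specific"]), m["uptime"], m["oid"], m["payload"])


def parse_connection(payload: str) -> Optional[Connection]:
    """Decode the "@out a ==> b[port]." form; anything else is debug text."""
    m = CONN_RE.match(payload)
    if not m:
        return None
    return Connection(m["direction"], m["src"], m["dst"], int(m["port"]))


def summarise(lines: List[str]) -> Dict[str, object]:
    """Split Linksys traps into connection records and debug strings, and
    index the leaked (destination, port) pairs per LAN host."""
    connections: List[Connection] = []
    debug: List[str] = []
    per_host: Dict[str, set] = defaultdict(set)
    for line in lines:
        trap = parse_trap(line)
        if trap is None or trap.oid != LINKSYS_TRAP_OID:
            continue  # not a Linksys trap line; ignore it
        conn = parse_connection(trap.payload)
        if conn is None:
            debug.append(trap.payload)
            continue
        connections.append(conn)
        per_host[conn.src].add((conn.dst, conn.port))
    return {
        "connections": connections,
        "debug_payloads": debug,
        "per_host": {host: sorted(dests) for host, dests in per_host.items()},
    }


# Constructed sample in the format quoted in the post (not captured traffic).
LOG = [
    'Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."',
    'Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."',
    'Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."',
    'Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]."',
    'Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]."',
    'Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."',
    r'Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __:    ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."',
    # Trap from an unrelated enterprise OID, constructed to show it is filtered out.
    'Enterprise Specific Trap (1) Uptime: 0 days, 0:00:01.00, enterprises.99999.1 = "unrelated"',
]

if __name__ == "__main__":
    result = summarise(LOG)
    for host, dests in result["per_host"].items():
        print(f"{host} talked to:")
        for dst, port in dests:
            print(f"  {dst}:{port} ({PORT_NAMES.get(port, 'unknown')})")
    print(f"{len(result['debug_payloads'])} debug payload(s) also leaked")
```

Run against the constructed sample, it attributes five outbound connections (one POP3 session and four to port 5632) to the single LAN host 192.168.1.200 and sets the two opaque strings aside as debug output. Feeding it the output of a trap receiver pointed at one of the affected models would show an operator exactly what an attacker on the Internet learns from a single GET with the 'public' community.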
