[23733] in bugtraq


Re: Linksys 'routers', SNMP issues

daemon@ATHENA.MIT.EDU (John Duksta)
Mon Jan 7 09:49:59 2002

Date: Mon, 7 Jan 2002 09:07:31 -0500 (EST)
From: John Duksta <jduksta@genuity.com>
To: "Matthew S. Hallacy" <poptix@techmonkeys.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20020106065517.E25681@techmonkeys.org>
Message-ID: <Pine.GSO.4.05.10201070858230.24044-100000@ix.genuity.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


Matthew:

Are the Linksys devices accepting the SNMP packets on the
external interface? Granted, this is a pretty bad problem
in and of itself, but I would think not so bad if the Linksys
device is only accepting SNMP on the internal interface.

-john

-- 
John Duksta <jduksta@genuity.com>
Security Engineer  - Genuity
---------------------------------------------------------------------------
"Everything should be made as simple as possible but not simpler."
- A. Einstein

On Sun, 6 Jan 2002, Matthew S. Hallacy wrote:

> Howdy.
> 
> LinkSys DSL 'routers' have some serious information leakage, and potential DDoS
> usage. The following models have been confirmed as having this problem:
> BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
> BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)
> 
> Querying these devices with the default community of 'public' causes them to set
> the address that queried as their snmptrap host, dumping traffic such as the
> following to that address:
> 
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]."
> Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
> Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __:    ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."
> 
> It looks like a combination of debugging information as well as traffic logging.
> Many customers never use the configuration page, let alone change the SNMP
> communities. To make matters worse, LinkSys refuses to distribute an MIB
> for the device, which is not surprising considering the SNMP implementation
> on the device is rather broken (it goes into a continuous loop).
> 
> 
> LinkSys is routing all messages regarding SNMP to /dev/null
> 
> 			Have a nice day.
> 			Matthew S. Hallacy
> 
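The trap lines quoted above are the only "documentation" of what these devices emit, so an operator who wants to know what a trap receiver has been collecting needs to parse them. The following Python is an added example, not code from either poster or from Linksys: it parses trap lines in exactly the layout quoted in the post (the `Enterprise Specific Trap (N) Uptime: ..., enterprises.3955.1.1.0 = "..."` form), splits the payload into connection records (`@out <internal> ==> <external>[port]`) versus free-form debug text, and summarises which internal hosts and external endpoints a receiver has learned about. The sample input is constructed from the post's lines plus one non-trap line to show that junk is skipped. Seeing records like these arrive at a collector that was never configured as the device's trap host is the tell-tale sign that the device accepted an unauthenticated query and rewrote its trap destination.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: trap lines in the exact layout quoted in the post,
# plus one line that is not a trap at all (it must be ignored by the parser).
SAMPLE_TRAPS = r"""
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP:    ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __:    ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."
this line is not a trap and must be skipped
"""

# Outer trap envelope. Uptime itself contains a comma ("2 days, 19:00:23.36"),
# so the uptime group is lazy and the OID group anchors the end of it.
TRAP_RE = re.compile(
    r'^Enterprise Specific Trap \((?P<trap>\d+)\) '
    r'Uptime: (?P<uptime>.+?), '
    r'(?P<oid>enterprises\.[\d.]+) = "(?P<payload>.*)"$'
)
# Connection-log payloads: "@out <internal host> ==> <external host>[<port>]."
CONN_RE = re.compile(
    r'^@(?P<direction>[a-z]+) (?P<src>\d+(?:\.\d+){3}) ==> '
    r'(?P<dst>\d+(?:\.\d+){3})\[(?P<port>\d+)\]\.?$'
)


@dataclass
class TrapRecord:
    trap_type: int
    uptime: str
    oid: str
    kind: str                     # "connection" or "debug"
    payload: str
    direction: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    port: Optional[int] = None


def parse_trap_line(line: str) -> Optional[TrapRecord]:
    """Parse one trap line; return None for lines that are not traps."""
    m = TRAP_RE.match(line.strip())
    if not m:
        return None
    payload = m.group("payload")
    rec = TrapRecord(int(m.group("trap")), m.group("uptime"),
                     m.group("oid"), "debug", payload)
    c = CONN_RE.match(payload)
    if c:
        rec.kind = "connection"
        rec.direction = c.group("direction")
        rec.src = c.group("src")
        rec.dst = c.group("dst")
        rec.port = int(c.group("port"))
    return rec


def parse_trap_log(text: str) -> List[TrapRecord]:
    """Parse every line of a trap receiver log, dropping non-trap lines."""
    records = (parse_trap_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def summarize(records: List[TrapRecord]) -> Dict[str, object]:
    """Count record kinds and collect the hosts/endpoints the traps expose."""
    summary: Dict[str, object] = {
        "connection": 0,
        "debug": 0,
        "internal_hosts": set(),
        "external_endpoints": set(),
    }
    for r in records:
        summary[r.kind] += 1
        if r.kind == "connection":
            summary["internal_hosts"].add(r.src)
            summary["external_endpoints"].add((r.dst, r.port))
    return summary


if __name__ == "__main__":
    recs = parse_trap_log(SAMPLE_TRAPS)
    s = summarize(recs)
    print(f"{s['connection']} connection records, {s['debug']} debug records")
    print("internal hosts seen:", sorted(s["internal_hosts"]))
    print("external endpoints seen:", sorted(s["external_endpoints"]))
```

Run against a real receiver log, the summary tells you in one glance how much of the internal network's outbound activity a trap destination has been handed: the debug records carry whatever the firmware felt like logging, while the connection records map an internal address to every external host and port it talked to.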

