[30751] in bugtraq
Re: Asus AAM6000EV ADSL Router Wide Open
daemon@ATHENA.MIT.EDU (Ben Wheeler)
Tue Jul 15 17:08:23 2003
Date: Tue, 15 Jul 2003 14:01:34 +0100
From: Ben Wheeler <jammin@life.eu.org>
To: bugtraq@securityfocus.com
Message-ID: <20030715130134.GC9083@brucia.ulcc.ac.uk>
Mail-Followup-To: bugtraq@securityfocus.com,
cw <security@fidei.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2003714194538.677980@beddo>
On Mon, Jul 14, 2003 at 07:45:38PM +0100, cw wrote:
> Asus have been notified but haven't even acknowledged yet alone mentioned a fix.
>
> If the inbuilt webserver is activated, anyone on the local network
> can get the full user/pass list from the router without any identification
It's far worse than that, if the state in which my router was supplied is
typical. As I received it, the webserver was enabled by default, *and*
was accessible from the internet as well as the local network. I had to
explicitly set up ip_filter rules to restrict access (the same goes for
telnet access by the way). Worse, there was a bug which caused ip_filter
rules not to be saved properly, so they were not restored after a reset.
Fortunately this has been fixed in the last flash update (71205a32) but
this same update also removes the requirement to specify a username.
You now only need any one of the valid passwords to login. Asus really
don't seem to have a clue. Finding out what has changed between the flash
versions, either from them or from Solwise the UK distributors, is impossible.
It takes a particularly special kind of incompetence to keep the passwords
unencrypted and accessible via the webserver. I certainly won't be buying
another of their products.
The only workaround I know of is to set up ip_filter rules, which is way
beyond the capabilities of most home users (truthfully, quite a number
may not even have changed the default login password). I'm not aware of
any way to disable the httpd completely. Anyone?
Ben Wheeler
