|
If this not work you
can test the connection with tftp or maybe you must have an
administrator tool for this cablemodem. I really don't know
this software.
___________________________________________________________________________
Jun, 11 2002
Summary
Linksys Cable/DSL has been found to contain a security vulnerability
that occurs when an administrator flashes (updates
the firmware) the product to the latest version. The vulnerability
would allow remote administration even if it has been
specifically disabled in the product (The administration will
be available via a different port than the normal
administration port).
Details
Vulnerable systems:
Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31)
Immune systems:
Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41
/ BEFSRU31)
After flashing the Linksys Cable/DSL with the new firmware
(Version 1.42.7 that was released on May 1 2002), a new port
will open for remote administration, TCP port 5678. This port
will open even if the "Block WAN" and
"Remote Admin" are set to disabled.
Additional information
The information has been provided by Tim Mayville
_________________________________________________________
Linksys Routers Found to be Vulnerable to SNMP Issues ==========================================================================
Jan, 14 2002 Summary Linksys DSL routers suffer from serious
information leakage problems, as well as a potential opening
to be used as a DDoS initiator. Details Vulnerable systems:
BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port
Switch) BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)
(confirmed version 2.37) Immune systems: BEFSR81 version v2.38.1
Querying the mentioned devices with the default community of
'public' causes them to set the address that queried as their
snmptrap host, dumping traffic such as the following to that
address: Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36,
enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0
= "@out 192.168.1.200 ==> 216.120.8.23[5632]." Enterprise
Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0
= "@out 192.168.1.200 ==> 216.120.8.3[5632]." Enterprise
Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0
= "@out 192.168.1.200 ==> 216.120.8.4[5632]." Enterprise
Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0
= "@out 192.168.1.200 ==> 216.120.8.5[5632]." Enterprise
Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0
= "-->[U]Send OP: ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB
9218583272 a .." Enterprise Specific Trap (1) Uptime: 2 days,
6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __: ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB."".0.."
It looks like a combination of debugging information as well
as traffic logging; many customers never use the configuration
page, let alone change the SNMP communities. To make matters
worse, Linksys refuses to distribute an MIB for the device,
which is not surprising considering the SNMP implementation
on the device is rather broken (it goes into a continuous loop).
Further, with the correct community string you could enumerate
values, determine the internal network addressing, etc, and
even add forwarding rules to access services on internal hosts.
When a change is made, the trick is to find the SNMP var that
acts as the switch to save the new config values and recycle
with the new values. Some poking and some Linksys MIBS found
on the Internet id'd/confirmed the software switch as: .1.3.6.1.4.1.3955.3.1.6.0
Integer valued ... set to '1' to save new values/recycle. Additional
information The information has been provided by Matthew S.
Hallacy and The Cyberiad. |
