Linksys Router Information (A collection)


Details 
Vulnerable systems: 
Linksys Cable/DSL version 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31) 

Immune systems: 
Linksys Cable/DSL versions prior to 1.42.7 (BEFSR11 / BEFSR41 / BEFSRU31) 

After flashing the Linksys Cable/DSL with the new firmware (Version 1.42.7, released on May 1, 2002), a new port will open for remote administration: TCP port 5678. This port will open even if "Block WAN" and "Remote Admin" are set to disabled.


Additional information 
The information has been provided by Tim Mayville

 

_________________________________________________________

Linksys Routers Found to be Vulnerable to SNMP Issues
==========================================================================
Jan, 14 2002

Summary
Linksys DSL routers suffer from serious information leakage problems, as well as a potential opening to be used as a DDoS initiator.

Details
Vulnerable systems:
BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch) (confirmed version 2.37)

Immune systems:
BEFSR81 version v2.38.1

Querying the mentioned devices with the default community of 'public' causes them to set the address that queried as their snmptrap host, dumping traffic such as the following to that address:

Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP: ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __: ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB."".0.."

It looks like a combination of debugging information as well as traffic logging; many customers never use the configuration page, let alone change the SNMP communities.

To make matters worse, Linksys refuses to distribute an MIB for the device, which is not surprising considering the SNMP implementation on the device is rather broken (it goes into a continuous loop).

Further, with the correct community string you could enumerate values, determine the internal network addressing, etc., and even add forwarding rules to access services on internal hosts. When a change is made, the trick is to find the SNMP var that acts as the switch to save the new config values and recycle with the new values. Some poking and some Linksys MIBs found on the Internet id'd/confirmed the software switch as:

.1.3.6.1.4.1.3955.3.1.6.0 Integer valued ... set to '1' to save new values/recycle.

Additional information
The information has been provided by Matthew S. Hallacy and The Cyberiad.
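
Added example (not part of the original advisory): a Python script a defender could run over a trap receiver's log to see what such a router is disclosing. It parses lines in the format quoted above and lists, per internal host, the destinations and ports exposed. The sample input is constructed from the advisory's own lines, and any direction tag other than "@out" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: three lines copied from the advisory's trap output,
# plus one unrelated line to show that non-matching input is skipped.
SAMPLE = '''\
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP: ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
unrelated line from another device
'''

# Trap variable seen in the advisory's output; greedy match keeps embedded quotes.
TRAP_RE = re.compile(r'enterprises\.3955\.1\.1\.0 = "(?P<msg>.*)"\s*$')
# Traffic-log payload "@out <src> ==> <dst>[<port>]." (only "@out" appears in
# the advisory; accepting other direction tags is an assumption).
FLOW_RE = re.compile(r'^@(?P<dir>\w+) (?P<src>[\d.]+) ==> (?P<dst>[\d.]+)\[(?P<port>\d+)\]\.$')

def parse_trap(line):
    """Return a flow or debug record for a Linksys trap line, else None."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    flow = FLOW_RE.match(msg)
    if flow:
        return {"kind": "flow", "dir": flow["dir"], "src": flow["src"],
                "dst": flow["dst"], "port": int(flow["port"])}
    return {"kind": "debug", "text": msg}

def summarize(text):
    """Map each leaked internal host to its sorted (dst, port) set; count debug traps."""
    flows = defaultdict(set)
    debug = 0
    for line in text.splitlines():
        rec = parse_trap(line)
        if rec is None:
            continue
        if rec["kind"] == "flow":
            flows[rec["src"]].add((rec["dst"], rec["port"]))
        else:
            debug += 1
    return {src: sorted(dsts) for src, dsts in flows.items()}, debug

if __name__ == "__main__":
    leaked, debug_count = summarize(SAMPLE)
    for host, dsts in leaked.items():
        print(host, "->", dsts)
    print("debug traps:", debug_count)
```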

 


Written on Saturday, 03 October 2009 20:58 by GSO
