Arhont Information Security
01/04/03, 09:35
Arhont Ltd - Information Security Company
Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
Advisory: D-Link DSL Broadband Modem/Router
Router Model Name: D-Link DSL-300G/DSL-300G+
Model Specific: Other models might be vulnerable as well
Manufacturer site: http://www.dlink.com
Manufacturer contact (UK): Tel: 0800 9175063 / 0845
0800288
Contact Date: 06/03/2003
DETAILS:
While performing a general security testing of a
network, we have found several security vulnerability
issues with the D-Link DSL Broadband Modems models:
DSL-300G and DSL-300G+. This issue is similar to the
one found in D-link DSL-500 modem/router
(http://www.securityfocus.com/archive/1/316489/2003-03-27/2003-04-02/0).
Issue 1:
The default router installation enables SNMP (Simple
Network Management Protocol) server with default
community names for read and read/write access. The
models DSL-300G and DSL-300G+ only allow SNMP access
from the LAN (Local Area Network) side.
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c
public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
ANNEXA (Oct 18 2002) R2.05.b4t9uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
sysUpTime.0 = Timeticks: (27941701) 3 days, 5:36:57.01
....
....
The community name: public
allows read access to the mentioned devices, allowing
enumeration and gathering of sensitive network
information.
The community name: private
allows read/write access to devices, thus allowing
change of the network settings of the broadband modem.
Impact: This vulnerability allows local malicious
attackers to retrieve and change network settings of
the modem.
Risk Factor: Medium/High
Possible Solutions:
1. Firewall UDP port 161 from LAN/WAN sides, as it is
not possible to disable SNMP service from the web
management interface.
2. You can change or disable snmp default settings by
connecting to the modem/router using telnet with
password string: "private". (This solution has been
pointed out by Snowy Maslov <Snowy.Maslov@fujitsu.com.au>)
Issue2:
Default remote administration access password via
telnet can not be changed during the setup via web
interface. Even after configuring the modem in web
interface and changing default password, malicious
attackers can access the unit with telnet and default
administrator password "private".
Fisk Factor: Medium/High
Possible Solutions: Manually change the default
password via telnet and reboot the modem.
Issue 3:
The ISP account information including login name and
password is stored on the modem without encryption, It
is therefore possible to retrieve this information with
simple SNMP gathering utility such as snmpwalk:
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c
public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
ANNEXA (Oct 18 2002) R2.05.b4t9uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
....
....
....
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
....
....
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
....
....
....
Impact: This vulnerability allows LAN malicious
attackers to retrieve confidential information.
Risk Factor: Very High
Possible Solutions: As a temporary solution you should
firewall UDP port 161 from LAN sides, as it is not
possible to disable SNMP service from the web
management interface.
According to the Arhont Ltd. policy, all of the found
vulnerabilities and security issues will be reported to
the manufacturer 7 days before releasing them to the
public domains (such as CERT and BUGTRAQ), unless
specifically requested by the manufacturer.
If you would like to get more information about this
issue, please do not hesitate to contact Arhont team.
Kind Regards,
Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0xFF67A4F4
Arhont Advisory by: Andrei Mikhailovsky (www.arhont.com)
Advisory: D-Link DSL Broadband Modem/Router
Router Model Name: D-Link DSL-300G/DSL-300G+
Model Specific: Other models might be vulnerable as well
Manufacturer site: http://www.dlink.com
Manufacturer contact (UK): Tel: 0800 9175063 / 0845
0800288
Contact Date: 06/03/2003
DETAILS:
While performing a general security testing of a
network, we have found several security vulnerability
issues with the D-Link DSL Broadband Modems models:
DSL-300G and DSL-300G+. This issue is similar to the
one found in D-link DSL-500 modem/router
(http://www.securityfocus.com/archive/1/316489/2003-03-27/2003-04-02/0).
Issue 1:
The default router installation enables SNMP (Simple
Network Management Protocol) server with default
community names for read and read/write access. The
models DSL-300G and DSL-300G+ only allow SNMP access
from the LAN (Local Area Network) side.
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c
public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
ANNEXA (Oct 18 2002) R2.05.b4t9uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
sysUpTime.0 = Timeticks: (27941701) 3 days, 5:36:57.01
....
....
The community name: public
allows read access to the mentioned devices, allowing
enumeration and gathering of sensitive network
information.
The community name: private
allows read/write access to devices, thus allowing
change of the network settings of the broadband modem.
Impact: This vulnerability allows local malicious
attackers to retrieve and change network settings of
the modem.
Risk Factor: Medium/High
Possible Solutions:
1. Firewall UDP port 161 from LAN/WAN sides, as it is
not possible to disable SNMP service from the web
management interface.
2. You can change or disable snmp default settings by
connecting to the modem/router using telnet with
password string: "private". (This solution has been
pointed out by Snowy Maslov <Snowy.Maslov@fujitsu.com.au>)
Issue2:
Default remote administration access password via
telnet can not be changed during the setup via web
interface. Even after configuring the modem in web
interface and changing default password, malicious
attackers can access the unit with telnet and default
administrator password "private".
Fisk Factor: Medium/High
Possible Solutions: Manually change the default
password via telnet and reboot the modem.
Issue 3:
The ISP account information including login name and
password is stored on the modem without encryption, It
is therefore possible to retrieve this information with
simple SNMP gathering utility such as snmpwalk:
andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c
public 192.168.0.1 -v 1
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30
ANNEXA (Oct 18 2002) R2.05.b4t9uk
Copyright (c) 2000 Dlink Corp.
sysObjectID.0 = OID: enterprises.171.10.30.1
....
....
....
transmission.23.2.3.1.5.2.1 = STRING:
"username@dsl-provider"
....
....
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
....
....
....
Impact: This vulnerability allows LAN malicious
attackers to retrieve confidential information.
Risk Factor: Very High
Possible Solutions: As a temporary solution you should
firewall UDP port 161 from LAN sides, as it is not
possible to disable SNMP service from the web
management interface.
According to the Arhont Ltd. policy, all of the found
vulnerabilities and security issues will be reported to
the manufacturer 7 days before releasing them to the
public domains (such as CERT and BUGTRAQ), unless
specifically requested by the manufacturer.
If you would like to get more information about this
issue, please do not hesitate to contact Arhont team.
Kind Regards,
Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0xFF67A4F4