Re: FlowPoint DSL router vulnerability

[pir-dev-null-too-many-bugtraq-bounces () PIR NET (Peter Radcliffe)]

Scott Drassinower <scottd () CLOUD9 NET> probably said:
> Brute force, as it is not likely you will know what the number is without
> physical access to the router.

You can find out the serial number from the firmware, so if you have
a legitimate connection to the router you could later (with the ability
to enable the password recovery feature) get access back.

> If you were to block telnet and snmp access to the router, then you
> probably would only have to worry about access via the console port.  I
> think that FlowPoint's graphical admin tools use snmp, but if they don't,
> you'll have to figure out how to block those as well.

You can turn off SNMP and/or telnet or only allow either from specific
hosts, which is explained in the CLI manual (I don't use the GUI but it
is presumably explained there too - the manuals seem quite good about
saying you need to set/change passwords and turn things off).

> > At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
> > > It involves a bug that allows a password recovery feature to be utilized
> > > from the LAN or WAN instead of just the serial console port.

At least on my (fairly recent) flowpoint the password recovery feature
is only usable after pressing a recessed button on the back of the unit
and then only for 10 minutes.  A reasonable compromise between requiring
physical access and not taking the router out of service, I thought.

> > > Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
> > > allow you to get access to the box to do whatever you want.  It appears as
> > > if the problem started in 3.0.4, but I am not totally certain about that.

> > So the vulnerability is essentially a brute force against telnet/snmp?
> > Assuming you filter those out, is there another way of accessing?

The 6 digit serial number for a password is only in use if you enable
the password recovery feature (when I first found out about the
recovery feature I tested the serial number as a password normally and
it didn't allow access), so even if you have telnet access it isn't
usually enabled.  Even without the firewall feature set (which costs
more) you can decide which hosts can access telnet or SNMP.

Doesn't seem like much of a vunerability, so I'd guess theres more to it
than that or it was only a problem on the older hardware.

P.

--
pir               pir () pir net      pir () shore net      pir () net tufts edu