Bugtraq mailing list archives
Re: FlowPoint DSL router vulnerability
From: chris () INTRAACTIVE COM (Chris J Burris)
Date: Wed, 11 Aug 1999 01:23:38 -0400
Verified using tcpdump, the FlowPoint configuration manager indeed does use SNMP to communicate, hence the simple solution would be to turn off SNMP [And telnet] (you shouldn't be running this if you don't need to anyway). Although it does discourage me that even after I flashed my router to v3.0.8, the login prompt [for Telnet] does not disconnect me after a certain number of retries (3, like Cisco IOS, would be a decent number).

Regards,
Chris J Burris
IntraACTIVE, Inc.
http://www.intraactive.com/
+1 202 822 3999

On Tue, 10 Aug 1999, Scott Drassinower wrote:

> Brute force, as it is not likely you will know what the number is without physical access to the router.
>
> If you were to block telnet and snmp access to the router, then you probably would only have to worry about access via the console port. I think that FlowPoint's graphical admin tools use snmp, but if they don't, you'll have to figure out how to block those as well.
>
> --
> Scott M. Drassinower scottd () cloud9 net
> Cloud 9 Consulting, Inc. White Plains, NY
> +1 914 696-4000 http://www.cloud9.net
>
> On Tue, 10 Aug 1999, Eric Budke wrote:
>
> > At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
> >
> > > It involves a bug that allows a password recovery feature to be utilized from the LAN or WAN instead of just the serial console port.
> > >
> > > Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will allow you to get access to the box to do whatever you want. It appears as if the problem started in 3.0.4, but I am not totally certain about that.
> >
> > So the vulnerability is essentially a brute force against telnet/snmp? Assuming you filter those out, is there another way of accessing?
> >
> > > --
> > > Scott M. Drassinower scottd () cloud9 net
> > > Cloud 9 Consulting, Inc. White Plains, NY
> > > +1 914 696-4000 http://www.cloud9.net
> > >
> > > On Thu, 5 Aug 1999, Matt wrote:
> > >
> > > > The following URL contains information about a firmware upgrade for FlowPoint DSL routers that fixes a possible "security compromise". FlowPoint has chosen not to release ANY information whatsoever about the vulnerability. I was curious if anyone had any more information about this vulnerability than what FlowPoint is divulging.
> > > >
> > > > http://www.flowpoint.com/support/techbulletin/sec308.htm
> > > >
> > > > thnx
> >
> > --
> > I'm not nice, I'm vicious--it's the secret of my charm.
> > -- PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt