Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Phoenix Sistemi Security Advisory: ELSA Lancom 1100 Office Security Problems

From: Davide Del Vecchio <security () phx it>
Date: Wed, 26 Dec 2001 22:17:21 +0100
Phoenix Sistemi Security Advisory
December 26, 2001

ELSA Lancom 1100 Office Security Problems

Synopsis:
Phoenix Sistemi Security Responsable has to notice that ELSA Lancom 1100 Office suffers some leaks of security in its configuration. An attacker could steal RAS passoword, change routing tables and place a modified firmware to sniff data. 

Affected Versions:

ELSA Lancom 1100 Office (tested)
Probably all Lancom serie.

Description:
ELSA Lancom 1100 Office has to be configured by broswer on an http connection over the port 80 on the router IP. An intruder could connect with his default browser to the router ip (intranet or internet) and change the routing tables or worst steal the RAS password that is stored in a field covered with asteriscs. The passwords are in clear text and could be seen just editing the html source. It's not all, the upgrade of the firmware could be done remotely just going in its appropriate page placed in the configuration table, the intruder could upgrade a reversed firmware that will sniff data passing by the router. 

Solutions & Recommendations:
Surely changing the configuration port will be a good idea because problems of mass-scanning attacker will be solved, at least configuration page will not be so evident. An other good idea would be to give access privileges to first-time configuration just to internal ip adresses. RAS password could be stored in a file different from the html, or that part of configuration could be done with a Java Script. An easy user-side solution could be just to install a firewall with appropriate rules, so no-one out of the intranet could have access to it. 

Credits:
Davide Del Vecchio would like to thank his company Phoenix Sistemi and the CED group especially 
Bartolomeo Bufi, Gianluca Nanoia, Antonio Lapadula and Michele Tumolo.

Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. 

^^^^^^^^

Please send suggestions, updates, and comments to:

Davide Del Vecchio security () phoenixsistemi com of PhoeniX Sistemi.

http://www.phoenixsistemi.com
Previous By Date Next
Previous By Thread Next

Current thread: