[ale] Linksys 'routers', SNMP issues (fwd)
Chris Ricker
kaboom at gatech.edu
Mon Jan 7 09:53:44 EST 2002
Since a lot of people on this list seem to think these sorts of toys are a
good idea....
later,
chris
---------- Forwarded message ----------
Date: Sun, 6 Jan 2002 06:55:17 -0600
From: Matthew S. Hallacy <poptix at techmonkeys.org>
To: ale at ale.org
To: bugtraq at securityfocus.com
Subject: Linksys 'routers', SNMP issues
Howdy.
LinkSys DSL 'routers' have some serious information leakage, and potention DDoS
usage. The following models have been confirmed as having this problem:
BEFN2PS4 (EtherFast Cable/DSL Router & Voice with 4-Port Switch)
BEFSR81 (EtherFast Cable/DSL Router with 8-Port Switch)
Querying these devices with the default community of 'public' causes them to set
the address that queried as their snmptrap host, dumping traffic such as the
following to that address:
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 24.254.60.13[110]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.23[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.3[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.4[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 19:00:23.36, enterprises.3955.1.1.0 = "@out 192.168.1.200 ==> 216.120.8.5[5632]."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "-->[U]Send OP: ^ps_status_q 15049C0DFC9B03166D55EA30474D04FB 9218583272 a .."
Enterprise Specific Trap (1) Uptime: 2 days, 6:04:38.11, enterprises.3955.1.1.0 = "<--[U]Recv __: ^ps_status_r.15049C0DFC9B03166D55EA30474D04FB.\"\".0.."
It looks like a combination of debugging information as well as traffic logging,
many customers never use the configuration page, let alone change the SNMP
communities. To make the matter worse, LinkSys refuses to distribute an MIB
for the device, which is not suprising considering the SNMP implementation
on the device is rather broken (it goes into a continious loop).
LinkSys is routing all messages regarding SNMP to /dev/null
Have a nice day.
Matthew S. Hallacy
--
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list