what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

netopia.advisory.r9100

netopia.advisory.r9100
Posted May 17, 2000
Authored by Steve Friedl

The Netopia R9100 permits a user not authorized with a special security password to neverthless modify the SNMP community strings, including enabling SNMP access that should be disabled.

tags | exploit
SHA-256 | 3168f68634d059aaa9ea3f13c15e52e139e10b5ab83eef2a37fba5ca881c8d62

netopia.advisory.r9100

Change Mirror Download
Security Advisory: Netopia R9100 DSL router

By: Stephen Friedl (steve@unixwiz.net)
Date: 8 May 2000

Short summary:

The Netopia R9100 permits a user not authorized with a
special security password to neverthless modify the SNMP
community strings, including enabling SNMP access that should
be disabled.

Device Summary:

The Netopia R9100 is an Ethernet-to-Ethernet router intended
mainly for the DSL and cable modem markets, and it supports
NAT and various kinds of tunneling. It is managed with telnet,
HTTP, and with SNMP from either the inside or the outside
Ethernet interfaces.

Product information on this device can be found at:

http://www.netopia.com/equipment/routers/r9100/

One of the many setup screens permits the setting of SNMP
community names, both RO and RW, and setting the entries
to blanks effectively disables SNMP access. The security
setup screen (which requires a separate password from that
used during login) can be configured to restrict access to
any of the SNMP screens.

Vulnerability:

The R9100 has a command-line mode that is reached by typing
control-N after the user has passed the initial login test.
At the "#" prompt one can then do most management of the device.
This includes the setting of SNMP community strings in spite
of the limitation imposed by the administrator:

# set snmp community RO wookie
or
# set snmp community RW wookie

Impact:
Relatively low. The exploit can only be attempted by those
with existing access login to the device, and it doesn't seem
terribly common to have users allowed to manage nearly everything
except the SNMP strings.

Workaround:
Deny access to users who can't be trusted.

Versions Tested:
v4.6.2 (the latest) is the only version tested. Older
versions probably vulnerable also.
Other similar Netopia products possibly vulnerable also

Response from Netopia:

The new behavior will be when SNMP access is disabled in the
Security screen, and an attempt is made to configure the SNMP
read-write string via the Command Line and Telnet, the user
will get an error: -400 Access Denied.

This fix will be in the next release of firmware, version 4.7
(approx. end of May)

Steve

---
Stephen J Friedl|Software Consultant|Tustin, CA| +1 714 544-6561
3B2-kind-of-guy |I speak for me only| KA8CMY |steve@unixwiz.net
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close