Arhont Ltd - Information Security Company

Arhont Advisory by:         Andrei Mikhailovsky (www.arhont.com)
Advisory:                   D-Link DSL Broadband Modem/Router
Router Model Name:          D-Link DSL-300G/DSL-300G+
Model Specific:             Other models might be vulnerable as well
Manufacturer site:          http://www.dlink.com
Manufacturer contact (UK):  Tel: 0800 9175063 / 0845 0800288
Contact Date:               06/03/2003

DETAILS:

While performing general security testing of a network, we found several security vulnerabilities in the D-Link DSL broadband modem models DSL-300G and DSL-300G+. This issue is similar to the one found in the D-Link DSL-500 modem/router (http://www.securityfocus.com/archive/1/316489/2003-03-27/2003-04-02/0).

Issue 1:

The default router installation enables an SNMP (Simple Network Management Protocol) server with default community names for read and read/write access. The DSL-300G and DSL-300G+ models only allow SNMP access from the LAN (Local Area Network) side.

    andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30 ANNEXA (Oct 18 2002) R2.05.b4t9uk Copyright (c) 2000 Dlink Corp.
    sysObjectID.0 = OID: enterprises.171.10.30.1
    sysUpTime.0 = Timeticks: (27941701) 3 days, 5:36:57.01
    ...
    ...

The community name "public" allows read access to the mentioned devices, allowing enumeration and gathering of sensitive network information. The community name "private" allows read/write access to the devices, thus allowing the network settings of the broadband modem to be changed.

Impact: This vulnerability allows local malicious attackers to retrieve and change network settings of the modem.

Risk Factor: Medium/High

Possible Solutions:

1. Firewall UDP port 161 from the LAN/WAN sides, as it is not possible to disable the SNMP service from the web management interface.
2. You can change or disable the SNMP default settings by connecting to the modem/router using telnet with the password string "private".
   (This solution was pointed out by Snowy Maslov <Snowy.Maslov@fujitsu.com.au>)

Issue 2:

The default password for remote administration access via telnet cannot be changed during setup via the web interface. Even after the modem has been configured in the web interface and the default password changed there, malicious attackers can access the unit with telnet and the default administrator password "private".

Risk Factor: Medium/High

Possible Solutions: Manually change the default password via telnet and reboot the modem.

Issue 3:

The ISP account information, including login name and password, is stored on the modem without encryption. It is therefore possible to retrieve this information with a simple SNMP gathering utility such as snmpwalk:

    andrei@whale:~/bugtraq/DSL-modems$ snmpwalk -Os -c public 192.168.0.1 -v 1
    sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30 ANNEXA (Oct 18 2002) R2.05.b4t9uk Copyright (c) 2000 Dlink Corp.
    sysObjectID.0 = OID: enterprises.171.10.30.1
    ...
    ...
    ...
    transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
    ...
    ...
    transmission.23.2.3.1.6.2.1 = STRING: "password-string"
    ...
    ...
    ...

Impact: This vulnerability allows malicious attackers on the LAN to retrieve confidential information.

Risk Factor: Very High

Possible Solutions: As a temporary solution you should firewall UDP port 161 from the LAN side, as it is not possible to disable the SNMP service from the web management interface.

According to the Arhont Ltd. policy, all of the found vulnerabilities and security issues will be reported to the manufacturer 7 days before releasing them to the public domains (such as CERT and BUGTRAQ), unless specifically requested by the manufacturer.

If you would like to get more information about this issue, please do not hesitate to contact the Arhont team.

Kind Regards,

Andrei Mikhailovsky
Arhont Ltd
http://www.arhont.com
GnuPG Keyserver: blackhole.pca.dfn.de
GnuPG Key: 0xFF67A4F4
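
For administrators checking their own modem after applying the fixes from Issues 1 and 3, the following is an added example (not part of the original advisory) that audits saved `snmpwalk -Os` output and reports the two exposures without echoing the credentials. The function name, sample text and message wording are assumptions made for illustration; the OIDs, community names and risk labels are the advisory's.

```python
import re

# Constructed sample in `snmpwalk -Os` format, modelled on the advisory's output.
SAMPLE = """\
sysDescr.0 = STRING: D-Link DSL-300G+ version 7.1.0.30 ANNEXA (Oct 18 2002)
sysObjectID.0 = OID: enterprises.171.10.30.1
transmission.23.2.3.1.5.2.1 = STRING: "username@dsl-provider"
transmission.23.2.3.1.6.2.1 = STRING: "password-string"
"""

# Default community names and the access the advisory says they grant.
DEFAULT_COMMUNITIES = {"public": "read", "private": "read/write"}
# PPP secrets table from Issue 3; in RFC 1472 column 5 is
# pppSecuritySecretsIdentity and column 6 is pppSecuritySecretsSecret.
PPP_SECRETS = "transmission.23.2.3.1."
COLUMNS = {"5": "PPP login name", "6": "PPP password"}
LINE = re.compile(r"^(\S+) = ([\w-]+): (.*)$")


def audit_walk(text, community):
    """Return (risk, finding) tuples for saved `snmpwalk -Os` output.

    Risk labels reuse the advisory's own risk factors; values are never echoed.
    """
    findings, answered = [], False
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "..." filler, wrapped lines, error text
        answered = True
        oid, _type, value = m.groups()
        if not oid.startswith(PPP_SECRETS):
            continue
        column = oid[len(PPP_SECRETS):].split(".", 1)[0]
        value = value.strip('"')
        if column in COLUMNS and value:  # empty string means nothing is disclosed
            findings.append(("very high",
                             f"{COLUMNS[column]} readable at {oid} "
                             f"({len(value)} chars, value withheld)"))
    if answered and community in DEFAULT_COMMUNITIES:
        findings.insert(0, ("medium/high",
                            f"agent answers default community {community!r} "
                            f"({DEFAULT_COMMUNITIES[community]} access)"))
    return findings


if __name__ == "__main__":
    for risk, finding in audit_walk(SAMPLE, "public"):
        print(f"[{risk}] {finding}")
```

An empty result for a walk attempted with "public" and "private" after the change indicates that the default communities no longer answer and the PPP secrets table is no longer readable.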