Re: Asus AAM6000EV ADSL Router Wide Open

Hi all.

I can confirm this behaviour for the following product:
Asus AAM 6330BI, firmware version 71238a11

This device is, for example, delivered by the German DSL provider NetCologne.

cw wrote:
> If the inbuilt webserver is activated, anyone on the local network
> can get the full user/pass list from the router without any
> identification whatsoever by going to the IP address of the router
> and appending /userdata. Example: say the IP address is 192.168.0.1,
> go to:
>
> http://192.168.0.1/userdata

The format of the data that gets displayed there is: <username>.<password>.<service class>.<status>.

The same data can be accessed by telnetting to the device and choosing the menu-path "System Maintenance / User Maintenance / List User" (6/5/4).

> Telnet to the router, enter the user mode console and then type
> "flashfs"
> Type ls to see all configuration files accessible through this flaw.

In order to reach the command prompt where you can enter this command (amongst others) you have to choose option "9. Exit User Mode Console" from the main menu. "help" lists all available commands.

As mentioned by the original poster, use:
192.168.1.1> flashfs
192.168.1.1 flashfs> ls



Another password disclosure: in the above-mentioned device there is a file "snmpinit". If it is accessed by the browser (for example with http://192.168.1.1/snmpinit ) the read and write community strings of the device's SNMP interface will be shown. The content of every file can also be accessed with "cat", for example:

192.168.1.1 flashfs> cat snmpinit

With my own device, the data disclosed is of the following format:

access read <read community string>
access write <write community string>



It would be interesting to learn if it is possible for someone to use the HTTP-method "PUT" in order to change the content of the file "userdata" without having to know its content. I'm not brave enough to test it since I'm in need of a working DSL modem :)

Bye, Mike
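
An added example, not part of the original post: a small audit of a saved copy of your own device's "snmpinit" file in the "access read/write <community string>" format described above. The function names, the list of well-known strings, the minimum length and the sample input are assumptions made for illustration.

```python
import re

# Assumption: strings commonly shipped as defaults; extend for your environment.
WELL_KNOWN = {"public", "private", "admin", "snmp", "community"}
LINE_RE = re.compile(r"^\s*access\s+(read|write)\s+(\S+)\s*$")


def parse_snmpinit(text):
    """Return {'read': [...], 'write': [...]} from 'access <mode> <community>' lines."""
    found = {"read": [], "write": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)].append(m.group(2))
    return found


def audit_snmpinit(text, min_len=12):
    """List findings for a saved snmpinit file; community values are never echoed."""
    comm = parse_snmpinit(text)
    findings = []
    for mode in ("read", "write"):
        for value in comm[mode]:
            if value.lower() in WELL_KNOWN:
                findings.append(f"{mode}: well-known community string")
            elif len(value) < min_len:
                findings.append(f"{mode}: community shorter than {min_len} chars")
    if comm["write"]:
        findings.append("write: SNMP write access is configured")
    if set(comm["read"]) & set(comm["write"]):
        findings.append("read/write: same community used for both")
    return findings


# Constructed sample input, not taken from any real device.
SAMPLE = "access read public\naccess write public\n"

if __name__ == "__main__":
    for finding in audit_snmpinit(SAMPLE):
        print(finding)
```

A clean result only says the strings themselves are not weak; while the file is readable over HTTP as described above, any community string in it should be treated as disclosed.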

