Hi all,

I have tested this on a SMC 2404WBR (firmware 1.0.10) with the firewall disabled and I get no response from port 1900.

Regards,
Michael Curtis

----- Original Message -----
From: "user86" <user86@earthlink.net>
To: <bugtraq@securityfocus.com>
Sent: Wednesday, April 28, 2004 12:55 PM
Subject: SMC Routers have remote administration enabled by default

> Tested Model: 7008ABR (part number 750.9814 with firmware 1.032 installed)
> Confirmed by another person on: 7004VBR (version 1, firmware 1.231)
> Others may be vulnerable.
>
> SMC broadband routers ship with remote administration enabled by default on
> their port 1900 on the WAN side of the router. If you just pull one out of
> the box, plug it into your internet connection and go through the "Setup
> Wizard" then don't do anything beyond that point, port 1900 is open on the
> router and completely passwordless, allowing ANY arbitrary person to just
> visit http://1.2.3.4:1900/ where "1.2.3.4" is the router's external IP
> address and hit "Login" and have full control of the router. This may allow
> an arbitrary person to expose the very machines being protected by the
> router.
>
> Steps to reproduce:
> 1. Reset the router to factory defaults, either by logging onto its remote
> administration page at http://192.168.2.1/ and clicking "Advanced Setup" then
> "Tools" then "Configuration Tools" then choose "Restore barricade to factory
> defaults" and click "Next." Or by holding down the router's reset button
> with a paper clip for 30 seconds.
>
> 2. After the router has been reset to factory defaults, visit its
> administration page at http://192.168.2.1/
>
> 3. Click "login"
>
> 4. Click "Setup Wizard" then "Next"
>
> 5. Choose the appropriate connection type you have.
>
> 6. When it is "connected" and you can web browse on the internet just fine
> behind it, go back to the router's administration page at http://192.168.2.1/
>
> 7. Click "Advanced Setup" then "Status" and write down the router's WAN IP
> address. (for example 1.2.3.4)
>
> 8. Now using a computer that has a different external IP address (another
> machine on the internet), visit the router's port 1900 in your web browser
> http://1.2.3.4:1900/
>
> You are then greeted with a login prompt. Click "Login" and you have full
> control of the router remotely. While you are there, click "Advanced Setup"
> and then "System" then "Remote Management" and you can verify "Remote
> Management" is supposedly disabled yet somehow you are *remotely* managing
> the device.
>
>
> There are two workarounds:
> 1. Enable the router's firewall in its "Advanced Setup"
>
> 2. Forward port 1900 of the router to a non-existent internal IP address
> (such as 192.168.2.248 if it isn't in use).