List: bugtraq
Subject: Phoenix Sistemi Security Advisory: ELSA Lancom 1100 Office
From: Davide Del Vecchio <security () phx ! it>
Date: 2001-12-26 21:17:21
Phoenix Sistemi Security Advisory
December 26, 2001
ELSA Lancom 1100 Office Security Problems
Synopsis:
The Phoenix Sistemi security officer reports that the ELSA Lancom 1100
Office suffers from several security weaknesses in its configuration. An
attacker could steal the RAS password, change the routing tables and
install a modified firmware to sniff data.
Affected Versions:
ELSA Lancom 1100 Office (tested)
Probably the whole Lancom series.
Description:
The ELSA Lancom 1100 Office is configured with a browser over an HTTP
connection to port 80 on the router's IP address. An intruder could connect
with a standard browser to the router's IP address (from the intranet or
the Internet) and change the routing tables or, worse, steal the RAS
password, which is stored in a field masked with asterisks. The passwords
are in clear text and can be seen simply by opening the HTML source.
That is not all: the firmware can be upgraded remotely from the
corresponding page in the configuration table, so the intruder could upload
a reverse-engineered firmware that sniffs data passing through the router.
Solutions & Recommendations:
Changing the configuration port would certainly be a good idea, because it
addresses the problem of mass-scanning attackers; at the least, the
configuration page will not be so evident.
Another good idea would be to restrict access to first-time configuration
to internal IP addresses. The RAS password could be stored in a file
separate from the HTML, or that part of the configuration could be done
with JavaScript.
An easy user-side solution is to install a firewall with appropriate
rules, so that no one outside the intranet can reach the configuration
interface.
Credits:
Davide Del Vecchio would like to thank his company Phoenix Sistemi and the
CED group, especially Bartolomeo Bufi, Gianluca Nanoia, Antonio Lapadula
and Michele Tumolo.
Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.
^^^^^^^^
Please send suggestions, updates, and comments to:
Davide Del Vecchio security@phoenixsistemi.com of PhoeniX Sistemi.
http://www.phoenixsistemi.com