
List:       bugtraq
Subject:    Phoenix Sistemi Security Advisory: ELSA Lancom 1100 Office
From:       Davide Del Vecchio <security () phx ! it>
Date:       2001-12-26 21:17:21

Phoenix Sistemi Security Advisory
December 26, 2001

ELSA Lancom 1100 Office Security Problems

Synopsis:

The Phoenix Sistemi Security Manager reports that the ELSA Lancom 1100 
Office has several security weaknesses in its configuration. An attacker 
could steal the RAS password, change the routing tables and install a 
modified firmware to sniff data.

Affected Versions:

ELSA Lancom 1100 Office (tested)
Probably the whole Lancom series.

Description:

The ELSA Lancom 1100 Office is configured with a browser over an HTTP 
connection to port 80 on the router's IP address. An intruder could connect 
with an ordinary browser to the router's IP (from the intranet or the 
internet) and change the routing tables or, worse, steal the RAS password, 
which is stored in a field masked with asterisks. The passwords are in 
clear text and can be seen simply by viewing the HTML source.
That is not all: the firmware can be upgraded remotely from the 
corresponding page in the configuration table, so the intruder could upload 
a reverse-engineered, modified firmware that sniffs data passing through the 
router.
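
The check below is an added example, not part of the original advisory or of any ELSA software: it audits a saved copy of a configuration page for password fields that the device sent back already filled in, which is the exposure described above. The sample page, its field names and its values are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: a configuration form shaped like the one the advisory
# describes. Field names and values are invented, not taken from the device.
SAMPLE_PAGE = """
<html><body><form method="post" action="/config">
  <input type="text" name="ras_user" value="branch-office">
  <input type="PASSWORD" name="ras_password" value="s3cret-example">
  <input type="password" name="admin_password" value="">
  <input type=password name=new_password>
  <input type="submit" value="Save">
</form></body></html>
"""

class PrefilledPasswordFinder(HTMLParser):
    """Collect password inputs whose value is present in the page source."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # Attribute names arrive lowercased; a valueless attribute is None.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        value = a.get("value", "")
        if value:
            line, _col = self.getpos()
            # Record only the length so the audit output does not repeat the secret.
            self.findings.append(
                {"name": a.get("name", "<unnamed>"), "line": line, "length": len(value)}
            )

def audit_config_page(html_text):
    """Return one finding per password field that is pre-filled in the HTML."""
    finder = PrefilledPasswordFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for f in audit_config_page(SAMPLE_PAGE):
        print(f"line {f['line']}: password field '{f['name']}' is pre-filled "
              f"({f['length']} characters in the page source)")
```

An empty result means no password field carried a value in the HTML; the asterisks a browser draws say nothing either way, because masking happens only at display time.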

Solutions & Recommendations:

Changing the configuration port would certainly be a good idea, because it 
addresses the problem of mass-scanning attackers; at the least, the 
configuration page will not be so easy to find.
Another good idea would be to grant access to first-time configuration 
only to internal IP addresses. The RAS password could be stored in a file 
separate from the HTML, or that part of the configuration could be handled 
with JavaScript.
An easy user-side solution is simply to install a firewall with 
appropriate rules, so that no one outside the intranet can reach the 
configuration interface.

Credits:

Davide Del Vecchio would like to thank his company Phoenix Sistemi and the 
CED group, especially Bartolomeo Bufi, Gianluca Nanoia, Antonio Lapadula 
and Michele Tumolo.

Disclaimer:

The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties with regard to this information. In no event shall the author 
be liable for any damages whatsoever arising out of or in connection with 
the use or spread of this information. Any use of this information is at 
the user's own risk.

^^^^^^^^

Please send suggestions, updates, and comments to:

Davide Del Vecchio security@phoenixsistemi.com of PhoeniX Sistemi.

http://www.phoenixsistemi.com
