ELSA Lancom Router Discloses the Administrator Password to Remote Users, Allowing Them to Change the Router's Configuration and Upload Modified Firmware
SecurityTracker Alert ID: 1003065
SecurityTracker URL: http://securitytracker.com/id/1003065
Date: Dec 27 2001
Disclosure of authentication information, Modification of authentication information, Modification of system information
Exploit Included: Yes
Version(s): ELSA Lancom 1100 Office (tested); other Lancom routers may also be affected
Phoenix Sistemi issued a security advisory warning of an information disclosure and access control vulnerability in the ELSA Lancom 1100 Office access router. A remote user can obtain the administrator password, change routing tables, and upload modified firmware.
It is reported that the default configuration allows a remote user to connect to the router via port 80 with a web browser and obtain the remote access password, which is apparently stored in clear text. The remote user can also change the router's configuration and can remotely upgrade the firmware.
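The clear-text password exposure described above can be checked for on a saved copy of a device's configuration page. The following is an added example, not part of the advisory or of ELSA's code; the sample page, form action and field names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of a configuration page. The form action and field
# names are hypothetical; they are not taken from the ELSA firmware.
SAMPLE_PAGE = """
<html><body>
<form method="post" action="/config/ras">
  <input type="text" name="ras_user" value="office">
  <input type="PASSWORD" name="ras_password" value="s3cret-example">
  <input type="password" name="new_password" value="">
  <input type="password" name="confirm_password">
  <input type="submit" value="Save">
</form>
</body></html>
"""


class PrefilledPasswordAudit(HTMLParser):
    """Collect password inputs that ship a non-empty value to the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep case.
        attr = {name: (value or "") for name, value in attrs}
        if tag != "input" or attr.get("type", "").strip().lower() != "password":
            return
        value = attr.get("value", "")
        if value.strip():
            # Record the field name and length only, never the secret.
            self.findings.append(
                {"field": attr.get("name", "<unnamed>"), "value_length": len(value)}
            )


def audit_page(html):
    """Return one finding per password field pre-filled with a value."""
    parser = PrefilledPasswordAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print("password field '{field}' is served with a {value_length}-character "
              "value in the page source".format(**finding))
```

A finding means the stored secret is sent to every client that can load the page, regardless of the asterisks shown in the browser.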
A remote user can obtain the administrator password, change routing tables, and upload modified firmware.
No solution was available at the time of this entry.
The author of the report has provided the following recommendations:
- Change the configuration port.
- During initial configuration, give access privileges only to internal IP addresses.
- Install a firewall with appropriate rules.
Vendor URL: www.elsa.com/international/europe/produkte/netzwerk/lc_1100_off.htm
Access control error, Configuration error
Source Message Contents
Subject: Phoenix Sistemi Security Advisory: ELSA Lancom 1100 Office
Phoenix Sistemi Security Advisory
December 26, 2001
ELSA Lancom 1100 Office Security Problems
Phoenix Sistemi Security Responsible has to notice that ELSA Lancom 1100
Office suffers some leaks of security in its configuration. An attacker
could steal RAS password, change routing tables and place a modified
firmware to sniff data.
ELSA Lancom 1100 Office (tested)
Probably all Lancom series.
ELSA Lancom 1100 Office has to be configured by browser on an HTTP
connection over the port 80 on the router IP. An intruder could connect
with his default browser to the router IP (intranet or internet) and change
the routing tables or worse steal the RAS password that is stored in a
field covered with asterisks. The passwords are in clear text and could be
seen just editing the HTML source.
It's not all, the upgrade of the firmware could be done remotely just going
in its appropriate page placed in the configuration table, the intruder
could upgrade a reversed firmware that will sniff data passing by the router.
Solutions & Recommendations:
Surely changing the configuration port will be a good idea because problems
of mass-scanning attacker will be solved, at least configuration page will
not be so evident.
Another good idea would be to give access privileges to first-time
configuration just to internal IP addresses. RAS password could be stored in
a file different from the HTML, or that part of configuration could be done
with a JavaScript.
An easy user-side solution could be just to install a firewall with
appropriate rules, so no-one out of the intranet could have access to it.
Davide Del Vecchio would like to thank his company Phoenix Sistemi and the
CED group especially
Bartolomeo Bufi, Gianluca Nanoia, Antonio Lapadula and Michele Tumolo.
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.
Please send suggestions, updates, and comments to:
Davide Del Vecchio firstname.lastname@example.org of PhoeniX Sistemi.