Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Device (Router/Bridge/Hub)  >   Lancom 1100 Office Vendors:   ELSA AG
ELSA Lancom Router Discloses the Administrator Password to Remote Users, Allowing Them to Change the Router's Configuration and Upload Modified Firmware
SecurityTracker Alert ID:  1003065
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 27 2001
Impact:   Disclosure of authentication information, Modification of authentication information, Modification of system information
Exploit Included:  Yes  
Version(s): ELSA Lancom 1100 Office (tested); other Lancom routers may also be affected
Description:   Phoenix Sistemi issued a security advisory warning of an information disclosure and access control vulnerability in the ELSA Lancom 1100 Office access router. A remote user can obtain the administrator password, change routing tables, and upload modified firmware.

It is reported that the default configuration allows a remote user to connect to the router via port 80 with a web browser and obtain the remote access password, which is apparently stored in clear text. The remote user can also change the router's configuration and can remotely upgrade the firmware.

Impact:   A remote user can obtain the administrator password, change routing tables, and upload modified firmware.
Solution:   No solution was available at the time of this entry.

The author of the report has provided the following recommendations:

- Change the configuration port.
- Give access privileges during initial configuration to only internal ip addresses.
- Install a firewall with appropriate rules.

Vendor URL: (Links to External Site)
Cause:   Access control error, Configuration error

Message History:   None.

 Source Message Contents

Subject:  Phoenix Sistemi Security Advisory: ELSA Lancom 1100 Office

Phoenix Sistemi Security Advisory
December 26, 2001

ELSA Lancom 1100 Office Security Problems


Phoenix Sistemi Security Responsable has to notice that ELSA Lancom 1100 
Office suffers some leaks of security in its configuration. An attacker 
could steal RAS passoword, change routing tables and place a modified 
firmware to sniff data.

Affected Versions:

ELSA Lancom 1100 Office (tested)
Probably all Lancom serie.


ELSA Lancom 1100 Office has to be configured by broswer on an http 
connection over the port 80 on the router IP. An intruder could connect 
with his default browser to the router ip (intranet or internet) and change 
the routing tables or worst steal the RAS password that is stored in a 
field covered with asteriscs. The passwords are in clear text and could be 
seen just editing the html source.
It's not all, the upgrade of the firmware could be done remotely just going 
in its appropriate page placed in the configuration table, the intruder 
could upgrade a reversed firmware that will sniff data passing by the router.

Solutions & Recommendations:

Surely changing the configuration port will be a good idea because problems 
of mass-scanning attacker will be solved, at least configuration page will 
not be so evident.
An other good idea would be to give access privileges to first-time 
configuration just to internal ip adresses. RAS password could be stored in 
a file different from the html, or that part of configuration could be done 
with a Java Script.
An easy user-side solution could be just to install a firewall with 
appropriate rules, so no-one out of the intranet could have access to it.


Davide Del Vecchio would like to thank his company Phoenix Sistemi and the 
CED group especially
Bartolomeo Bufi, Gianluca Nanoia, Antonio Lapadula and Michele Tumolo.


The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties with regard to this information. In no event shall the author 
be liable for any damages whatsoever arising out of or in connection with 
the use or spread of this information. Any use of this information is at 
the user's own risk.


Please send suggestions, updates, and comments to:

Davide Del Vecchio of PhoeniX Sistemi.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC