Re: FlowPoint DSL router vulnerability

From: Peter Radcliffe (pir-dev-null-too-many-bugtraq-bouncesat_private)
Date: Tue Aug 10 1999 - 20:01:52 PDT

    Scott Drassinower <scottdat_private> probably said:
    > Brute force, as it is not likely you will know what the number is without
    > physical access to the router.
    
    You can find out the serial number from the firmware, so if you have
    a legitimate connection to the router you could later (with the ability
    to enable the password recovery feature) get access back.
    
    > If you were to block telnet and snmp access to the router, then you
    > probably would only have to worry about access via the console port.  I
    > think that FlowPoint's graphical admin tools use snmp, but if they don't,
    > you'll have to figure out how to block those as well.
    
    You can turn off SNMP and/or telnet or only allow either from specific
    hosts, which is explained in the CLI manual (I don't use the GUI but it
    is presumably explained there too - the manuals seem quite good about
    saying you need to set/change passwords and turn things off).
    
    > > At 12:07 PM 8/7/99 -0400, Scott Drassinower wrote:
    > > >It involves a bug that allows a password recovery feature to be utilized
    > > >from the LAN or WAN instead of just the serial console port.
    
    At least on my (fairly recent) flowpoint the password recovery feature
    is only usable after pressing a recessed button on the back of the unit
    and then only for 10 minutes.  A reasonable compromise between requiring
    physical access and not taking the router out of service, I thought.
    
    > > >Basically, throwing enough 6 digit numbers at a pre-3.0.8 router will
    > > >allow you to get access to the box to do whatever you want.  It appears as
    > > >if the problem started in 3.0.4, but I am not totally certain about that.
    
    > > So the vulnerability is essentially a brute force against telnet/snmp?
    > > Assuming you filter those out, is there another way of accessing?
    
    The 6 digit serial number for a password is only in use if you enable
    the password recovery feature (when I first found out about the
    recovery feature I tested the serial number as a password normally and
    it didn't allow access), so even if you have telnet access it isn't
    usually enabled.  Even without the firewall feature set (which costs
    more) you can decide which hosts can access telnet or SNMP.
    
    Doesn't seem like much of a vulnerability, so I'd guess there's more to it
    than that or it was only a problem on the older hardware.
    
    P.
    
    --
    pir               pirat_private      pirat_private      pirat_private
    