
Title: Netopia ISDN Router 650-ST Vulnerabilities
Released by:
Date: 15th November 2000
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



Device Specifics
================
Name:         Netopia ISDN Router 650-ST
Manufacturer: Netopia
Version:      Firmware 3.3.2
Risk:         Viewing of all system logs without login
Advisory:     2000-03



Problem
=======

The system logs (both device history and WAN history) can be read
from the telnet prompt without logging into the system.



Details
=======

The router's logs can be viewed from the telnet login screen by
pressing a certain key combination:

To access the WAN event log, type Ctrl-F at the login screen.
To access the device event log, type Ctrl-E at the login screen.

Access to these logs may expose sensitive information, such as
usernames or passwords, to an arbitrary internet user.
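
A defender-side check for the behaviour described above, added here as an example and not part of the original advisory: it strips telnet option negotiation from a captured client-to-server byte stream and reports Ctrl-E (0x05) or Ctrl-F (0x06) sent before any carriage return. Treating "no carriage return sent yet" as "still at the login screen" is an assumption, and the function names and sample captures are constructed.

```python
# Added example (not from the advisory): spot the log-view keys in a telnet capture.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATION = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT
LOG_KEYS = {0x05: "Ctrl-E (device event log)", 0x06: "Ctrl-F (WAN event log)"}


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Return only the keystrokes from a client-to-server telnet byte stream."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:
            break  # capture ends in the middle of a command
        elif data[i + 1] == IAC:
            out.append(IAC)  # IAC IAC is an escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATION:
            i += 3  # IAC <verb> <option>
        elif data[i + 1] == SB:
            j = i + 2  # skip the subnegotiation up to its closing IAC SE
            while j + 1 < n and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            i = j + 2
        else:
            i += 2  # other two-byte commands, e.g. IAC NOP
    return bytes(out)


def prelogin_log_keys(client_bytes: bytes) -> list:
    """Name the log-view keys sent before the client's first carriage return.

    Assumption: no carriage return yet means the session is still at the
    login screen, so nothing has been submitted as credentials.
    """
    keys = strip_telnet_negotiation(client_bytes)
    first_input = keys.split(b"\r", 1)[0]
    return [LOG_KEYS[b] for b in first_input if b in LOG_KEYS]


# Constructed client-to-server captures for illustration.
PROBE = bytes([IAC, 0xFB, 0x18, IAC, SB, 0x18, 0x00]) + b"VT100" + bytes([IAC, SE, 0x06, 0x05])
NORMAL = bytes([IAC, 0xFD, 0x01]) + b"admin\r\nsecret\r\n" + bytes([0x05])

if __name__ == "__main__":
    for name, capture in (("PROBE", PROBE), ("NORMAL", NORMAL)):
        print(name, prelogin_log_keys(capture) or "no pre-login log keys")
```

The heuristic misses a key pressed at a login screen that is shown again after a failed login, so a hit is a reason to review the session rather than a complete inventory.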



Fixes
=====

None available.





Workaround
==========

Do not allow telnet access to your router to untrusted hosts.





Acknowledgements
================

This vulnerability was discovered by Bok.
Further investigation by Andrew Wellington (aka proton)





Disclaimer
==========
THIS INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.
ANDREW WELLINGTON DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. IN NO EVENT SHALL ANDREW WELLINGTON BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING, BUT NOT LIMITED TO, DIRECT,
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR
SPECIAL DAMAGES, EVEN IF ANDREW WELLINGTON HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.





PGP Key
=======

PGP key is available at keyserver.net
Key ID: 0x77168373
Fingerprint:
E8C3 789F 30C3 658E 1D90  56EB 0097 3EE3 7716 8373



-----BEGIN PGP SIGNATURE-----

Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>



iQA/AwUBOf1XywCXPuN3FoNzEQLiMgCdFyrc4kxfld6EL0/bEHYJ0+fF6GgAoJl+

KZYtG//tuDj7avHoUtGNiVZ/

=jaBx

-----END PGP SIGNATURE-----







