Title: Linksys EtherFast Router Password HTML Source Revealing Vulnerability
Severity: HIGH
Description:
Linksys EtherFast routers are small four-port routers designed to optimize the use of DSL or cable connections. EtherFast routers provide advanced features such as Network Address Translation and DHCP serving.
A problem with the EtherFast routers makes it possible for a user to gain access to sensitive information. The problem is in the handling of passwords by the router.
An EtherFast router may be administered through the web interface, which is served to the administrator as part of the firmware. A design flaw in the firmware allows the retrieval of passwords through the HTML used for the administrative interface.
When the router administration page index.htm is viewed, the router reveals the ISP password within the HTML source. This may be seen by viewing the page source and looking at lines with the following structure:
<b>User Name: </b></font><input name=pppoeUName size=20
maxlength=63 value=USERS_ISP_LOGIN_HERE>
</td></tr><tr><th bgcolor=6666cc> </th>
<td> <font face=verdana size=2><b>Password:
</b></font><input type=password name=pppoePWD size=20 maxlength=63
value=USERS_ISP_PASSWORD_HERE></td>
Within the Passwd.htm file, the administrative password to the router can be found by looking for the following pattern within the HTML source:
<br>Router Password: </th><td> <br>
<input type=password name=sysPasswd size=25 maxlength=63
value=ROUTER_PASSWORD_HERE>
<font color=blue face=Arial size=2>
(Enter New Password)</td></tr> <tr><th bgcolor=6666cc align=right><font
color=white face=Arial size=2> </th> <td>
<input type=password name=sysPasswdConfirm size=25 maxlength=63
value=CONFIRM_OF_ROUTER_PASSWORD_HERE>
This information is only accessible from within the private network of the EtherFast router. The router does not communicate via a secure channel such as SSL, which also makes it possible for a user on the private network behind the router to sniff the wire using a tool such as tcpdump or Ethereal, and extract the passwords.
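A defensive check for the pattern described above, as an added example that is not part of the original advisory or of the Linksys firmware: it parses saved admin-page HTML and reports password inputs that arrive with a non-empty value attribute. The sample pages and their placeholder values are constructed for illustration, modelled on the field names quoted in this advisory.

```python
from html.parser import HTMLParser


class PrefilledPasswordFinder(HTMLParser):
    """Collect <input type=password> fields whose value attribute is non-empty."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (line, field name, value length)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {}
        for key, val in attrs:          # first occurrence wins, as in browsers
            a.setdefault(key, val or "")
        if a.get("type", "").lower() == "password" and a.get("value", "").strip():
            line, _ = self.getpos()
            # Record only the length so the report never repeats the secret.
            self.findings.append((line, a.get("name", "?"), len(a["value"])))


def audit(html):
    """Return findings for one page of HTML source (unquoted attributes are handled)."""
    parser = PrefilledPasswordFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: same structure as the index.htm / Passwd.htm fragments.
VULNERABLE_PAGE = """\
<b>User Name: </b><input name=pppoeUName size=20
maxlength=63 value=CONSTRUCTED_LOGIN>
<b>Password: </b><input type=password name=pppoePWD size=20 maxlength=63
value=CONSTRUCTED_SECRET>
<input type=password name=sysPasswd size=25 maxlength=63 value="CONSTRUCTED_ADMIN">
"""

# Constructed sample of the corrected behaviour: the stored password is never echoed.
FIXED_PAGE = """\
<input type=password name=sysPasswd size=25 maxlength=63 value="">
<input type=password name=sysPasswdConfirm size=25 maxlength=63>
"""

if __name__ == "__main__":
    for label, page in (("vulnerable", VULNERABLE_PAGE), ("fixed", FIXED_PAGE)):
        for line, name, length in audit(page):
            print(f"{label}: line {line}: '{name}' pre-filled ({length} chars)")
```

The type=password attribute only masks the field on screen; the value is still present in the response body, which is why the check looks at the served source and not the rendered page.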
Affected Products:
- Linksys EtherFast BEFSR41 Router 1.35.0
- Linksys EtherFast BEFSR41 Router 1.36.0
- Linksys EtherFast BEFSR41 Router 1.37.0
- Linksys EtherFast BEFSR41 Router 1.38.0