Eircom D1000 router password sent to client

  • 02-12-2014 12:06pm
    #1
    Registered Users, Registered Users 2 Posts: 990 ✭✭✭


    See this other thread on the Eircom forum, that I created (if I am allowed to do that): http://www.boards.ie/ttfthread/2057337389

    Your opinions on this?


Comments

  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    So people's admin passwords are accessible and viewable by anyone with access to 192.168.1.254, which, by default, you expose to the outside internet.

    What do you mean by this? 192.168 is an internal only address space (Not exposed to outside internet). Or is there a corresponding external IP to the login page?


  • Registered Users, Registered Users 2 Posts: 10,339 ✭✭✭✭LoLth


    wait wha? 192.168.1.254 is accessible from the WAN side of an eircom router?

    how?

    It's still an issue mind, if you have a guest and they join your wireless network (or they somehow manage to join without you noticing) then they have LAN access and can see that page, in which case they can then view source and edit your router settings to their heart's desire. (Assuming of course that page isn't in a password protected section of the router config section).

    As for danger, it would be fairly straightforward to write a script to scrape that info from a LAN accessible resource so, virus/malware drive by from a browser is not beyond the realms of possibility.


  • Registered Users, Registered Users 2 Posts: 990 ✭✭✭rat_race


    timmywex wrote: »
    What do you mean by this? 192.168 is an internal only address space (Not exposed to outside internet). Or is there a corresponding external IP to the login page?

    It's still a big deal either way. A business could have 50 people on their internal network, visitors plugging into the network, etc. Anyone could get access to the router.

    And yeah, you can access the login page from the external IP. These are usually left exposed by default so that Eircom employees can easily log in to routers if there are issues. At least they do that with Fibre, that I'm sure of. Try browsing to your IP address, for example.

    I haven't actually tested external access via the D1000 as we are waiting on the actual DSL connection to be set up.

    I am absolutely shocked. When it comes to security, this is beyond incompetence. You do not send the password to the client when they load the page, there is no excuse for it.


  • Registered Users, Registered Users 2 Posts: 3,323 ✭✭✭davo2001


    rat_race wrote: »
    It's still a big deal either way. A business could have 50 people on their internal network, visitors plugging into the network, etc. Anyone could get access to the router.

    And yeah, you can access the login page from the external IP. These are usually left exposed by default so that Eircom employees can easily log in to routers if there are issues. At least they do that with Fibre, that I'm sure of. Try browsing to your IP address, for example.

    I haven't actually tested external access via the D1000 as we are waiting on the actual DSL connection to be set up.

    I am absolutely shocked. When it comes to security, this is beyond incompetence. You do not send the password to the client when they load the page, there is no excuse for it.

    Would you really use this router in a business environment though?


  • Registered Users, Registered Users 2 Posts: 990 ✭✭✭rat_race


    davo2001 wrote: »
    Would you really use this router in a business environment though?

    Irrelevant...let's stick to the security issue.


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    rat_race wrote: »
    It's still a big deal either way. A business could have 50 people on their internal network, visitors plugging into the network, etc. Anyone could get access to the router.

    And yeah, you can access the login page from the external IP. These are usually left exposed by default so that Eircom employees can easily log in to routers if there are issues.

    I am absolutely shocked. When it comes to security, this is beyond incompetence. You do not send the password to the client when they load the page.

    Definitely an issue - it's still a password exposure, another hint: Don't use a good password at all as it's floating around in cleartext clearly :-)

    Wonder if it's a fault on eircom or Zyxel or whoever the manufacturer is :confused:


  • Registered Users, Registered Users 2 Posts: 990 ✭✭✭rat_race


    timmywex wrote: »
    Definitely an issue - it's still a password exposure, another hint: Don't use a good password at all as it's floating around in cleartext clearly :-)

    Wonder if it's a fault on eircom or Zyxel or whoever the manufacturer is :confused:

    Eircom, it's customized code. Even if it was the manufacturer, the ISP should have some basic security standards and tests.


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    rat_race wrote: »
    Try browsing to your IP address, for example.

    Correct (from the LAN/WLAN) - the D1000 will by default respond to a request to access your external ip address by resolving to the D1000 login page, but this doesn't resolve when connecting from outside, so at least that limits the exposure to an internal threat.

    I don't like the D1000. I had a beautiful non wifi enabled netopia cayman something or other (years old and was working fine), and recently due to an unrelated issue I was 'upgraded' to this newer model and they took my netopia away :mad: (I wasn't there at the time) I've been through two of them (D1000s) thus far. Bummer. Goddammit I want my netopia back [at least ignorance was bliss :D]


  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    This is more or less as the OP is suggesting - plain text transmission of the admin password to the login page itself, so if someone is on the network - assume them to have the admin password. In fact it appears that you can't stop them from having it. Not much good if you are trying to block the young lad's ipod.

    I thought maybe with a change of the default password it would hide it, but nope it just puts the current password in the clear along with the var random_passwd which I'm guessing is the original factory set default - nice of them that.

    Mind you if someone has physical access to where the router is - they can just do a hard reset of it and use the handy code on the bottom of the router to slurp themselves in (albeit destroying any custom configuration so maybe you'd cop it).

    In the configuration of the router there is a setting when you go to reset the admin password "Enable Local admin login" which I've no idea what it does or perhaps that's what it doesn't do if you clear it. The manual says "Select this to enable local administrator login." and by default it's checked. What if I uncheck it? What will it do? Maybe it's not related at all. I dunno. I know, I know, click it and see :O

    Um..... you best trust who you let into your house. With that in mind (assuming you are trusting your family, significant other, house mates, etc..) it is completely inappropriate to run this abomination of a router as an open access thing (might be inappropriate to do this anyhow but maybe there's a use case somewhere).
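    Editor's added example, not code from the thread or from Eircom/Zyxel. LoLth's point above that "it would be fairly straightforward to write a script to scrape that info from a LAN accessible resource", and AnCatDubh's finding that the login page puts the current password in the clear alongside a `var random_passwd`, both come down to the same check: fetch the login page without authenticating and look for credential-like literals in it. The script below does that against a constructed sample page. Only the variable name `random_passwd` is taken from the thread; `admin_passwd`, `cur_pwd`, the form layout and all values are assumptions made up for illustration, as is the `/login.cgi` path. The same scan can be pointed at a real device with `scan_url("http://192.168.1.254/")` from the LAN to confirm (or rule out) the leak on your own unit.

```python
import html
import re
import urllib.request

# Constructed sample of a router login page that embeds credentials in the
# HTML it serves. Only `random_passwd` is named in the thread; the other
# identifiers, the form and every value here are invented for this example.
SAMPLE_LOGIN_PAGE = """<html><head><title>Router Login</title>
<script type="text/javascript">
var lang = "en";
var random_passwd = "Abc123xyz";
var admin_passwd = "MyRouterPass!";
function doLogin() {
  if (document.forms[0].password.value == admin_passwd) { window.location = "/home.html"; }
}
</script></head>
<body>
<form method="post" action="/login.cgi">
<input type="hidden" name="session_key" value="deadbeef">
<input type="hidden" name="cur_pwd" value="Abc123xyz">
<input type="password" name="password">
</form></body></html>
"""

# Identifier fragments that usually mean "this holds a credential".
SECRET_NAME = re.compile(r"pass(?:wd|word)|pwd|secret", re.I)
# `var name = "literal"` assignments in inline JavaScript.
JS_VAR = re.compile(r"""\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*(["'])([^"'\n]*)\2""")
# <input ...> tags and their key="value" attributes.
INPUT_TAG = re.compile(r"<input\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(["'])([^"']*)\2""")


def find_leaked_secrets(page):
    """Return [(name, value)] for every credential-looking literal in the page.

    Covers the two places a careless login page puts the current password:
    inline JS variables that a client-side check compares against, and
    hidden form fields that get posted back with the login.
    """
    leaks = []
    for name, _quote, value in JS_VAR.findall(page):
        if SECRET_NAME.search(name):
            leaks.append((name, html.unescape(value)))
    for tag in INPUT_TAG.findall(page):
        attrs = {k.lower(): html.unescape(v) for k, _q, v in ATTR.findall(tag)}
        if attrs.get("type", "").lower() == "hidden" and SECRET_NAME.search(attrs.get("name", "")):
            leaks.append((attrs["name"], attrs.get("value", "")))
    return leaks


def scan_url(url, timeout=5.0):
    """Fetch a live login page with an unauthenticated GET and scan it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        page = resp.read().decode("utf-8", "replace")
    return find_leaked_secrets(page)


if __name__ == "__main__":
    for name, value in find_leaked_secrets(SAMPLE_LOGIN_PAGE):
        print(f"leaked {name} = {value!r}")
```

    Anything this returns is readable by every host on the LAN or WLAN before any login happens, which is AnCatDubh's "assume them to have the admin password"; the fix has to come from the firmware (the page must never receive the stored password, and the comparison has to happen on the router), since nothing the user configures can take the literal out of the served HTML.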


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    AnCatDubh wrote: »

    Um..... you best trust who you let into your house. With that in mind (assuming you are trusting your family, significant other, house mates, etc..) it is completely inappropriate to run this abomination of a router as an open access thing (might be inappropriate to do this anyhow but maybe there's a use case somewhere).

    Or your neighbours or anyone nearby that manages to connect to your wifi :-) Either via being open or ****ty WEP used


  • Moderators, Technology & Internet Moderators Posts: 4,621 Mod ✭✭✭✭Mr. G


    You could try to see if you can lock down the web admin to a specific IP address, on a specific port on HTTPS for now and turn off remote administration.

    It worries me about what else is vulnerable in the router and if this is how Eircom treat their own internal systems they have inside their own organisation....


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    rat_race wrote: »
    See this other thread on the Eircom forum, that I created (if I am allowed to do that): http://www.boards.ie/ttfthread/2057337389

    Your opinions on this?

    Shodan cannot find any mention of "Zyxel"+"D-1000", "Eircom"+"D1000", nor various other permutations.

    From what I can see, remote management is turned off by default. Someone with the wherewithal to turn it on, should have the wherewithal to change the password.


    Under "Ways to manage your device" it says:

    • Web Configurator. This is recommended for everyday management of the Device using a (supported) web browser.
    • Command Line Interface. Line commands are mostly used for troubleshooting by service engineers.
    • TR-069. This is an auto-configuration server used to remotely configure your device.

    I'd be more concerned about TR-069 to be honest.
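    Editor's added example, not code from the thread. Whether the D1000 actually answers from the WAN (rat_race assumed it does, AnCatDubh found the public IP only resolves to the login page from inside, syklops reads remote management as off by default and worries about TR-069) is something each owner can settle by probing their own public address. The script below checks a short list of management ports and grabs the HTML title from any that answer HTTP. The port list is an assumption: 80/443 for the web configurator, 23 for the CLI, and 7547/tcp, the registered port for TR-069 (CWMP) connection requests. The bundled `_DemoLoginPage` server exists only so the code can be run offline; it stands in for a router.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed management listeners worth checking on a router's public address.
# 7547/tcp is the registered TR-069 (CWMP) connection-request port; the
# others are the usual web configurator and CLI ports.
MANAGEMENT_PORTS = {80: "http admin", 443: "https admin", 23: "telnet", 7547: "tr-069/cwmp"}


def probe(host, ports, timeout=2.0):
    """Return {port: label} for each port that accepts a TCP connection."""
    reachable = {}
    for port, label in ports.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable[port] = label
        except OSError:
            continue
    return reachable


def http_title(host, port, timeout=2.0):
    """GET / over plain HTTP and return the page <title>, or None if no title came back."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks, total = [], 0
            while total < 65536:  # cap what we read; a title is in the first few KB
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                total += len(data)
    except OSError:
        return None
    body = b"".join(chunks).decode("utf-8", "replace")
    match = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    return match.group(1).strip() if match else None


def check_exposure(host, ports=MANAGEMENT_PORTS, timeout=2.0):
    """List (port, label, title) for every reachable management port."""
    findings = []
    for port, label in probe(host, ports, timeout).items():
        title = http_title(host, port, timeout) if port != 23 else None
        findings.append((port, label, title))
    return findings


class _DemoLoginPage(BaseHTTPRequestHandler):
    """Stand-in for a router login page; exists only so the example runs offline."""

    def do_GET(self):
        body = b"<html><head><title>Demo Router Login</title></head><body></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):
        pass


_demo_port = None


def start_demo_server():
    """Serve the stand-in page on 127.0.0.1 (once) and return its port."""
    global _demo_port
    if _demo_port is None:
        server = HTTPServer(("127.0.0.1", 0), _DemoLoginPage)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        _demo_port = server.server_address[1]
    return _demo_port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    ports = dict(MANAGEMENT_PORTS)
    if target == "127.0.0.1":
        ports[start_demo_server()] = "demo login page"
    for port, label, title in check_exposure(target, ports):
        print(f"{target}:{port} ({label}) reachable" + (f", title={title!r}" if title else ""))
```

    Run it as `python3 probe.py <your public IP>` from a host that is genuinely outside the LAN (a phone on mobile data, a VPS). Running it from inside tells you nothing, for exactly the reason AnCatDubh gives: the D1000 answers requests to its own WAN address from the LAN, so the login page shows up even when no remote management is on. A reachable 7547 is the TR-069 listener syklops is worried about; it is normally meant for the ISP's auto-configuration server rather than for you, so an answer there is worth asking Eircom about rather than something you can switch off in the web configurator.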

