**************************************************************************************************** CRIOLABS - Product: ADSL Barricade (SMC7204BRA) - Type: Router - Company: SMC Networks. - Firmware: Firmware v1.01 and prior **************************************************************************************************** ## Description ## The ADSL Barricade™ (SMC7204BRA) is an external Ethernet standards based ADSL modem and Router that provides high-speed Internet access to both the residential and the small and home office (SoHo) user. This new Modem/Router provides unrivaled asymmetric high-speed data transport over a single copper pair linking branch offices, home offices and individual subscribers to their network service providers, including Internet service providers. With the ADSL Barricade™, investments are protected through the support of popular DSL connection models such as PPP over Ethernet (PPPoE), PPP over ATM (PPPoA), bridging and routing. The Barricade ADSL supports two modes of operation. This modem can be configured to function as bridge to support a single computer, then as the network grows, it can be reconfigured as full featured Router to provide Internet access to multiple computers. Another benefit of using the SMC7204 BRA in router mode is that you are also protected by the built-in SPI/NAT firewall. Other features that are available in Router mode include VPN pass-through, remote access communications, and DHCP Server easy network setup. This new high-performance ADSL Gateway has an easy-to-use web-based management user interface that can be used to configure and manage your network via a local or remote computer. For added control, this modem can also be managed via the Command Line Interface (CLI), which can be initialized through a Telnet session, or through a Windows-based configuration tool. ## Vulnerabilities ## Denial of service in the web-based management user interface of ADSL Barricade (SMC7204BRA) Router. ## D.O.S ## A remote authenticated user can perform a D.O.S sending 110 characters to id variable on MainPage or MenuId variable on MenuPage in the web-based management user interface. Also the same D.O.S is possible in "Action" script. http://IP/MainPage?id= A x 110 http://IP/MenuPage?MenuId= A x 110 http://IP/Action?id= A x 110 http://IP/Action?id=58&ex_param1= A x 110 Practically all variables in "Action" script have the problem, for example: id, ex_param1, dns_server_ip_1, dns_server_ip_2, dns_server_ip_3, dns_server_ip_4.. The router crashes, and it is necessary to turn it off. More web-based management user interface of SMC routers can be vulnerables to this D.O.S. You can send a mail to us about this issue in another SMC router. contact@criolabs.net security@criolabs.net ## History ## Vendor Contacted: 26/07/2004 SMC Networks will improve these aspects of security in the next versions of firmware. Meanwhile, SMC advises to the users to do upgrade to Firmware v1.01. This version has the remote management deactivated by defect, and if the user wants to activate it, it allows him to restrict the IP directions that are authorized to connect. Firmware v1.01 : http://www.smc-europe.com/english/support/driver_manual/broad/download/7204BRA/7204BRA_FWv1.01.zip ## Credits ## Criolabs staff. http://www.criolabs.net