• A remote denial of service vulnerability affects the 3Com OfficeConnect ADSL Wireless 11g Firewall Router. This issue is due to a failure of the application to handle anomalous network traffic. The problem is reported to present itself when copious amounts of anomalous UDP traffic are targeted at the router. Apparently the router fails to handle the network traffic and crashes. Further information is not available.

• 3Com 3CRADSL72 is reported prone to an information disclosure, and an authentication bypass vulnerability. This issue can allow a remote attacker to disclose sensitive information such as the router name, primary and secondary DNS servers, default gateway. Attackers could also reportedly gain administrative access to the router.If successful, these vulnerabilities can be used to the launch of other attacks against the device and other users on the vulnerable network.
• Exploit: Open using a browser the URL http://device/app_sta.stm

• Acrowave AAP-3100AR routers are susceptible to an authentication bypass vulnerability. This vulnerability allows remote attackers to gain administrative access to affected devices. Due to code reuse, it is likely that other devices are also vulnerable to this issue.
• Telneting to the device and hitting CTRL+C at either the user name or password prompt. It crashes and restarts, during that reboot it provides to a prompt without entering any username or password.

• Reportedly, this issue may be exploited by making a sequence of SNMP requests. A valid community name is not required. After a number of SNMP requests are made, the device will fail to respond to further requests. Additionally, all wireless connections will be dropped, and new connections refused. Under some conditions, the device may also fail to respond on the ethernet interface.
• snmpwalk <ip address> <arbitrary objectID>

• BT Voyager 2000 Wireless ADSL Router is reported prone to a sensitive information disclosure vulnerability. It is reported that 'public' SNMP MIB community strings which, are world readable by default contain sensitive information pertaining to the internal protected network. Data collected by exploiting this vulnerability may be used in further attacks against the victim network.
• snmpwalk -v 1 -c public 192.168.1.1

SNMPv2-MIB::sysDescr.0 = STRING: BT Voyager 2000 Wireless ADSL Router
-snip-
SNMPv2-SMI::transmission.23.2.3.1.5.5.1 = STRING: "name.surname@btbroadband.com"
SNMPv2-SMI::transmission.23.2.3.1.6.0.8 = ""
SNMPv2-SMI::transmission.23.2.3.1.6.5.1 = STRING: "password"
-snip- 

• A vulnerability has been reported for the WBRG54 device that may result in a denial of service. The vulnerability occurs when a vulnerable device receives numerous ICMP packets. In some cases, this will result in the device behaving unpredictably and denying service.

• The Compaq Intel PRO/Wireless 2011B LAN USB Device driver may disclose sensitive information to local attackers. The 128-bit WEP (Wired Equivalent Privacy) Key is stored plaintext in the registry and may be viewed by unprivileged local users.

• DLink DWL-1000AP is a 11Mbps wireless LAN access point product, which is geared towards home users. It supports WEP, MAC address control and user authentication. An oversight in the design of this product creates a vulnerability which may be exploited by an attacker to hijack the access point.The administrative password is stored in plaintext in the default "public" MIB. Any attacker within range, using a SNMP client, can reveal the administrative password by browsing the "public" MIB.
• There issue may be exploited with any SNMP client.

• A default read-only SNMP community string entitled "public" exists on the device. This community string is hard-coded into the product and cannot be changed with the configuration interface. As a result, an attacker may use a SNMP client to browse sensitive information contained in the "public" MIB.
• There issue may be exploited with any SNMP client.

• The Edimax 7205APL is reported to contain a default account ("guest"), which reportedly can't be removed. This account has permissions to create settings back-up files ("config.bin"), which include all passwords for the device in clear text.

• Gigabyte Gn-B46B appliance has been reported prone to an authentication bypass vulnerability. It has been reported that an attacker may save the router HTML menu on a local machine, the attacker may then use this menu to access and configure an accessible router without requiring prior authentication.

• The Compaq Intel PRO/Wireless 2011B LAN USB Device driver may disclose sensitive information to local attackers. The 128-bit WEP (Wired Equivalent Privacy) Key is stored plaintext in the registry and may be viewed by unprivileged local users.

• Linksys WET11 wireless Bridge is affected by a remote authentication bypass vulnerability.
• This issue based on a a failure of validating credentials when processing password changes.
• 'http://www.example.com/changepw.html?data=........................' sents an empty password on the device

• A problem with Logitech wireless mice and keyboards make it possible for a remote users to gain unauthorized access to resources. It is possible for a user with equipment capable of monitoring the frequencies used to communicate between the base receiver and devices to watch the session. Additionally, a user with similar equipment that has been altered may be able to gain control of the session. This problem makes it possible for a remote user to gain console access to an unauthorized system, either by watching keystrokes, or by session hijacking.

• The Longshine LCS-883R-AC-B device will allow tftp connections. An attacker can exploit this vulnerability to connect via tftp to the access point and download the configuration file without any authentication.

• An attacker can exploit this vulnerability to set up an AP with the same SSID (Service Set ID) of a previously configured AP. When the vulnerable system recognizes this malicious AP, it will then begin transmission of data. This can be exploited by an attacker to intercept and decrypt any transmissions received from a vulnerable system. Information obtained in this manner may be used to launch further, destructive attacks against a vulnerable system.

• Motorola WR850G wireless router is reported prone to a remote authentication bypass vulnerability. This issue is caused by a design error and may allow an attacker to ultimately take complete control over the device. A remote attacker can gain access to the Web interface of the affected device by periodically attempting to access restricted pages such as the 'ver.asp' script.

Default IP address: 192.168.0.5
Default WEP: Disabled
Default WEP KEY1: 11 11 11 11 11
Default WEP KEY2: 20 21 22 23 24
Default WEP KEY3: 30 31 32 33 34
Default WEP KEY4: 40 41 42 43 44

• ProSafe Dual Band Wireless VPN Firewall is reported prone to a vulnerability that can allow remote attackers to gain sensitive information about a network protected by the device. This issue presents itself because the appliance uses a default community string for SNMP.

• Netgear WG602 reportedly contains a default administrative account (super/superman). This issue can allow a remote attacker to gain administrative access to the device.

• It has been reported that NetGear WAB102 Wireless Access Point may be prone to multiple password management issues that could allow an attacker to gain access to a vulnerable unit. An attacker may be able to access the unit by supplying any password containing a space. Another issue causes the password to be reset to the default password of '1234' when the unit loses power and is reset.

• The Netgear FM114P ProSafe Wireless Router is vulnerable to information disclosure. If Remote Access and Universal Plug and Play are both enabled on the WAN interface, a UPnP SOAP request can retrieve the username and password for the WAN interface.
• The following request will retrieve the username from the FM114P:

POST /upnp/service/WANPPPConnection HTTP/1.1
HOST: 192.168.0.1:80
SOAPACTION: "urn:schemas-upnp-org:service:WANPPPConnection:1#GetUserName"
CONTENT-TYPE: text/xml ; charset="utf-8"
Content-Length: 289

• The Netgear FM114P allows certain ports to be blocked, both for external users attempting to enter the local network and for local users connecting to the WAN. If Remote Access and Universal Plug and Play are both enabled on the WAN interface, a UPnP SOAP request can cause a connection to be intitiated through a port that is normally blocked.

• Netgear FM114P Wireless Firewalls allow directory traversal using escaped character sequences. It is possible for an unauthenticated user to retrieve the firewall's configuration file by escaping from the /upnp/service directory.
• This vulnerability can be exploited using a web browser. The following proof of concept was provided: http://<ip-or-hostname>:<port>/upnp/service/%2e%2e%2fnetgear.cfg

• Netgear FM114P Cable/DSL Prosafe 802.11b Wireless Firewall may be vulnerable to a denial of service condition. If an unusually large number of TCP connections are made to the device, it will stop responding and cease to process traffic.

• When configured to backup configuration settings, the device will store various information in cleartext. Accessing this file could allow an attacker to obtain sensitive information which could aid the attacker in compromising the web administration interface of the device. It should be noted that the backup option is not enabled by default, but is a common feature used by administrators.

• Nortel Wireless LAN Access Point 2200 series appliances have been reported to be prone to a remote denial of service vulnerability. The issue is reported to present itself when a large network request is handled by one of the Wireless LAN Access Point default administration services. This will reportedly cause the Access Point Appliance Operating service to crash, effectively denying service to legitimate users.
• POC: http://downloads.securityfocus.com/vulnerabilities/exploits/WLAN-DoS.c

Default HTTP: user: default pass: WLAN_AP
Default MAC: 00:90:d1:00:b7:6b (00:90:d1:xx:xx:xx)

Default MAC: 00:90:d1:00:11:11 (00:90:d1:xx:xx:xx)
Default AP Name: MiniAP
Default Channel: 11

Default Admin pass: WLAN_BRIDGE

• A vulnerability has been discovered in the SMC SMC7004VWBR wireless router. The problem is said to occur while processing a sequence of malformed PPTP packets received via the local interface. Successful exploitation of this vulnerability will result in the router no longer responding to internal wireless traffic.

• Symantec Gateway Security 360R may be prone to a weakness that could allow a remote attacker to establish an insecure wireless connection with an internal computer.

Default WEP key one: 10 11 12 13 14 15
Default WEP key two: 20 21 22 23 24 25
Default WEP key three: 30 31 32 33 34 35

• It has been reported that Sweex Wireless Broadband Router/Access Point is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable access point. It has been reported that the access point has a TFTP service running that is enabled by default.Successful exploitation of this issue may allow a remote attacker to gain access to sensitive information that could eventually allow an attacker to completely compromise the access point

Default IP address: 192.168.123.254
Default Service: http
Default username: admin

Default username: admin

• The USR808054 wireless access point is reported to contain a denial of service vulnerability in its embedded web server.When malicious requests are received by the device, it will reportedly crash, denying service to legitimate users of the access point. This issue can be exploited by anybody with network connectivity to the administration HTTP server, no authentication is required.
• Example: perl -e '$a = "GET / " . "A"x250 . "\r\n\r\n" ; print $a' | nc ap 80

• A vulnerability has been reported to affect the implementation of NAT for the ZSR1104WE model Zonet Wireless Router. NAT for the wireless interface on the ZSR1104WE appliance is reported to modify IP data so that on the internal network, the origin address of forwarded traffic is that of the affected appliance. This issue may render the implementation of access controls on an internal host impossible.

Default console pass: 1234
Default telnet pass: 1234

Default IP address: 192.168.1.1

Default telnet username/password: admin/1234
Default web username/password: user/1234