qcred11
Jul 6 2004, 02:48 PM
| QUOTE |
i have just installed an adsl modem sold under the brand of Zoom X3
http://www.zoom.com/products/adsl_overview.html
and was appalled to find that an nmap scan of the external address immediately came up with the following:
PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
254/tcp open unknown
255/tcp open unknown
ports 23 and 80 give access to the configuration menu and html interface as would be expected, but, although you can control access to the html interface, there is no control over the telnet port other than password.
worse still, telnetting to port 254 gives you access to another menu, which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.27", and uses the *DEFAULT* HTML management password, even if you have changed it to something else. i.e. changing the HTML password does not change this one. from this menu you can change DSL settings and issue a complete "Factory Reset". there is a menu option to change the password, but this does not appear to work.
port 255 accepts connections, but I have not investigated further.
at the minimum this carries a risk of a trivial DOS attack (factory reset and everything stops working), and may actually have other more serious implications.
i am disgusted that in this day and age products like this are still being shipped with such basic insecurities, and, accordingly, will not be wasting my time by looking into it any further, and will be taking the router back and exchanging it for something (hopefully) better thought out.
to their credit, Zoom responded immediately with a workaround when i reported the problem, so they are clearly already aware. fyi, the workaround is to create dummy "Virtual Servers" on each of the ports that blackhole any incoming connections. this appears to work.
Conexant list several other high profile retail modem manufacturers and pc oems, so i leave it as an exercise for the reader to work out other manufacturer/vulnerability combinations.
http://www.conexant.com/support/md_supportlinks.html
enjoy, Adam
|
sent by mailing list
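Added example, not part of the original posts: one way to confirm the "dummy Virtual Servers" workaround described above is to rescan the modem's own external address and compare the result with the scan quoted in the post. The AFTER sample below is constructed (it assumes port 255 was missed), and the function names are hypothetical.

```python
import re

# Ports the post reports reachable from the WAN side of the modem.
MGMT_PORTS = (23, 80, 254, 255)

# One row of nmap's port table, e.g. "254/tcp open unknown".
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_ports(nmap_text):
    """Return {port: state} for the TCP rows of an nmap port table."""
    states = {}
    for line in nmap_text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(2) == "tcp":
            states[int(m.group(1))] = m.group(3)
    return states

def report(before_text, after_text):
    """(port, before, after, verdict) for each port named in the post."""
    before, after = parse_ports(before_text), parse_ports(after_text)
    rows = []
    for port in sorted(MGMT_PORTS):
        b = before.get(port, "not shown")
        a = after.get(port, "not shown")  # nmap summarises unlisted ports
        rows.append((port, b, a, "STILL EXPOSED" if a == "open" else "ok"))
    return rows

def exposed(nmap_text):
    """Management ports whose state is exactly 'open'."""
    states = parse_ports(nmap_text)
    return sorted(p for p in MGMT_PORTS if states.get(p) == "open")

# Scan result quoted in the post, taken before the workaround.
BEFORE = """PORT STATE SERVICE
23/tcp open telnet
80/tcp open http
254/tcp open unknown
255/tcp open unknown"""

# Constructed sample: rescan after the workaround, with port 255 missed.
AFTER = """PORT    STATE    SERVICE
23/tcp  filtered telnet
80/tcp  filtered http
254/tcp filtered unknown
255/tcp open     unknown"""

if __name__ == "__main__":
    for port, b, a, verdict in report(BEFORE, AFTER):
        print(f"{port:>3}/tcp  {b:<9} -> {a:<9} {verdict}")
```

Any port still listed by exposed() after the workaround needs its own dummy entry; the rescan has to be run from outside the LAN to reflect what the WAN side sees.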
andydis
Jul 6 2004, 04:04 PM
| QUOTE |
| worse still, telnetting to port 254 gives you access to another menu, |
whilst doing a pen test for a company i noticed this port open on the router, and yes to my surprise it wasn't even pass protected (accepted any pass)
my guess is it's for ISPs managing the router they "loan" or "rent" out.
Settings changeable are;-
(well here's the screenshot actually:-))
02/13/99 CONEXANT SYSTEMS, INC. 23:08:04
ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.24
ADSL MENU
1. ADSL PERFORMANCE STATUS
2. 24 HOUR ADSL PERFORMANCE HISTORY
3. 7 DAY ADSL PERFORMANCE HISTORY
4. ADSL ALARM HISTORY
5. ADSL TRANSCEIVER CONFIGURATION MENU
6. ADSL LINK RESET
(M)ain