| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 06 Jul 2004 13:37:44 +0100 From: Adam Laurie <adam@...roup.co.uk> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com, Adam Laurie <adam@...roup.co.uk> Subject: backdoor menu on conexant chipset dsl router (Zoom X3) i have just installed an adsl modem sold under the brand of Zoom X3 http://www.zoom.com/products/adsl_overview.html and was apalled to find that an nmap scan of the external address immediately came up with the following: PORT STATE SERVICE 23/tcp open telnet 80/tcp open http 254/tcp open unknown 255/tcp open unknown ports 23 and 80 give access to the configuration menu and html interface as would be expected, but, although you can control access to the html interface, there is no control over the telnet port other than password. worse still, telnetting to port 254 gives you access to another menu, which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.27", and uses the *DEFAULT* HTML management password, even if you have changed it to something else. i.e. changing the HTML password does not change this one. from this menu you can change DSL settings and issue a complete "Factory Reset". there is a menu option to change the password, but this does not appear to work. port 255 accepts connections, but I have not investigated further. at the minimum this carries a risk of a trivial DOS attack (factory reset and everthing stops working), and may actually have other more serious implications. i am disgusted that in this day and age products like this are still being shipped with such basic insecurities, and, accordingly, will not be wasting my time by looking into it any further, and will be taking the router back and exchanging it for something (hopefully) better thought out. to their credit, Zoom responded immediately with a workaround when i reported the problem, so they are clearly already aware. fyi, the workaround is to create dummy "Virtual Servers" on each of the ports that blackhole any incoming connections. this appears to work. connexant list several other high profile retail modem manufacturers and pc oems, so i leave it as an exercise for the reader to work out other manufacturer/vulnerability combinations. http://www.conexant.com/support/md_supportlinks.html enjoy, Adam -- Adam Laurie Tel: +44 (20) 8742 0755 A.L. Digital Ltd. Fax: +44 (20) 8742 5995 The Stores http://www.thebunker.net 2 Bath Road http://www.aldigital.co.uk London W4 1LT mailto:adam@...roup.co.uk UNITED KINGDOM PGP key on keyservers _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists