Open Source and information security mailing list archives
Date: Wed, 3 Aug 2011 10:02:07 +1000
From: xD 0x41 <secn3t@...il.com>
To: Liam Tung <liamjtung@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Telstra Thomson router - news item for
	CSO.com.au

Hello to those who responded,
      My MAIN concern with this was the actual reporting of it, and since I
am actually a BP customer, it puts me in an awfully compromising position at
the moment, as I do not want to end up stuffed up for disclosing what
should have been done maybe a month ago.. albeit, the bug was only found the
day I did post it.
At the moment, it seems all the gateways on Bigpond are affected... and all
the models tested so far allow this, leading me to not even test any older
models.. It is a bug, it must be fixed... PLEASE read on... it is important.

I do not know how else to say this but, PLEASE, patch this up, it is not
really any good to people without some knowledge of at least how a router
forwards traffic and manages your internet.

For this reason, as I stated earlier in the PoC code.
I was genuinely worried about disclosing this, but I had to, because I'd
rather be on this side of the fence than sitting in the middle not knowing
HOW to go about reporting.
I have reported at least 10 bugs on various things, even one FreeBSD kernel
patch is through me, however, those are well structured security teams who
DON'T arrest the person who finds the bugs, rather they are rewarded for at
the last disclosure.

As you well know, this could be nasty in the right hands, but at the same
time, I would like to urge Telstra to take the Lead and set up a REAL
security team/forum/rules-for-disclosure.
I urge CSO/Technicolor to help me do this.

The second you have this for me, I would be very happy in future to use
those protocols.

Please do not point the finger but rather, thank me and thank Talon, for
both of us, would never have been disclosed if not for it being discussed
first (in chatrooms etc as you well know....)... the day it was disclosed was
the day it was found. There is NO connection between my channel/chatroom and
any idiots who go around stealing.
You have still MUCH time to patch, please try to get this done.
Considering that the gateway will add a @bigpond.com to your host, well it
is a rather huge incentive for scammers to use legitimate systems to
compromise more.

*Technicolor is another huge company, again, I am glad the replies were
made regarding this, and I don't submit anything to
www.exploit-db.com rubbish sites.*

I would be happy to work with Telstra anytime at NO fee just to secure my
own systems.

I hope I have cleared a bit of why I went about things as I have... I do not
want to become another 'cecil', get my drift?
If I see PROPER protocols in place for people who disclose, I would use
them.
In the case of Technicolor, I am just glad they are now able to get
themselves patched, and again, would be happy to help.

FOR Telstra/Bigpond and Iprimus (yes, you're also affected I believe): When I
log in to my email @home base ISP, I do not see 'security' in the
page, clearly.
Not last I looked, and this is of course very much normal, it's time things
changed.

Maybe it is time that there is some hard-coded (manner of speech) rules and
protocol for this type of problem. Rather than sniffing routers and sneaking
around, you will only find the people who have 0 skills all sending you
emails hoping to score a winner... especially after what has happened with
cecil.
I hope there is a much more visible security section and ebook/pdf which
confirms things in 'paper'.

This is why Australia is still one of the biggest targets, and will remain
so, unless ISPs start to SPEAK with people, rather than arrest them.

In the case of cecil, I have NO pity, he was NO skilled loser, and will
always be one. For those who are not though, I think almost every Telstra
user at the moment is probably too scared to even do anything online
regarding money or even perform some simple scanning/testing, this is thanks
to the press coverage of one idiotic kid/truckie or whatever he thinks he
was, and I see this just in 'chats', and worse, other countries are now
poking our systems.

*This is wrong.*

ISPs/Companies here in AU MUST start to set up a visible, thorough line and
method for those who DO wish to assist, and in my case and another, we both
use Bigpond and I'd hate to be compromised through a gateway service.

I hope this comes loud and clear, to ALL ISPs within Australia, and hopefully
we can get things up-to-date like many countries have done now, which has led
to MUCH better disclosure rates, and no arrests because the skilled people
will shine through but those who are pathetic will not.
Hence you would not get anything bad from this, to set up effective disclosure
policy, is security, and should be treated as if it were on and offline, not
just online being some cesspit where people are only NOW starting to catch up
in AU, thanks to idiots who do not disclose things like this.
I can handle maybe a local kernel exploit, and sure, I'd even use it to test my
systems, you do not see those guys going to jail etc... instead, they get
paid. This is why most of the world except AU is behind and has been since
1991 thanks to a lie from the govt, the NBN was meant to be installed over
10 years ago.

NON disclosure and then making some automatic 'gate' hacking system would
have been a really nasty way to disclose things...
I hope I have shed some light on whys/ifs and whats.
If you are running a Thomson, I would suggest to try the PoC by hand, and
then contact the vendor, restrict ALL remote-assistance through ALL routers
used until the firmware is up to date.
I shiver when thinking how old the code must be.
Regards to those affected, and apologies you also, like me, have to rely on
one major ISP and a few smaller ones.. it is a joke, an unfair monopoly.
Sincerely,
xd--





On 3 August 2011 00:25, Liam Tung <liamjtung@...il.com> wrote:

> Hi Secn3t,
>
>
> I write for the website CSO.com.au and I noticed your report on the Full Disclosure list regarding a vulnerability in Telstra's Thomson router.
>
>
> http://seclists.org/fulldisclosure/2011/Aug/6
>
>
> I was wondering if you could provide a few more details on which models were affected. I believe Telstra requires one of these (see technicolor link) for its BigPond home service.
>
>
> http://www.technicolor.com/en/hi/digital-home/mediaaccess/dsl-fiber/data-wired/adsl/technicolor-st536v6
>
>
> http://go.bigpond.com/broadband/setup/
>
>
> It seems Technicolor, the company that makes the router has responded to your disclosure.
>
>
> Did you notify anyone from Telstra? And have they responded?
>
>
>
>
>
> Liam Tung
> liamjtung@...il.com
> +46 (0)722499865
> Journalist
>
>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
