lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 25 Apr 2012 13:15:53 +0000
From: Jerome Athias <jerome@...peas.com>
To: full-disclosure@...ts.grok.org.uk
Subject: MoroccoTel Box Default Open Telnet Password

Hi,

a "vulnerability" was identified on MoroccoTel Boxes:
a telnet server is running, open to the web, with a default password of
admin (or 123456)

This critical vulnerability can affect the entire network of a Country.

Solution: change the default password account or modify the default firmware

NB: a new firmware was released, introducing a cipher on the "PPOE
password" (one common, publicly available PPOE account is largely used)

Discovered by NETpeas research team, NETpeas CERT is trying to contact
the ISP

More details:

Password:
telnettry
41.141.*.* -> Response telnet02: ****
Copyright (c) 2001 - 2006 Huawei
MT882a>
***********************************************************
41.141.*.* -> TELNET PASSWORD FOUND: admin

MT882a> show all

 RAS version: V100R001B022 MoroccoTel 2010/02/26
 System   ID: $5.0.152.1(RUE0.C2)3.11.2.151 20110602_V001  [Jun 02 2011
13:54:48]
 romRasSize: 1217226
 system up time:     2:45:45 (f2cc9 ticks)
 bootbase version: VTC_SPI1.5| 2011/05/26


Hostname        = MT882a
Message         = <empty>
ip route mode   = Yes
bridge mode     = Yes
DHCP setting:
  DHCP Mode      = Server
  Client IP Pool Starting Address = 192.168.1.2
  Size of Client IP Pool = 64
  Primary DNS Server     = 8.8.8.8
  Secondary DNS Server   = 8.8.4.4
  DHCP server leasetime  = 86400
TCP/IP Setup:
  IP Address     = 192.168.1.1
  IP Subnet Mask = 255.255.255.0
  Rip Direction  = None
    Version      = Rip-1
  Multicast      = IGMP-v2


RemoteNode     = 0
Rem Node Name  = ISP-0(ISP)
Encapsulation  = PPPoE
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 8/35
IP Routing mode= Yes
Bridge mode    = No
PPP Username   = <snip>
	
PPP Password
41.141.*.* ->    = *******
PPP Username_ext2   =
PPP Password_ext2   =
Service name   =
Remote IP Addr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA            = Yes
Multicast      = None
Default Route node            = Yes

RemoteNode     = 1
Rem Node Name  = ISP-1
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel
41.141.1.9 -> Port 80 open
41.141.*.* -> active = Yes
VPI/VCI value  = 0/35
IP Routing mode= No
Bridge mode    = Yes
Remote IP Addr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0

41.141.*.* -> IP address assignment type = Dynamic

41.141.*.* -> SUA            = No
Multicast      = None
Default Route node            = No

RemoteNode     = 2
Rem Node Name  = ISP-2
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 0/32
IP Routing mode= No
Bridge mode    = Yes
Remote IP Addr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA            = No
Multicast      = None
Default Route node            = No

RemoteNode     = 3
Rem Node Name  = ISP-3
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 8/32
IP Routing mode= No
Bridge mode    = Yes
Remote IP Addr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA            = No
Multicast      = None
Default Route node            = No

RemoteNode     = 4
Rem Node Name  = ISP-4
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 8/81
IP Routing mode= No
Bridge mode    = Yes
Remote IP
41.141.*.* ->  Addr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA            = No
Multicast      = None
Default Route node            = No

RemoteNode     = 5
Rem Node Name  = ISP-5
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 0/100
IP Routing mode= No
Bridge mode    = Yes
Remote IP A
41.141.*.* -> ddr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA            = No
sMulticast      = None

41.141.*.* -> yDefault Route node            = No
s
 RemoteNode     = 6
aRem Node Name  = ISP-6t
sEncapsulation  = hRFC 1483

Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 1/39
IP Routing mode= No
Bridge mode    = Yes
Remote IP Addr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA            = No
Multicast      = None
Default Route node            = No

RemoteNode     = 7
Rem Node Name  = ISP-7
Encapsulation  = RFC 1483
Multiplexing   = LLC-based
Channel active = Yes
VPI/VCI value  = 0/16
IP Routing mode= No
Bridge mode    = Yes
Remote IP Addr        = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA            = No
Multicast      = None
Default Route node            = No

MT882a>
RAS version            : V100R001B022 MoroccoTel
romRasSize             : 1217226
bootbase version       : VTC_SPI1.5| 2011/05/26
Product Model          : SmartAX

MAC Address            : <snip-inclear>

Default Count
41.141.*.* -> ry Code   : FF

Boot Module Debug Flag : 00

RomFile Version        : 9F

RomFile Checksum       : dceb

RAS F/W Checksum       : 87b7

SNMP MIB level & OID   : 050000000100000002000000030000000400000005

Main Feature Bits      : 86

Other Feature Bits     :
93 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 13 00 00 00
MT882a>
41.141.*.* -> e
41.141.*.* -> ther config
--------------- NDIS CONFIGURATION BLOCK ----------------
type=1 flags=0001
Board/Chassis:1  Lines/Board:1  Channels/Lines:2 Total Channel:2
task-id=8041f1f4 event-q=80458c2c(19) data-q=80458c70(1a) func-id=2
board-cfg=8042c8a4 line-cfg=8042c8bc chann-cfg=8042c8d0
board-pp (8042c8f0)
804273fc
line-pp (8042c8f4)
8042956c
chann-pp (8042c8f8)
804bf8a4 804bfe34
--------------- BOARD DISPLAY ---------------------------
ID  slot#  n-line  n-chann  status  line-cfg  chann-cfg
00      0       1        2    0001  8042c8bc    8042c8d0
--------------- LINE  DISPLAY ---------------------------
ID  line#  board-id  n-chann  chann-cfg
00      1  00              2  8042c8d0
--------------- CHANNEL DISPLAY -------------------------
ID  chan#  line-id  board-id  address name
00      1  00       00        804bf8a4  enet0
01      2  00       00        804bfe34  enet1
MT882a>


-- 
Jerome Athias - NETpeas
VP, Director of Software Engineer
Palo Alto - Paris - Casablanca
Mobile: +212665346454
www.netpeas.com
---------------------------------------------
Stay updated on Security: www.vulnerabilitydatabase.com

"The computer security is an art form. It's the ultimate martial art."


Download attachment "smime.p7s" of type "application/pkcs7-signature" (4899 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ