lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <40EA9D18.1040301@algroup.co.uk>
Date: Tue, 06 Jul 2004 13:37:44 +0100
From: Adam Laurie <adam@...roup.co.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com,
   Adam Laurie <adam@...roup.co.uk>
Subject: backdoor menu on conexant chipset dsl router (Zoom X3)


i have just installed an adsl modem sold under the brand of Zoom X3

   http://www.zoom.com/products/adsl_overview.html

and was apalled to find that an nmap scan of the external address 
immediately came up with the following:

   PORT    STATE SERVICE
   23/tcp  open  telnet
   80/tcp  open  http
   254/tcp open  unknown
   255/tcp open  unknown

ports 23 and 80 give access to the configuration menu and html interface 
as would be expected, but, although you can control access to the html 
interface, there is no control over the telnet port other than password.

worse still, telnetting to port 254 gives you access to another menu, 
which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 
3.27", and uses the *DEFAULT* HTML management password, even if you have 
changed it to something else. i.e. changing the HTML password does not 
change this one. from this menu you can change DSL settings and issue a 
complete "Factory Reset". there is a menu option to change the password, 
but this does not appear to work.

port 255 accepts connections, but I have not investigated further.

at the minimum this carries a risk of a trivial DOS attack (factory 
reset and everthing stops working), and may actually have other more 
serious implications.

i am disgusted that in this day and age products like this are still 
being shipped with such basic insecurities, and, accordingly, will not 
be wasting my time by looking into it any further, and will be taking 
the router back and exchanging it for something (hopefully) better 
thought out.

to their credit, Zoom responded immediately with a workaround when i 
reported the problem, so they are clearly already aware. fyi, the 
workaround is to create dummy "Virtual Servers" on each of the ports 
that blackhole any incoming connections. this appears to work.

connexant list several other high profile retail modem manufacturers and 
pc oems, so i leave it as an exercise for the reader to work out other 
manufacturer/vulnerability combinations.

   http://www.conexant.com/support/md_supportlinks.html

enjoy,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@...roup.co.uk
UNITED KINGDOM                PGP key on keyservers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ