Message-ID: <1089236033.6e3kilpgephc@mail.sapo.pt>
Date: Wed, 7 Jul 2004 22:33:53 +0100
From: duke_skillz@...o.pt
To: Adam Laurie <adam@...roup.co.uk>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: backdoor menu on conexant chipset dsl router (Zoom X3)
Quoting Adam Laurie <adam@...roup.co.uk>:
> i have just installed an adsl modem sold under the brand of Zoom X3
>
> http://www.zoom.com/products/adsl_overview.html
>
> and was appalled to find that an nmap scan of the external address
> immediately came up with the following:
>
> PORT STATE SERVICE
> 23/tcp open telnet
> 80/tcp open http
> 254/tcp open unknown
> 255/tcp open unknown
>
> ports 23 and 80 give access to the configuration menu and html interface
> as would be expected, but, although you can control access to the html
> interface, there is no control over the telnet port other than password.
>
> worse still, telnetting to port 254 gives you access to another menu,
> which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
> 3.27", and uses the *DEFAULT* HTML management password, even if you have
> changed it to something else. i.e. changing the HTML password does not
> change this one. from this menu you can change DSL settings and issue a
> complete "Factory Reset". there is a menu option to change the password,
> but this does not appear to work.
>
> port 255 accepts connections, but I have not investigated further.
>
> at the minimum this carries a risk of a trivial DOS attack (factory
> reset and everything stops working), and may actually have other more
> serious implications.
>
> i am disgusted that in this day and age products like this are still
> being shipped with such basic insecurities, and, accordingly, will not
> be wasting my time by looking into it any further, and will be taking
> the router back and exchanging it for something (hopefully) better
> thought out.
>
> to their credit, Zoom responded immediately with a workaround when i
> reported the problem, so they are clearly already aware. fyi, the
> workaround is to create dummy "Virtual Servers" on each of the ports
> that blackhole any incoming connections. this appears to work.
>
> Conexant list several other high profile retail modem manufacturers and
> pc oems, so i leave it as an exercise for the reader to work out other
> manufacturer/vulnerability combinations.
>
> http://www.conexant.com/support/md_supportlinks.html
>
> enjoy,
> Adam
> --
> Adam Laurie Tel: +44 (20) 8742 0755
> A.L. Digital Ltd. Fax: +44 (20) 8742 5995
> The Stores http://www.thebunker.net
> 2 Bath Road http://www.aldigital.co.uk
> London W4 1LT mailto:adam@...roup.co.uk
> UNITED KINGDOM PGP key on keyservers
>
>
Someone please correct me if I'm wrong, but I found reports of this issue that go
back to October 2003 (http://www.securityfocus.com/bid/8765/). From research
I found that the prob is in the Conexant CX82310-14 chipset with firmware
3.21...
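The thread's own check for this issue is an nmap scan of the modem's external address, and its workaround is judged to work by the same scan. As an added example (not code from either poster, Zoom or Conexant), the script below parses nmap's default port table and flags the four management listeners named above, so a rescan after applying the "Virtual Servers" blackhole can be compared mechanically against the original. The two sample scan tables are constructed here: the first reproduces the port list quoted in the thread, the second is what a successful blackhole would be expected to look like (ports reported as filtered rather than open); the port descriptions are taken from the thread's own findings.

```python
"""Flag router management ports that nmap reports as open on the WAN side.

Added example; parses nmap's default "PORT STATE SERVICE" table, which is
the only scan format the thread shows.
"""
import re

# Listeners the thread found on the Zoom X3's external address, with the
# risk each one carries according to the original report.
MANAGEMENT_PORTS = {
    23: "telnet configuration menu (password only, no access control)",
    80: "HTML management interface",
    254: "ATU-R ACCESS RUNNER menu, uses the DEFAULT HTML password",
    255: "accepts connections, not investigated",
}

# One row of nmap's port table, e.g. "254/tcp open unknown".
# Header rows ("PORT STATE SERVICE") do not start with a digit and are skipped.
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S*)", re.MULTILINE)

# Constructed sample: the scan result quoted in the thread.
SAMPLE_BEFORE = """\
PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
254/tcp open  unknown
255/tcp open  unknown
"""

# Constructed sample: what a rescan should show once each port is blackholed.
SAMPLE_AFTER = """\
PORT    STATE    SERVICE
23/tcp  filtered telnet
80/tcp  filtered http
254/tcp filtered unknown
255/tcp filtered unknown
"""


def parse_open_ports(nmap_text):
    """Return {port: service} for every TCP port nmap reports as open."""
    found = {}
    for match in PORT_LINE.finditer(nmap_text):
        port, proto, state, service = match.groups()
        if proto == "tcp" and state == "open":
            found[int(port)] = service
    return found


def exposed_management_ports(nmap_text):
    """Return sorted (port, description) pairs for open management listeners."""
    open_ports = parse_open_ports(nmap_text)
    return sorted((port, MANAGEMENT_PORTS[port])
                  for port in open_ports if port in MANAGEMENT_PORTS)


def verdict(nmap_text):
    """'FAIL' if any management listener is reachable externally, else 'PASS'."""
    return "FAIL" if exposed_management_ports(nmap_text) else "PASS"


if __name__ == "__main__":
    for label, sample in (("before workaround", SAMPLE_BEFORE),
                          ("after workaround", SAMPLE_AFTER)):
        print(f"{label}: {verdict(sample)}")
        for port, description in exposed_management_ports(sample):
            print(f"  {port}/tcp open: {description}")
```

Run it against real output by piping `nmap <external address>` (run from outside the LAN, as the original poster did) into `parse_open_ports`; port 254 reporting `open` after the workaround means the second menu, with its unchanged default password, is still reachable.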