Date: Wed,  7 Jul 2004 22:33:53 +0100
From: duke_skillz@...o.pt
To: Adam Laurie <adam@...roup.co.uk>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: backdoor menu on conexant chipset dsl router (Zoom X3)


Quoting Adam Laurie <adam@...roup.co.uk>:

> i have just installed an adsl modem sold under the brand of Zoom X3
>
>    http://www.zoom.com/products/adsl_overview.html
>
> and was appalled to find that an nmap scan of the external address
> immediately came up with the following:
>
>    PORT    STATE SERVICE
>    23/tcp  open  telnet
>    80/tcp  open  http
>    254/tcp open  unknown
>    255/tcp open  unknown
>
> ports 23 and 80 give access to the configuration menu and html interface
> as would be expected, but, although you can control access to the html
> interface, there is no control over the telnet port other than password.
>
> worse still, telnetting to port 254 gives you access to another menu,
> which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
> 3.27", and uses the *DEFAULT* HTML management password, even if you have
> changed it to something else. i.e. changing the HTML password does not
> change this one. from this menu you can change DSL settings and issue a
> complete "Factory Reset". there is a menu option to change the password,
> but this does not appear to work.
>
> port 255 accepts connections, but I have not investigated further.
>
> at the minimum this carries a risk of a trivial DoS attack (factory
> reset and everything stops working), and may actually have other more
> serious implications.
>
> i am disgusted that in this day and age products like this are still
> being shipped with such basic insecurities, and, accordingly, will not
> be wasting my time by looking into it any further, and will be taking
> the router back and exchanging it for something (hopefully) better
> thought out.
>
> to their credit, Zoom responded immediately with a workaround when i
> reported the problem, so they are clearly already aware. fyi, the
> workaround is to create dummy "Virtual Servers" on each of the ports
> that blackhole any incoming connections. this appears to work.
>
> Conexant list several other high profile retail modem manufacturers and
> pc oems, so i leave it as an exercise for the reader to work out other
> manufacturer/vulnerability combinations.
>
>    http://www.conexant.com/support/md_supportlinks.html
>
> enjoy,
> Adam
> --
> Adam Laurie                   Tel: +44 (20) 8742 0755
> A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
> The Stores                    http://www.thebunker.net
> 2 Bath Road                   http://www.aldigital.co.uk
> London W4 1LT                 mailto:adam@...roup.co.uk
> UNITED KINGDOM                PGP key on keyservers
>
>
Someone please correct me if I'm wrong, but I found reports of this issue that go
back to October 2003 ( http://www.securityfocus.com/bid/8765/ ). From research
I found that the problem is in the Conexant CX82310-14 chipset with firmware
3.21...
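As an added example (not part of this thread or of either poster's work), a small Python check a router owner can run from outside against the router's WAN address to confirm whether the management ports listed above are still reachable after applying Zoom's Virtual Server workaround. The port-to-name mapping is constructed from the nmap output in the quoted post; a blackholed port should come back as "filtered", a refused one as "closed".

```python
import socket
import sys

# Management ports named in the quoted report (constructed mapping):
# telnet, HTTP, and the two undocumented Conexant menus.
MGMT_PORTS = {23: "telnet", 80: "http", 254: "ATU-R menu", 255: "unknown"}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'closed' or 'filtered' for one TCP port.

    'closed' means the host actively refused the connection (RST);
    'filtered' means no answer at all, which is what a blackholing
    Virtual Server rule or an upstream filter produces.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout and unreachable-host errors
        return "filtered"


def audit(host: str, ports=MGMT_PORTS, timeout: float = 3.0) -> dict:
    """Probe every management port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results: dict) -> list:
    """Ports that still accept connections and therefore need the workaround."""
    return sorted(p for p, state in results.items() if state == "open")


def report(results: dict) -> str:
    """Render results in the same port/state/service layout nmap uses."""
    lines = []
    for port in sorted(results):
        name = MGMT_PORTS.get(port, "unknown")
        lines.append(f"{port:>5}/tcp {results[port]:<9} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run from outside the LAN against the router's external address,
    # as in the original nmap check.
    if len(sys.argv) != 2:
        sys.exit("usage: check_router_ports.py <router WAN address>")
    res = audit(sys.argv[1])
    print(report(res))
    print("still exposed:", exposed(res) or "none")
```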