lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200301231538.h0NFcCQ14740@web186.megawebservers.com>
From: http-equiv at malware.com (http-equiv@...ite.com)
Subject: SPRINT ADSL [Zyxel 645 Series Modem]


Thursday, January 23 2003

Sprint FastConnect[insert little registration r here]ADSL provides 
the Zyxel series of modem/routers to their customers.  The problem is 
all these devices are factory set with default commonly known 
passwords and logins and include a little http, ftp and telnet 
server.  This allows for remote configuration of the network settings 
and host of other things. Including uploading and downloading the 
modem configuration file rom-0, rebooting the modem, changing the 
modem's remote management login and password, various other "high-
tech" fiddling possibilities. Through both telnet and web.

Certainly not of interest or of need to your generic subscriber.

Quick pretend examination of:

Sprint NETBLK-SPRINTBLK (NET-198-67-0-0-1) 
198.67.0.0 - 198.70.255.255
LTD SPRINT FLA ANS ISP FON-332652953698729 (NET-198-70-208-0-1) 
198.70.208.0 - 198.70.223.255

shows 800 out of 2000 [of 100,000 or so] affected modems. Closer 
examination confirms:

                    Copyright (c) 1994 - 2002 ZyXEL Communications 
Corp.

                              P645ME+ Main Menu

     Getting Started                      Advanced Management
       1. General Setup                     21. Filter Set 
Configuration
       3. Ethernet Setup                    22. SNMP Configuration
       4. Internet Access Setup             23. System Password
                                            24. System Maintenance
                                            25. IP Routing Policy 
Setup
     Advanced Applications                  26. Schedule Setup
       11. Remote Node Setup
       12. Static Routing Setup
       15. SUA Server Setup                 99. Exit






                          Enter Menu Selection Number:   

punching in on our replica modem, number four [4], we get:


                         Menu 4 - Internet Access Setup

                    ISP's Name= MyISP
                    Encapsulation= PPPoE
                    Multiplexing= LLC-based
                    VPI #= 8
                    VCI #= 35
                    Service Name=
                    My Login= grandpamalware@...ware.com
                    My Password= ********
                    Single User Account= Yes
                    IP Address Assignment= Dynamic
                      IP Address= N/A
                    ENET ENCAP Gateway= N/A




                    Press ENTER to Confirm or ESC to Cancel:

Press ENTER to Confirm or ESC to Cancel:  

Playing with our replica modem a bit more we GET:

ftp> open malware.com
Connected to malware.com.
220 Sprint FTP version 1.0 ready at Wed Jan  5 17:20:47 2000
User (malware.com:(none)):
331 Enter PASS command
Password:
230 Logged in
ftp> get rom-0
200 Port command okay
150 Opening data connection for RETR rom-0
226 File sent OK
ftp: 16384 bytes received in 2.03Seconds 8.07Kbytes/sec.
ftp>

Due to our modem only being a replica, we are unable to determine 
whether uploading our custom crafted rom-0 file from our second 
replica modem to our first, will (a) register the user data from 
there to there inclusive of user name and password and or (b) 
overwrite the configuration file in such a way our modem then becomes 
useless.

But without a doubt, we are not happy to see Grandpappy's private 
email address out in the open for the whole world to see.

Notes:

1. The provider suggests that slapping up a web page with 
instructions to disable this "feature" will be the solution. We would 
suggest fire-walling off the entire affected user base ftp, http and 
telnet ports, rolling out the trucks, physically reconfiguring each 
and every affected subscriber's modem or replacing them
2. PRIVACY PRIVACY PRIVACY. In this day and age, it is all we have 
left !
3. http://www.wired.com/news/infostructure/0,1377,57342,00.html
4. Victims of this contact your provider asa possible and have them 
hand-hold you through disabling this "feature". Better yet, insist 
they send over the installer to do it for you. After all it should 
have been done at time of installation.

End Call



-- 
http://www.malware.com





-- 
http://www.malware.com



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ