Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Mark (Mookie) (markZANG.COM)
Date: Mon Apr 16 2001 - 06:14:05 CDT
>Subject: multiple vulnerabilities in Alcatel ADSL-Ethernet bridge
>Researchers associated with the San Diego Supercomputer Center at the
>University of California, San Diego have identified multiple
>implementation flaws in the Alcatel Speed Touch ADSL "modem" (actually
>an ADSL-Ethernet router/bridge). These flaws can allow an intruder to
>take complete control of the device, including changing its
>configuration, uploading new firmware, and disrupting the
>communications between the telephone central office providing ADSL
>service and the device.
Weren't these issues actually discovered by Renaud Deraison in November 2000?
He added code to his Nessus program to check for the problems and didn't
consider it worth an advisory since the exploit depended on the IP 10.0.0.138
being spoofable, possible on some ISPs who do VPNs that way but generally
a lower risk than the full internet range.
You'd think the normal process of informing the manufacturer to provide a
window to have a patch available would be followed. Instead a few people
were told, then the press and then CERT, sounds more like a PR stunt to me.
The value add tools are useful but the manuafacturer could have offered a
better fix than binary patching etc. Sounds like too much time was spent on a
All your japboy are belong to us.