OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
http-equiv_at_excite.com
Date: Thu Jan 23 2003 - 09:36:17 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Thursday, January 23 2003

    Sprint FastConnect[insert little registration r here]ADSL provides
    the Zyxel series of modem/routers to their customers. The problem is
    all these devices are factory set with default commonly known
    passwords and logins and include a little http, ftp and telnet
    server. This allows for remote configuration of the network settings
    and host of other things. Including uploading and downloading the
    modem configuration file rom-0, rebooting the modem, changing the
    modem's remote management login and password, various other "high-
    tech" fiddling possibilities. Through both telnet and web.

    Certainly not of interest or of need to your generic subscriber.

    Quick pretend examination of:

    Sprint NETBLK-SPRINTBLK (NET-198-67-0-0-1)
    198.67.0.0 - 198.70.255.255
    LTD SPRINT FLA ANS ISP FON-332652953698729 (NET-198-70-208-0-1)
    198.70.208.0 - 198.70.223.255

    shows 800 out of 2000 [of 100,000 or so] affected modems. Closer
    examination confirms:

                        Copyright (c) 1994 - 2002 ZyXEL Communications
    Corp.

                                  P645ME+ Main Menu

         Getting Started Advanced Management
           1. General Setup 21. Filter Set
    Configuration
           3. Ethernet Setup 22. SNMP Configuration
           4. Internet Access Setup 23. System Password
                                                24. System Maintenance
                                                25. IP Routing Policy
    Setup
         Advanced Applications 26. Schedule Setup
           11. Remote Node Setup
           12. Static Routing Setup
           15. SUA Server Setup 99. Exit

                              Enter Menu Selection Number:

    punching in on our replica modem, number four [4], we get:

                             Menu 4 - Internet Access Setup

                        ISP's Name= MyISP
                        Encapsulation= PPPoE
                        Multiplexing= LLC-based
                        VPI #= 8
                        VCI #= 35
                        Service Name=
                        My Login= grandpamalwaremalware.com
                        My Password= ********
                        Single User Account= Yes
                        IP Address Assignment= Dynamic
                          IP Address= N/A
                        ENET ENCAP Gateway= N/A

                        Press ENTER to Confirm or ESC to Cancel:

    Press ENTER to Confirm or ESC to Cancel:

    Playing with our replica modem a bit more we GET:

    ftp> open malware.com
    Connected to malware.com.
    220 Sprint FTP version 1.0 ready at Wed Jan 5 17:20:47 2000
    User (malware.com:(none)):
    331 Enter PASS command
    Password:
    230 Logged in
    ftp> get rom-0
    200 Port command okay
    150 Opening data connection for RETR rom-0
    226 File sent OK
    ftp: 16384 bytes received in 2.03Seconds 8.07Kbytes/sec.
    ftp>

    Due to our modem only being a replica, we are unable to determine
    whether uploading our custom crafted rom-0 file from our second
    replica modem to our first, will (a) register the user data from
    there to there inclusive of user name and password and or (b)
    overwrite the configuration file in such a way our modem then becomes
    useless.

    But without a doubt, we are not happy to see Grandpappy's private
    email address out in the open for the whole world to see.

    Notes:

    1. The provider suggests that slapping up a web page with
    instructions to disable this "feature" will be the solution. We would
    suggest fire-walling off the entire affected user base ftp, http and
    telnet ports, rolling out the trucks, physically reconfiguring each
    and every affected subscriber's modem or replacing them
    2. PRIVACY PRIVACY PRIVACY. In this day and age, it is all we have
    left !
    3. http://www.wired.com/news/infostructure/0,1377,57342,00.html
    4. Victims of this contact your provider asa possible and have them
    hand-hold you through disabling this "feature". Better yet, insist
    they send over the installer to do it for you. After all it should
    have been done at time of installation.

    End Call 

    --
http://www.malware.com

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Delivery co-sponsored by TruSecure Corporation
oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before 3/31/03
with PROMO "TS0103" at www.2test.com.  NO membership fees, certification
good for 2 years. Price for international delivery just $296.25 US, with
this offer.  Offer cannot be combined with any other special and expires
3/31/03. Visit www.trusecure.com/ticsa for full details.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo