Full Disclosure mailing list archives

Re: security hole on local ISP

From: Lee <ler762 () gmail com>
Date: Tue, 29 Dec 2009 13:21:09 -0500

On Tue, Dec 29, 2009 at 12:08 PM, T Biehn <tbiehn () gmail com> wrote:

This is a hiroshima versus 'harmless' mountain demonstration debate,
Lee. Because the post includes the raw data including ports, passwords
and ranges one must assume



no, I don't >have< to make that assumption

that "Cilia Pretel Gallo" was appealing to
the lowest common denominator, to a group of individuals where
checking NRO whois db for ETB's netblocks would not be an obvious
first step.


Just because you or I wouldn't have made a full disclosure of the problem it
doesn't necessarily follow that "Cilia Pretel Gallo" was appealing to the
lowest common denominator.

The few times I've found something that I considered a security issue & the
vendor didn't agree, a "So you're OK with me posting the details to Full
Disclosure then?" was enough to get them to reconsider.  I doubt the OP
tried that tactic with ETB..  but it seems to me the real problem is with
ETB leaving this [alleged - I haven't bothered to check] security hole wide
open.

Regards,
Lee


Ahem.

-Travis

On Tue, Dec 29, 2009 at 11:36 AM, Lee <ler762 () gmail com> wrote:

On Tue, Dec 29, 2009 at 10:23 AM, T Biehn <tbiehn () gmail com> wrote:


This is an orgiastic dump of information, you must really hate ETB; or
you must be really excited for lulz.


or you're hoping that full disclosure will get ETB to fix the problem.

Regard,
Lee


-Travis

On Tue, Dec 29, 2009 at 5:23 AM, Cilia Pretel Gallo
<cpretelgallo () yahoo com> wrote:

I've recently discovered a security hole on the modems (which double

as

routers) used by a Colombian ISP - ETB.

It so happens that all incoming connections to an IP address on said

ISP

on port 23 or port 80 land on the modem instead of the computer(s)

connected

to it. Even if one tries to redirect those ports to a local machine,

the

modem still gets all the connections on those ports.
Also, connections on ports 23 and 80, from any IP address, will access
the modem configuration options. Last year that could be done only

from

private IP addresses (i.e. 192.168.0/24), but now it can be done, as I

said,

from anywhere. I've been told that a few lucky users were able to

forward

port 80, but in that case, it's port 8080 that is intercepted by the

modem.

The end result is that anyone, from anywhere, can access the modem of
anyone on ETB to mess up their configuration (e.g. obtaining and

changing

the client's username and password, permanently disconnecting them

from the

internet, and so on) - that is, if they have the administration

password.

Unfortunately, ETB uses the same login/password on all of their modems

since

2006, which are publicly available on the web.
Login: Administrator
Password: soporteETB2006

The whole IP range 190.24/14 corresponds to ETB clients. Any IP on

that

range where ports 80 and 23 are open is most likely a wide open ETB

modem.


Apparently, this issue has been repeatedly reported to ETB, but it
always falls on deaf ears. They seem to think this is no big deal

since

nobody knows the username and password for the modems - which is not

the

case, and even if it were, they would be easily crackable by brute

force.


Peace,

-Cilia

 ____________________________________________________________________________________

¡Obtén la mejor experiencia en la web!
Descarga gratis el nuevo Internet Explorer 8.
http://downloads.yahoo.com/ieak8/?l=e1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C

http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on

http://pastebin.com/f6fd606da

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




--
FD1D E574 6CAB 2FAF 2921  F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

security hole on local ISP Cilia Pretel Gallo (Dec 29)
- Re: security hole on local ISP T Biehn (Dec 29)
  - Re: security hole on local ISP Lee (Dec 29)
    - Re: security hole on local ISP T Biehn (Dec 29)
    - Re: security hole on local ISP McGhee, Eddie (Dec 29)
    - Re: security hole on local ISP Lee (Dec 29)
- Re: security hole on local ISP Valdis . Kletnieks (Dec 29)
- <Possible follow-ups>
- Re: security hole on local ISP Cilia Pretel Gallo (Dec 30)