Re: backdoor menu on conexant chipset dsl router (Zoom X3)

[duke_skillz () sapo pt]

Citando Adam Laurie <adam () algroup co uk>:

> i have just installed an adsl modem sold under the brand of Zoom X3
>
>    http://www.zoom.com/products/adsl_overview.html
>
> and was apalled to find that an nmap scan of the external address
> immediately came up with the following:
>
>    PORT    STATE SERVICE
>    23/tcp  open  telnet
>    80/tcp  open  http
>    254/tcp open  unknown
>    255/tcp open  unknown
>
> ports 23 and 80 give access to the configuration menu and html interface
> as would be expected, but, although you can control access to the html
> interface, there is no control over the telnet port other than password.
>
> worse still, telnetting to port 254 gives you access to another menu,
> which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
> 3.27", and uses the *DEFAULT* HTML management password, even if you have
> changed it to something else. i.e. changing the HTML password does not
> change this one. from this menu you can change DSL settings and issue a
> complete "Factory Reset". there is a menu option to change the password,
> but this does not appear to work.
>
> port 255 accepts connections, but I have not investigated further.
>
> at the minimum this carries a risk of a trivial DOS attack (factory
> reset and everthing stops working), and may actually have other more
> serious implications.
>
> i am disgusted that in this day and age products like this are still
> being shipped with such basic insecurities, and, accordingly, will not
> be wasting my time by looking into it any further, and will be taking
> the router back and exchanging it for something (hopefully) better
> thought out.
>
> to their credit, Zoom responded immediately with a workaround when i
> reported the problem, so they are clearly already aware. fyi, the
> workaround is to create dummy "Virtual Servers" on each of the ports
> that blackhole any incoming connections. this appears to work.
>
> connexant list several other high profile retail modem manufacturers and
> pc oems, so i leave it as an exercise for the reader to work out other
> manufacturer/vulnerability combinations.
>
>    http://www.conexant.com/support/md_supportlinks.html
>
> enjoy,
> Adam
> --
> Adam Laurie                   Tel: +44 (20) 8742 0755
> A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
> The Stores                    http://www.thebunker.net
> 2 Bath Road                   http://www.aldigital.co.uk
> London W4 1LT                 mailto:adam () algroup co uk
> UNITED KINGDOM                PGP key on keyservers
Someone please correct me if im wrong but i found reports of this issue that go
back to October 2003 ( http://www.securityfocus.com/bid/8765/ ) from reasearch
i found that the prob is in the Conexant CX82310-14 chipset with firmware
3.21...






O SAPO já está livre de vírus com a Panda Software, fique você também!
Clique em: http://antivirus.sapo.pt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html