Date:         Wed, 11 Apr 2001 12:50:05 +0200
From: Stefano Chiccarelli <s.chiccarelli@NEWTEL.IT>
Subject:      R: multiple vulnerabilities in Alcatel Speed Touch DSL modems
To: BUGTRAQ@SECURITYFOCUS.COM

> This advisory addresses the Speed Touch family of devices, and similar
> devices apparently based on related code such as the older Alcatel
> 1000 ADSL Network Termination device (1000 ADSL).  All testing was
> performed on the "Speed Touch Home", and limited testing was performed
> on the 1000 ADSL.  It is strongly suspected that the "Speed Touch Pro"
> software is at least very similar to that in the Speed Touch Home, so
> it is probable that the Pro is vulnerable to similar attacks.  Other
> members of the family running software derived from the same code base
> would also be expected to share these vulnerabilities.

First of all, I can confirm that even the Speed Touch Pro router is affected
by the same problem.
I even found that the Speed Touch PRO router bundled with the NetEconomy
ADSL group/multigroup offered by Telecom Italia, which works in CIP
(Classical IP) mode (so with a PUBLIC IP), is subject to remote attack if
the firewalling (off/on) setting has been disabled on the ATM interface.

This feature can be disabled from the CLI, by telnetting to the router and
issuing the command "ipconfig firewalling off".

At this point, the unauthenticated TFTP service can be used by a remote
attacker directly over TCP/IP
(i.e. there is no need to be "located" on the ATU-C):

tftp -i ip GET active/system.ini

With this command, an attacker can "fetch" the password stored inside this
file (in unencrypted form).
This is an "add-on" to the backdoor discovered by Tom Perrine and Tsutomu
Shimomura.

Please note that a lot of people may have disabled this feature to be
able to do remote admin jobs, pinging and so on.

Furthermore, the PRO firmware called build134.134 is the same as the HOME one,
called KHDSAA.134.
I tried - successfully - to run build134.134 on a HOME and all worked
fine.
Just the CIP, PPP and NAT features implemented on the PRO model are not
"enabled" on the HOME (I suspect for hardware reasons that I'm still
investigating).



---------------------------------------------
Stefano "NeURo" Chiccarelli
Metro Olografix Association
neuro@olografix.org

Chief security officer for:
- Studio Legale Monti
- Nuova Newtel s.r.l.

65126 Pescara, Italy
Tel: 39+085 44825267 fax: 39+085 44825280
--------------------------------------------
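An added detection example, not part of the original post and not Alcatel's own code: it decodes the TFTP read request that `tftp -i ip GET active/system.ini` puts on the wire towards UDP/69 and flags such a request when it comes from outside an assumed local range. LOCAL_NET, the sample packet and the sensitive-file list are constructed assumptions for the example.

```python
import struct
from typing import NamedTuple, Optional
from ipaddress import ip_address, ip_network

# TFTP opcodes from RFC 1350: read request and write request.
RRQ, WRQ = 1, 2
# Config file that, per the post, holds the password in cleartext.
SENSITIVE_FILES = {"active/system.ini", "system.ini"}
# Assumed local (LAN/ATM-side) range; anything else counts as remote.
LOCAL_NET = ip_network("10.0.0.0/24")


class TftpRequest(NamedTuple):
    opcode: int
    filename: str
    mode: str


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Decode an RRQ/WRQ: 2-byte opcode, then NUL-terminated filename and mode."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None  # DATA/ACK/ERROR packets carry no filename
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty tail after the last NUL
        return None
    return TftpRequest(opcode, fields[0].decode("latin-1"),
                       fields[1].decode("latin-1").lower())


def is_suspicious(src_ip: str, dst_port: int, payload: bytes) -> bool:
    """True when a remote host asks the TFTP server (UDP/69) to read the config."""
    if dst_port != 69:
        return False
    req = parse_tftp_request(payload)
    if req is None or req.opcode != RRQ:
        return False
    remote = ip_address(src_ip) not in LOCAL_NET
    return remote and req.filename.lower() in SENSITIVE_FILES


# Constructed sample: the RRQ sent by `tftp -i ip GET active/system.ini`
# ("-i" selects binary transfer, i.e. TFTP "octet" mode).
SAMPLE_RRQ = b"\x00\x01" + b"active/system.ini\x00" + b"octet\x00"

if __name__ == "__main__":
    print(is_suspicious("203.0.113.7", 69, SAMPLE_RRQ))  # True: remote read of config
    print(is_suspicious("10.0.0.5", 69, SAMPLE_RRQ))     # False: local source
```

Feeding the UDP payloads logged at the ATM-side interface through is_suspicious gives an alert for exactly the case the post describes: the firewalling setting off and the config being read from a public address.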