Massive attack to Alcatel Speed Touch Home & Pro

From: Andrea Costantino (costan@comm2000.it)
Date: 08/05/01


Date: Sun, 5 Aug 2001 03:21:58 +0200 (CEST)
From: Andrea Costantino <costan@comm2000.it>
To: <bugtraq@securityfocus.com>
Subject: Massive attack to Alcatel Speed Touch Home & Pro
Message-ID: <Pine.LNX.4.32.0108050211500.9717-100000@uno.amg.it>


Hi world of coder,

it seems to be an attack in progress against all Alcatel ASDL modem/router
users.

Using the EXPERT mode vulnerability and the Shimomura's challenge/response
EXPERT mode password calculator, someone has upgraded the firmware of all
Alcatel modem in Italy I've notice of.

Many of my collegues, customer and friends (and obviously me too) have a
new release of their modem's firmware apparently without notice.
Nobody asked for and no ISP support did it at all!
I've asked my ISP customer hotline, and they were completely worried about
it!

It seems that a particular version is being installed by someone on the
Alcatel after a portscan to detect it.
I've recorded a large portscan against port 21 (the one used to upgrade
the new version) to ALL my public IP, and all IPs of my ISP.

It seems that the intruder scanned with a SYN/FIN portscan to detect the
Alcatel and after he/she put the new firmware version.

I don't know what the hell the new version does, but sometimes during the
upgrade the configuration is lost, so many people blame their ISP or the
telco company for service interruptions, but in truth their ADSL is
running flawlessy, while the modem has became unconfigured.

I suspect that the new version has some kind of backdoors, since the
EXPERT mode is disabled in telnet (while the debugging stuff still works
with the same challenge/response schema), but the normal user is allowed
to do ftp get (while it wasn't allowed to before, thanks Luca), and some
features seems to appear (the debugging stuff I reported before, td
menus).

My modem was upgraded apparently during the period between the 0:00 and
the 4:00 CET of the 3rd of August without loosing any configuration, so
I would't notice anything without a direct check using "software version"
on console or telnet access.

The offending version was:
KHDSAA3.264 with md5 6771623a99d774953d6469ba6f2ccacb

How to downgrade?
First of all, obtain a clean version, with or without Shimonmura's patch
(as you wish). I can't send it on a mailing list for copyright reasons
(really sorry!!!!!!),

The two official versions I saw BEFORE the attack were (trained by their
md5sums):

ae93eedcc6bee9d3c24ba6d0f809784e KHDSAA.134
or
5582c3922a2faae789674b6e0ced7e78 KHDSAA.132

Then put it by ftp on your modem. Just remember to put it (in binary mode,
issue bin command first of all) in the dl directory and exec "quote site gc"
just before the put command.
Now telnet or grab put your favourite console cable (if you have the Pro
version, of course) to your modem, then login (if needed..) and issue

=> software setpassive file = KHDSAA.13x

(put your own version, sub the x with 2 or 4 or whatever..)

=> software switch

the modem reboots
reconnect as fast as you can if you are connected by telnet..

=> software version
just to check if it's running the right version (check the active one!)

=> software deletepassive
delete the 264 one before the modem detects it and reboot with this (it
thinks that the 264 is newer, so it tries to run the latest one..).
if you are unable to delete the new one, try the more powerful console
access if you've a Pro version.

If you apply the patches, remember to disable EVERYTHING (apart from
telnet/ftp access, otherwise you won't be able to download any newer
release). No EXPERT access, no TFTP, no VPI 15 AAL5 TFTP/SNMP access =
less troubles in future.

Remember also that many other backdoors can still exist, since many people
running patched versions get their modem upgraded without notice..

Many thanks to Luca "Bluca" Berra and Michele "BaNzO" Zamboni for their
unvaluable help while thinking and patching everything!

Many "thanks" even to Alcatel people for providing backdoor'd sw and
avoiding public distribution of patches. I hope this incident will
convince them to be more "open" to coder/hacker community, since security
through obscurity is NOT a good way of life, as Windows teach.

Otherwise I wish them to live the hell of many many people calling them to
ask for patches.. :)

Baciamo le mani,
k0



Relevant Pages

  • OT: bit swapping, seamless rate adaptation
    ... I've been a Bell Canada DSL customer since August 1999. ... of their C.O. equipment is based upon Alcatel technology which can do ... The original Alcatel Speed Touch modem (looks like ...
    (comp.os.vms)
  • Re: ADSL connection dropping randomly
    ... BT struck a good deal that the Alcatel modems are basically ... I'm sure the modem does basically work. ... firewall instead of a router should be put up against the wall and shot. ... > and OP should also go to VIA website for possible driver patches that ...
    (comp.security.firewalls)
  • Re: ADSL connection dropping randomly
    ... BT struck a good deal that the Alcatel modems are basically ... I'm sure the modem does basically work. ... firewall instead of a router should be put up against the wall and shot. ... > and OP should also go to VIA website for possible driver patches that ...
    (comp.security.ssh)
  • Re: ADSL connection dropping randomly
    ... BT struck a good deal that the Alcatel modems are basically ... I'm sure the modem does basically work. ... firewall instead of a router should be put up against the wall and shot. ... > and OP should also go to VIA website for possible driver patches that ...
    (comp.security.misc)