Further problems with Arescom NetDSL-800 MSN Firmware version 5.4.x and up

From: Justin Cervero (Scorpion_1169@msn.com)
Date: 10/29/02


Date: 29 Oct 2002 14:16:46 -0000
From: Justin Cervero <Scorpion_1169@msn.com>
To: bugtraq@securityfocus.com


('binary' encoding is not supported, stored as-is)

BACKGROUND

The Arescom NetDSL-800 router is the current choice for MSNís DSL service
as well as several other large DSL providers. Previous issues regarding a
telnet DoS and an authentication vulnerability have been addressed through
firmware updates. The authentication vulnerability was solved by adding a
username and password to prevent unauthorized access.

In the case of MSN, the modem/router is shipped with preconfigured
settings, including a unique username and password that differs from the
DSL account name and password. These are meant to be unknown to the user.
The newest firmware (v5.5.11) also limits access to the configuration area
to WAN traffic only.

THE PROBLEM

This issue pertains specifically to the latest version of the MSN
provided/required firmware. Each ISP provides a different version and
others may or may not be affected.

Utilizing a packet sniffer and the NetDSL Remote Manager provided by
Arescom, a remote user may obtain the modemís username and password and
gain access to the configuration menus.

THE VULNERABILITY

Given access to the username and password similar vulnerabilities that
existed with a previously known issue again presents itself. It is
possible to completely disable the modem and prevent further access to the
configuration menus, essentially making the modem completely
inaccessible. Further analyses of the packets generated during access and
manipulation of the configuration could lead to an executable or script
that could transmit configuration packets that would disable every modem
it encountered. If a malicious user were to disable a large enough number
of the modems at once while also removing the ability to reactivate them,
even an ISP with the resources of MSN would not be able to handle the
volume of tech support calls and service requests that would be generated.

THE SOLUTION

The one known solution is not recommended due to the fact that while it
will prevent a malicious user from accessing the configuration menus, it
will also prevent an authorized user from accessing them as well. The
configuration menus are accessed through port 9833. By forcing the modem
to forward all 9833 requests to an unused local IP address access to the
configuration screen can be removed. However, due to the fact that the
latest version of the firmware effectively ignores local requests to 9833,
the user becomes completely locked out of the configuration menus.

Earlier firmware versions had an option that allowed local traffic to
access the configuration. It has been suggested that downgrading to the
older versions of the firmware and then implementing the above solution
would be the best compromise. There are five previous versions of the
firmware available. Unfortunately, while the configuration menus provide
a tool for upgrading the firmware, for unknown reasons the modem does not
accept previous versions.

Long term solutions to be implemented in firmware should involve the
removal of remote configuration access. Allowing only local access would
be much more secure while still allowing easy and robust configuration.

Submitted to the best of my ability,
Justin Cervero

A large amount of credit to JacobNero on the DSLReports.com forums for
research and insight into this issue.