Re: SPRINT ADSL [Zyxel 645 Series Modem]

From: http-equiv@excite.com
Date: 02/11/03

    To: <bugtraq@securityfocus.com>
    Date: Tue, 11 Feb 2003 17:30:10 -0000
    From: "http-equiv@excite.com" <http-equiv@malware.com>
    
    

    FX <fx@phenoelit.de> said:

    > > ftp> open malware.com
    > > Connected to malware.com.
    > > 220 Sprint FTP version 1.0 ready at Wed Jan 5 17:20:47 2000
    > > User (malware.com:(none)):
    > > 331 Enter PASS command
    > > Password:
    > > 230 Logged in
    > > ftp> get rom-0
    >
    > I'm not sure if this applies to the Zyxel boxes you found, but
    > there is another file called spt.dat, which contains all password
    > and account information. More details can be found here:
    > http://www.DarkLab.org/archive/msg00144.html
    >
    > FX

    Yes FX you are correct. After a good swift kick in the nuts, Sprint
    has done and is still doing an admirable job in fixing this.

    Sufficient time has elapsed to advise this.

    The only additional note is to strongly suggest that the users change
    their master account password as well:

    <!--

    Friday, January 24, 2003

    Ladies and Gentlemen:

    Reference the information provided to you on Monday and Tuesday of
    this week and subsequent announcements on Thursday this week:

    http://www.wired.com/news/infostructure/0,1377,57342,00.html

    http://www.securityfocusonline.com/archive/1/307793/2003-01-22/2003-01-28/0

    This message serves to inform you that your entire user base is open
    to full and complete remote compromise through this modem.

    This includes full access to:

    1. the internet via adsl and dialup connection
    2. pop3 email retrieval
    3. webmail
    4. web based user account management including user name and address
    and billing details

    The problem lies in the fact that the modem you have provided to your
    user base is installed with a commonly known default login and
    password. Once access has been gained to this modem, it is trivially
    possible to retrieve a storage file contained within the modem which
    includes the user's name and password.

    With this information it is possible to access all aspects of the
    user account as described above.

    Example:

    00000020: 1234
    00000042: malst
    00000060: Sprint
    00000082: mal Ware
    000000AC: public
    000000CC: public
    000000EC: public
    00001086: dhcppc
    00001C54: MyISP
    00001DDE: grandpamalware
    00001DEB: malware.
    00001DFE: ware
    00002112: mal

    0x20 the root password in clear
    0x40 SNMP Location
    0x60 Device name
    0x80 SNMP Sys Contact
    0xac SNMP read community
    0xcc SNMP read community
    0xec SNMP read community
    0x188 SUA Server IP address
    0x1c54 First PPPoE Account config name (Default: ChangeMe)
    0x1dde First PPPoE Username
    0x1dfe First PPPoE Password
    0x21dc Second PPPoE Account config name

    Where username: grandpamalware@malware.com and pass: ware inputted
    into a dialup connection with specific access number, will function,
    where inputted into a pop3 mail client with corresponding pop3
    server, will retrieve mail accordingly, where inputted into a web
    based mail access, will allow for access and where access to
    myaccount information is required, will allow for authentication and
    login.

    In other words, the single user id and email address along with the
    single pass all contained within the file on the modem will allow
    access to everything!

    The file on the modem is a small dat file called spt.dat therein, in
    clear text, lies all this information.

    This information is already in the public domain and you need to
    urgently fire-wall your user base ports http, telnet, and ftp while
    you solve this problem. You must assume that malicious parties are
    well-aware of and are probably exploiting it right now.

    Today is Friday. Nothing has been done about this to date. Your
    entire user base is at risk.

    We expect some sort of substantial action by Tuesday latest. Failing
    that, we will discuss this in technical depth on all relevant
    security lists.

    End Call

    cc:

    Wired
    @pc-radio.com
    Symantec
    @securityfocus.com
    CERT
    @cert.org
    Earthlink
    @corp.earthlink.net
    abuse@earthlink.net
    security@corp.earthlink
    Sprint
    @mail.sprint.com
    noc@sprint.net
    abuse@sprint.net
    security@sprint.net

    -- 
    http://www.malware.com
     -->
    Date: Tue, 28 Jan 2003 17:01:25 -0500
    <!-- 
    Sprint is working closely with its DSL modem manufacturer to ensure
    the security and integrity of its Sprint-provided DSL equipment.
    Sprint is dedicated to providing its customers a secure broadband
    Internet network, and to that end, recently identified an additional
    layer of security that can help protect customers' DSL modems.

    The company began notifying its customers - one-by-one - in a very
    targeted initiative to provide guidance on ensuring their DSL service
    is reliable and secure. We are consulting with our customers and
    walking them through the relatively simple steps to ensure an
    additional layer of security on their modem.

    Proactively, we are reaching out to our customers in three different
    ways - outbound telephone calls, e-mail messages and a customer letter
    mailed today (Jan. 28). These communications are directed at helping
    ensure the safety and security of customers' DSL modems.

    Additionally, we are informing all DSL customers who call our
    technical assistance group of the procedures for securing their modem.

    Sprint is committed to providing safe, reliable and secure voice and
    data services to all its customers. When an event occurs that
    threatens that safety, reliability and security, we take it very
    seriously and we will continue to do everything we can to contact our
    customers.
    Director-Customer Operations
     -->
    Notes: users can address the issue here:
    http://csb.sprint.com/home/local/dslhelp/release645m.html
    -- 
    http://www.malware.com
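
    Added example (not part of the original post or of Sprint's or Zyxel's
    own tooling): a small Python audit script for a modem configuration
    backup in the spt.dat layout. The field offsets are the ones listed in
    the message above; the NUL-terminated ASCII encoding, the 32-byte field
    limit, the 4-byte IPv4 encoding at 0x188 and the sample file contents
    are assumptions made for this demo. It lets a customer or admin check a
    backup of their own device for the values the post flags (the "1234"
    root password, "public" SNMP communities, the "ChangeMe" account name)
    and reminds them that the ISP password sits in cleartext and should be
    rotated if the modem was ever reachable with the default login.

```python
"""Audit a Zyxel 645 'spt.dat'-style configuration dump for default and
cleartext credentials.

Field offsets come from the Bugtraq post; the encoding details and the
sample data below are assumptions made for this example.
"""

# String fields at the offsets quoted in the post.
STRING_FIELDS = {
    "root_password": 0x20,
    "snmp_location": 0x40,
    "device_name": 0x60,
    "snmp_contact": 0x80,
    "snmp_community_1": 0xAC,
    "snmp_community_2": 0xCC,
    "snmp_community_3": 0xEC,
    "pppoe1_config_name": 0x1C54,
    "pppoe1_username": 0x1DDE,
    "pppoe1_password": 0x1DFE,
    "pppoe2_config_name": 0x21DC,
}
SUA_SERVER_IP_OFFSET = 0x188     # assumption: 4 raw bytes, dotted-quad order
MAX_FIELD_LEN = 32               # assumption: NUL-terminated, at most 32 bytes

# Values that mean the device was never reconfigured (all taken from the
# post: root password "1234", SNMP community "public", account "ChangeMe").
DEFAULTS = {
    "root_password": "1234",
    "snmp_community_1": "public",
    "snmp_community_2": "public",
    "snmp_community_3": "public",
    "pppoe1_config_name": "ChangeMe",
    "pppoe2_config_name": "ChangeMe",
}


def read_cstring(blob: bytes, offset: int, limit: int = MAX_FIELD_LEN) -> str:
    """Return the NUL-terminated ASCII string starting at offset."""
    chunk = blob[offset:offset + limit]
    end = chunk.find(b"\x00")
    if end != -1:
        chunk = chunk[:end]
    return chunk.decode("ascii", errors="replace")


def parse_spt(blob: bytes) -> dict:
    """Extract the documented fields from a configuration dump."""
    if len(blob) < max(STRING_FIELDS.values()) + MAX_FIELD_LEN:
        raise ValueError("file too short to contain the documented fields")
    fields = {name: read_cstring(blob, off) for name, off in STRING_FIELDS.items()}
    ip = blob[SUA_SERVER_IP_OFFSET:SUA_SERVER_IP_OFFSET + 4]
    fields["sua_server_ip"] = ".".join(str(b) for b in ip)
    return fields


def audit(fields: dict) -> list:
    """Return (field, finding) tuples the device owner should act on."""
    findings = []
    for name, default in DEFAULTS.items():
        if fields.get(name) == default:
            findings.append((name, f"still set to the default '{default}'"))
    # The ISP (PPPoE) credentials are stored in cleartext; if the modem was
    # ever reachable with the default login, treat them as exposed.
    if fields.get("pppoe1_username") and fields.get("pppoe1_password"):
        findings.append(("pppoe1_password",
                         "ISP account password stored in cleartext; rotate it"))
    return findings


def build_sample() -> bytes:
    """Construct a sample dump mirroring the post's example (constructed data)."""
    blob = bytearray(0x2200)
    sample = {
        "root_password": "1234",
        "snmp_location": "malst",
        "device_name": "Sprint",
        "snmp_contact": "mal Ware",
        "snmp_community_1": "public",
        "snmp_community_2": "public",
        "snmp_community_3": "public",
        "pppoe1_config_name": "MyISP",
        "pppoe1_username": "grandpamalware@malware.com",
        "pppoe1_password": "ware",
        "pppoe2_config_name": "ChangeMe",
    }
    for name, value in sample.items():
        off = STRING_FIELDS[name]
        blob[off:off + len(value)] = value.encode("ascii")
    blob[SUA_SERVER_IP_OFFSET:SUA_SERVER_IP_OFFSET + 4] = bytes([192, 0, 2, 10])
    return bytes(blob)


if __name__ == "__main__":
    for field, finding in audit(parse_spt(build_sample())):
        print(f"{field}: {finding}")
```

    Run against a real backup with `parse_spt(open("spt.dat", "rb").read())`;
    on the constructed sample it reports the default root password, the
    three "public" communities, the unchanged second account name and the
    cleartext ISP password.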
    