13th Feb 2002 [SBWID-5097]
COMMAND
Alcatel 4400 poor configuration leads to remote root access
SYSTEMS AFFECTED
Tested : Alcatel 4400 ChorusOS
PROBLEM
Irib of the security bugware team [http://www.securitybugware.org] says
:
A little audit of an Alcatel 4400 pbx leads us to some interesting bugs
: default passwords, many root accesses, DoS, halt. If you have a well
configured one, some of them won\'t work. The one we tested is under
Alcatel support control, they should have the same \"don\'t change
anyting\" policy for most of their customers - you should have the same
bugs on yours. Note that our checks were done in a production
environement, without exploiting bugs.
0- Environnement
- - - - - - - - -
ALcatel 4400 runs real-time Chorus OS, now under SUN control. More
information can be found at http://www.sun.com/software/chorusos/
1- find the IP address of Alcatel 4400
- - - - - - - - - - - - - - - - - - - -
Alcatel 4400 can be managed through serial port, or through LAN. In
case of LAN, 4400 is listening on port 2533.
After some sniffing, we show that every TCP packets contains in data
field the size of transmitted datas. For example, to initiate a
connexion, first data packet (after SYN, SYN-ACK, ACK) contains
\\x00\\x01\\x43 \\x43 is the data, \\x00\\x01 is the size - 1 char.
Every other data in first data packet will lead to a FIN-ACK reply,
closing the connexion.
To check for a running 4400 on your LAN, just scan your network for
port 2533 open, then send \\x00\\x01\\x43 and wait for \\x00\\x01
Use nmap to scan for port 2533 open, and this little script to send
\\x00\\x01\\x43 and wait for \\x00\\x01 :
8<------------ alcatel.pl
#!/usr/bin/perl
# Checks for Alcatel 4400, sending TCP data on port 2533
# looking for specific reply
# irib@securitybugware.org
use Getopt::Std;
use IO::Socket;
print(\"ALCATEL 4400 checker.\\n\");
getopts(\'s:\', \\%args);
if(!defined($args{s})){&usage;}
$data = \"\\x43\";
$size = \"\\x00\\x01\";
$serv = $args{s};
$port = 2533;
$buf = $size . $data;
if($socket = new IO::Socket::INET(PeerAddr => \"$serv:$port\", Timeout => 1)){
print $socket \"$buf\";
read($socket,$chunk,2);
if($chunk & \"\\x00\\x01\"){
print \"$serv may be an Alcatel 4400\\n\";
}else{
print \"$serv doesn\'t look like an Alcatel 4400\\n\";
}
}else{
print \"$serv is not an Alcatel 4400\\n\";
}
sub usage {die(\"\\nUsage: $0 -s <server>\\n\\n\");}
8<------------
2- Connect to Alcatel 4400
- - - - - - - - - - - - - -
Here is the default /etc/password file
root:.Zn2PprVBQWI2:0:1:0000-Admin(0000):/:/chbin/sh
halt:xY3mcbaFNyp0k:0:1:0000-Admin(0000):/usr/halt:/chbin/sh
daemon:*:1:1:0000-Admin(0000):/:
bin:*:2:2:0000-Admin(0000):/bin:
sys:*:3:3:0000-Admin(0000):/usr:
adm:*:4:4:0000-Admin(0000):/usr/adm:
sync::67:1:0000-Admin(0000):/:/bin/sync
install:yYV3uyxkFX8bc:101:1:Initial Login:/usr/install:/chbin/sh
kermit:zYBmh/woCrN6E:102:1:kermit:/usr/kermit:/chbin/sh
swinst::0:1:installation-account:/usr/swinst:/chbin/sh
mtch:aUi5.tLxc7zRc:2010:20:mtch:/DHS3bin/mtch:/chbin/ksh
mtcl:bUAp.LcUa4SIo:2011:20:mtcl:/DHS3bin/mtcl:/chbin/ksh
dhs3pms:cUlGakVr1CAkE:2013:20:dhs3pms:/DHS3bin/dhs3pms:/chbin/sh
adfexc:dUHpLtTswZu/Q:2015:20:adfexc:/DHS3bin/adfexc:/chbin/sh
pcmao::2012:20:pcmao:/DHS3bin/mao:/chbin/sh
nmcmao:gUvHzOAi7wETE:2016:20:nmcmao:/DHS3bin/nmcmao:/chbin/sh
client:hUlAPfM7t4Nbo:2017:20:client:/DHS3bin/client:/chbin/sh
dhs3mt:iULmen4O5ZC9.:2018:20:dhs3mt:/DHS3bin/dhs3mt:/chbin/sh
at4400:jU5vsXHRG1lQc:2019:1:at4400:/DHS3bin/at4400:/chbin/sh
mntple:kUKXnTJ4.VGrI:2000:1:Sun-network-installation:/DHS3bin/mntple:/chbin/sh
And some decrypted passwords
llatsni (install)
tlah (halt)
dhs3pms (dhs3pms)
adfexc (adfexc)
client (client)
kermit (kermit)
dhs3mt (dhs3mt)
at4400 (at4400)
mtch (mtch)
mtcl (mtcl)
letacla (root)
Warning : most accounts have a .profile, executing particular commands
so don\'t log in without knowing what you are doing.
- ~halt/.profile shuts down 4400,
- ~swinst/.profile launch utility to install 4400 from scratch
etc...
mtcl doesn\'t run anything dangerous, so you can use this one if you
need to telnet the box (it\'s the one given by Alcatel suppport if you
need local management)
User adfexc is used by management client to retrieve version from
server using FTP, it should have always the same password, just be
careful because it executes some stuff in .profile...
3- How to be root, when root password has been changed ?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Fortunately, FTP is open :
nmap returns following
Port State Service
21/tcp open ftp
23/tcp open telnet
513/tcp open login
514/tcp open shell
2533/tcp open unknown
2535/tcp open unknown
2536/tcp open unknown
2539/tcp open unknown
2540/tcp open unknown
2554/tcp open unknown
2555/tcp open unknown
TCP Sequence Prediction: Class=64K rule
Difficulty=1 (Trivial joke)
to log in as root, just ftp as halt user, rename .profile, and telnet
the box... your UID is... O !
4- Halt the Alcatel 4400
- - - - - - - - - - - - -
You don\'t need to log in with halt user, nor to log in as root. Just
log in, and execute /chetc/shutdown...
(1)a4400a> ls -l /chetc/shutdown
-r-sr-sr-x 1 root other 6120 Jul 6 1998 /chetc/shutdown
All \"other\" group member are allowed to shutdown the 4400 (see the
setuid bit) \"other\" group member are : install kermit swinst mntple
at4400 root halt sync
5- Bad file permissions
- - - - - - - - - - - - -
Lot of directories containing sensible data are world wide writable, or
group writable. There are two groups easily usable : tel (20) and other
(1).
other members : install kermit swinst mntple at4400 root halt sync tel
members : mtcl, mtch, client, dhs3pms adfexc pcmao dhs3mt
Here are some example of writable directories or suid executables...
The easiest way for tel members to access root :
> ls -l /chbin/pre_login
42 -rwsrwxr-x 1 root tel 20096 Oct 9 1998 pre_login
Any tel group members can overwrite /chbin/pre_login, and execute
commands as root...
Overwritable configuration files
/chetc/menus world wide writable
=> netinstall.def & netinstall.bat overwritable
/chetc/msg world wide writable
=> GEA_NET overwritable
/chetc/lck world wide writable
/etc/bootptab ==> world wide writable (config bootp server)
/etc/mnttab ==> world wide writable
Misc world wide writable files & directories
/etc/misc world wide writable
/fs world wide writable
/mnt world wide writable
/usr2/ world wide writable
/usr/ctsrv world wide writable
/usr/preserve world wide writable
/usr/tmp world wide writable
/usr2/soft_install world wide writable
/usr3/mao contains database files (with phone configurations), all are
at least group writable, allowing bad boys to scramble phones...
All users .profile are overwritable
/usr2/ adfexc afe dhs3mt dhs3pms mao nmcmao ==> group tel writable
/usr2/ PKG at4400 client mntple mtch mtcl ==> group other writable
As userdirs are writable to other group members, .profile are
overwritable by other group members.
/usr4/account looks like accounting file directory, all are world wide
overwritable...
5- Other bugs & exploits ?
- - - - - - - - - - - - - -
Here are not tested things, possibly buggy and exploitable...
- FTP glob() vulnerability has not been tested
- various rsh and login vulnerabilities have to be tested
- Management client should be tested against /DHS3bin/descript/deliv_id
and /DHS3bin/descript/patch_id unusual format (files retrieved through
ftp when connecting with management client)
- Explore network communication between management client and server, sending
periodically \"\\x00\\x08TEST_REQ\" (note that \\x00\\x08 is the size of string
\"TEST_REQ\"), waiting for \"TEST_RSP\"
- How to escape from .profile executed when login as swinst (without passwd,
UID=0)
SOLUTION
Put your Alcatel 4400 behind a firewall, and allow only connexion
between your pbxs (if you have more than one, linked) and from your
management station.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
