Re: [LoWNOISE] Password hunting with webramp

[sfaust () ISI-MTL COM (sfaust)]

you can also find them easly by running a http server version reply.
The incorporated web server inside M3 Webramp returns this as version reply

<wr_httpd/1.0.24April'9> without the <>.

I was aware about this problem for some time and the problem is very
dangerous.
IF you have more then  1modem attach to it you can simply diconnect the one
that is
not giving internet juice and make it call yourself and then you have acces
to the local net
and the internet on their accounts.

You can also change the routing table of the device and you can upgrade the
firmware
easly( or upload a trojan one ).

----- Original Message -----
From: ET LoWNOISE <et () CYBERSPACE ORG>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Tuesday, August 03, 1999 11:34 AM
Subject: [LoWNOISE] Password hunting with webramp

> Hi,
> Just to go deeper.
>
> Definition: (taken from www.webramp.com)
> What is a WebRamp?
>
>                         A WebRamp is a communications
>                         device that allows your whole office to
>                         share Internet access. You can choose
>                         from a variety of different models
>                         depending on your needs. While all
>                         WebRamps allow you to share Internet
>                         access, WebRamps can differ in the
>                         types of modems they use, as well as
>                         advanced features such as Access
>                         Controls, VPN support, and Remote
>                         Dial-in for telecommuters.
>
> Now my stuff..
>
> I have checked all the stuff about webramp on bugtraq and different
> security lists. The only thing i have found are about DoS stuff on the M3
> model but nothing more.
>
> Today i was searching for web servers on a ISP and got many responses from
> webramp servers. Some of them when you connect and ask you for
> authorization they already tell you whats the username to use (wradmin).
>
> The default username and password are: wradmin / trancell
>
> The other ones possibly bad configurated because there wasnt any login and
> password thing. Got me into their Setup Page.
>
> On M3 models theres a page http://webramp/avconnX.htm where X is the modem
> number 1,2,3.. there you can get the isp phone number they use, the
> username they use, and the password like this ******, easy to get with a
> sniffer or a password snooping program, OR READ THE FORM SOURCE CODE :).
>
> On 200i models just go to express internet and you will find the same
> stuff like M3. Why webramp put that info so free.. and why the passwords
> are there? i dont see any utility for webramp to send usernames and
> passwords to the clients that connect. it should be the other way.
>
>
> Three are many other models but im only talking about M3 and 200i because
> thats the ones i found.
>
> Well, and what to do with a phone number (ISP), a username and a password?
> (not one.. 3 aprox. 1 for each modem) use your imagination.
>
> bye,
>
> Efrain 'ET' Torres
> [LoWNOISE] Colombia
> et () cyberspace org
>
> pd/gracias aleph1.