Bugtraq mailing list archives

More BreezeCom fun...


From: Stefan Laudat <stefan () ASIT RO>
Date: Wed, 2 Aug 2000 02:54:53 +0300

I have only tested this on 4.4.1; it seems that 5.x does not have such
bypass passwords anymore. If someone's really interested in 5.x,
I might give it a deeper look.

Actually a deeper look into the BreezeCom equipment can be done IMHO with a standard Motorola CPU32 BDM
interface (like not-so-old Motorola GSM phones, the pre-ARM7TDMI models such as cd930 blah blah).
This allows a 'live' breakpoint and memory analysis (like other CPU32 systems, the flash is
mapped contiguously with the RAM). I could not identify the debug port pinout (you may notice it on the PCB)
but when I have the time I'll make a full report. I wonder if the passwords are kept unencrypted in the
flash/RAM; this could be some fun for soldering-skilled kiddies (and of course this is a problem
with other Motorola CPU32 controlled devices such as your house alarm or your password-protected laundry
clean'o'matic :)

This wasn't supposed to become public so soon... anyway smarties don't bother to announce the support
because I already did it a month ago.

There are other interesting things too... (tested with 4.4.x incl, they may not work with
5.x).

- The 'private' SNMP community is r/w without any protection... so you may disable the ethernet port on
access points, station adapters or wireless bridges. The recovery procedure is pretty nasty but thanks
to the BreezeCom support team I could re-enable it. It is confirmed that it is no longer working with 5.x
but I'm afraid older hardware does not support it. Of course, there are many other things you can
do with SNMP and a BreezeCom.

- The access to the TFTP server is unfiltered. If you don't protect your modems with some kind of
IP filtering there are easy ways to tftp -i victim.modem.ip.address put erase erase, then
wait for a reboot - this means the flash has to be changed after that etc. A good idea would be
something like file transfer acknowledge only from directly connected hosts, but since the software
does not support more than one ARP association it is almost impossible, but who knows, maybe I'm wrong.

The moral should be something like: do not use "routable" IP addresses and filter the SNMP and TFTP access.

--

Stefan Laudat
Data Networks Analyst
ASIT SA

unix soit qui mal y pense
