Bugtraq mailing list archives
More BreezeCom fun...
From: Stefan Laudat <stefan () ASIT RO>
Date: Wed, 2 Aug 2000 02:54:53 +0300
I have only tested this on 4.4.1; it seems that 5.x does not have such bypass passwords anymore. If someone's really interested in 5.x, I might give it a deeper look.

Actually a deeper look into the BreezeCom equipment can be done IMHO with a standard Motorola CPU32 BDM interface (like not-so-old Motorola GSM phones, the pre-ARM7TDMI models such as the cd930, blah blah). This allows 'live' breakpoint and memory analysis (like other CPU32 systems, the flash is mapped contiguously with the RAM). I could not identify the debug port pinout (you may notice it on the PCB), but when I have the time I'll make a full report. I wonder if the passwords are kept unencrypted in the flash/RAM; this could be some fun for soldering-skilled kiddies (and of course this is a problem with other Motorola CPU32-controlled devices such as your house alarm or your password-protected laundry clean'o'matic :)

This wasn't supposed to become public so soon... anyway, smarties don't bother to announce the support because I already did it a month ago.

There are other interesting things too... (tested with 4.4.x incl.; they may not work with 5.x).

- The 'private' SNMP community is r/w without any protection... so you may disable the ethernet port on access points, station adapters or wireless bridges. The recovery procedure is pretty nasty, but thanks to the BreezeCom support team I could re-enable it. It is confirmed that it is no longer working with 5.x, but I'm afraid older hardware does not support it. Of course, there are many other things you can do with SNMP and a BreezeCom.

- The access to the TFTP server is unfiltered. If you don't protect your modems with some kind of IP filtering there are easy ways to tftp -i victim.modem.ip.address put erase erase, then wait for a reboot - this means the flash has to be changed after that, etc. A good idea would be something like file transfer acknowledge only from directly connected hosts, but since the software does not support more than one ARP association it is almost impossible, but who knows, maybe I'm wrong.

The moral should be something like: do not use "routable" IP addresses and filter the SNMP and TFTP access.
-- Stefan Laudat Data Networks Analyst ASIT SA unix soit qui mal y pense
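The closing advice of the post is to filter SNMP and TFTP access to the radios and to keep them off routable addresses. Since the post notes the device itself cannot restrict transfers to directly connected hosts, the check has to happen upstream. The following is an added detection example, not code from the post or from BreezeCom: it scans netflow-style firewall log lines (a constructed format, shown in the sample) and flags UDP/161 and UDP/69 traffic to the management subnet that does not originate from inside that subnet. The management subnet, the log format and the sample lines are all assumptions for the example.

```python
"""Flag SNMP/TFTP traffic to a management subnet from non-adjacent hosts.

Added example for the BreezeCom post above. The management subnet, the
log line format and the sample lines are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed: the subnet the radios live on; only hosts here are "directly connected".
MGMT_SUBNET = ipaddress.ip_network("10.0.0.0/24")

# The two unfiltered services the post describes.
WATCHED_PORTS = {161: "snmp", 69: "tftp"}

# Constructed netflow-style log format: "<ts> proto=UDP src=a.b.c.d:p dst=w.x.y.z:p"
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Finding:
    src: str
    dst: str
    service: str


def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port) or None for lines that don't match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return (
        m.group("proto").lower(),
        ipaddress.ip_address(m.group("src")),
        ipaddress.ip_address(m.group("dst")),
        int(m.group("dport")),
    )


def flag_unfiltered_mgmt(lines, mgmt_subnet=MGMT_SUBNET):
    """Return a Finding for every SNMP/TFTP datagram reaching the management
    subnet from a source outside it. Same-subnet traffic is considered
    directly connected and is not reported."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash on noisy logs
        proto, src, dst, dport = parsed
        if proto != "udp" or dport not in WATCHED_PORTS:
            continue
        if dst not in mgmt_subnet:
            continue  # not aimed at a radio
        if src in mgmt_subnet:
            continue  # directly connected host, allowed
        findings.append(Finding(str(src), str(dst), WATCHED_PORTS[dport]))
    return findings


# Constructed sample log: one benign local SNMP poll, one external SNMP
# datagram, one external TFTP datagram, one unrelated TCP flow, one junk line.
SAMPLE_LOG = [
    "2000-08-02T02:10:01 proto=UDP src=10.0.0.5:40001 dst=10.0.0.20:161",
    "2000-08-02T02:10:05 proto=UDP src=192.0.2.44:5123 dst=10.0.0.20:161",
    "2000-08-02T02:10:09 proto=UDP src=198.51.100.7:3000 dst=10.0.0.21:69",
    "2000-08-02T02:10:12 proto=TCP src=198.51.100.7:3001 dst=10.0.0.21:23",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for f in flag_unfiltered_mgmt(SAMPLE_LOG):
        print(f"ALERT {f.service.upper()} to {f.dst} from non-adjacent host {f.src}")
```

Run against the sample, the script reports the external SNMP and TFTP datagrams and stays quiet about the local poll. In practice the same rule, expressed as a firewall policy on the router in front of the radios (permit UDP/161 and UDP/69 only from the management subnet, drop the rest), is the mitigation the post asks for; the script is the check that the policy is actually holding.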
Current thread:
- BreezeCOM passwords, revisited. Marc Esipovich (Aug 01)
- More BreezeCom fun... Stefan Laudat (Aug 01)