Bugtraq mailing list archives
FW: Kewlhair Security Advisory --DSL ROUTERS
From: wasted () KEWLHAIR COM (Wasted Rock Ranger)
Date: Mon, 20 Mar 2000 02:44:27 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well, after talking to SBC (including the CIO's gimp and the head of security and a few of the people who run the ISP side), they have no plans to upgrade the end users to Cisco due to price. The Alcatel/Cayman is clearly cheaper. I am a swbell customer and I was told that they would not upgrade me to a Cisco and that I am stuck with the Alcatel that I have now.

However, Pactel is installing Cisco routers/DSL bridges; the Cisco 14xx that they are deploying currently have telnet enabled on them. The user name and password are all set to PASSWORD on them, unless the customer changes it. Neither Pactel nor any other Bell (that is owned by SBC) is telling the customer about the password or how to change it.

Andyz

Thanks for the input

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM] On Behalf Of Bret Piatt
Sent: Monday, March 13, 2000 9:48 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Kewlhair Security Advisory --DSL ROUTERS

You might want to do some further testing, as I've found I'm able to http://router.ip.address/<protected url> without authenticating. It seems some of the <protected url>s don't check to see if you are authenticated; it just assumes you won't know the <protected url> path if you aren't, and the only way it assumes you can get there is through the menus, which require authentication.

I've recommended to all my customers to go with a Cisco 1417 that you can swap out for both the modem (in non-PPPoE mode) and router that SBC is installing. SBC is also looking at moving to the Cisco products or offering them as an alternative, so when you look to get your DSL in the first place, ask if they've made them available.

Bret Piatt - bpiatt () flash net / dknight () csuchico edu
Systems Engineer [CCNA/CCDA/MCP]
PacifiCom - (530) 342-8999

----- Original Message -----
From: "Andrew R. Siverly" <asiverly () KEWLHAIR COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Saturday, March 11, 2000 2:14 AM
Subject: Kewlhair Security Advisory --DSL ROUTERS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kewlhair Security Advisory

Advisory Name: Router Passwords
Advisory Released: 03/09/00
Severity: Moderate

Summary:
An attacker can seize control of an SBC customer's router.

Overview:
SBC is currently deploying the Cayman-DSL router to its DSL customers. (SBC Communications being the parent company for Southwestern Bell, Ameritech, Pacific Bell, Nevada Bell, Cellular One, and a few more.) With this deployment SBC is neglecting to set passwords on the router. Kewlhair has found over 300 of these non-passworded routers.

Description:
Telco engineers often fail to set passwords on DSL modems installed at customer sites. The vulnerability affects many different DSL modems. The Cayman product is especially vulnerable because it defaults to having no password at all. As the Telcos often do not educate the customers, their modems are left vulnerable to intrusion and denial of service events.

Vulnerability:
An individual with malicious intent could easily scan for these devices on a DSL provider's network, connect to them, and disable them without significant effort. In addition, an intruder could disable access to the device itself by installing a password (which only they would know). A significant vulnerability is that these devices often can be set with static routing tables, so packets could be sent through an environment where a malicious third party could monitor the traffic.

The Demo:

[ user@xxxx /user]# telnet xxx.xxx.xxx..xxx..
Trying xxx.xxx.xxx.xxx...
Connected to xxx.xxx.xxx.xxx.
Escape character is '^]'.
Terminal shell v1.0
Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) plus 4-port hub
Running GatorSurf version 5.3.0 (build R2)
( completed login: administrator level)
Cayman-DSLXXXXXX>

Worst Case:
Someone writes a script that logs into every one of these routers, sets the passwords, then changes the IP or kills the interface so it no longer works properly, causing an SBC engineer to come to the home or place of business to fix the problem. (I bet that would cost some bucks.)

Solutions:
Mandate that the Telco engineers change the default passwords on the devices at time of install, and provide literature to the consumer advising them of the risks of DSL (or cable) connections to the Internet.

Quick solution: Set your password on your Cayman router.
http://cayman.com/security.html#passwordprotect

How do I password protect the Cayman router?

Through the browser:
1. Browse into the Cayman router.
2. Click on the "Expert Mode" link.
3. A second row of links will appear.
4. Then select the "Passwords" link.

Through a Telnet session:
1. First establish a telnet session to the unit or connect serially to the console port at 9600 baud.
2. At the prompt, type "configure" (NOTE: all commands are typed without quotes) and enter.
3. At this point you will be at the "top" prompt. Then type "system" and enter.
4. Now you will be at the "system" prompt. Here you type "set password admin" and enter.
5. You will then be prompted for the new password and then be prompted to repeat the password. Once you have done this, you will be back at the system prompt.
6. Here you will need to repeat the process, this time for the user password, by doing the following steps:
7. Type "set password user" and enter. Again you will then be prompted for the new password and then be prompted to repeat the password. Once this is done, you will be at the "system" prompt again. Here type "quit", and you will be prompted, "Save modified configuration data [y|n] ?" Type "yes" and the router is now password protected.

NOTE: We recommend that the admin and user password be the same to avoid confusion. This approach allows only the admin password to view or change the settings.

asiverly () kewlhair com
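Bret Piatt's follow-up describes a web UI that checks the login only on the menu page and assumes nobody reaches a protected path except through that menu. The following is an added example, not code from the thread or from any router vendor, that models the flaw in a minimal request dispatcher next to a deny-by-default version and includes a small audit function a defender can run over a route table; the paths, session tokens and page bodies are assumptions.

```python
# Added example: models the "only the menu checks auth" flaw from the thread.
# Paths, session tokens and page bodies are constructed for illustration.
from http import HTTPStatus

# Constructed: session tokens the login page would have issued.
VALID_SESSIONS = {"sess-admin-1"}


def authenticated(session):
    return session in VALID_SESSIONS


def page_menu():
    return "menu: /protected/config /protected/passwords"


def page_config():
    return "config: lan 192.0.2.1/24 (constructed)"


ROUTES = {"/login": lambda: "login form",
          "/menu": page_menu,
          "/protected/config": page_config}

PUBLIC = {"/login"}  # allow-list: everything not listed here needs a session


def handle_vulnerable(path, session=None):
    """Menu-driven UI: only the menu handler checks the session, so a direct
    request for a /protected/ path is served without ever logging in."""
    if path not in ROUTES:
        return HTTPStatus.NOT_FOUND, ""
    if path == "/menu" and not authenticated(session):  # the only check
        return HTTPStatus.UNAUTHORIZED, "login required"
    return HTTPStatus.OK, ROUTES[path]()  # BUG: protected paths skip the check


def handle_hardened(path, session=None):
    """Deny by default: the check runs before any handler for every path that
    is not explicitly public, regardless of how the client found the URL."""
    if path not in ROUTES:
        return HTTPStatus.NOT_FOUND, ""
    if path not in PUBLIC and not authenticated(session):
        return HTTPStatus.UNAUTHORIZED, "login required"
    return HTTPStatus.OK, ROUTES[path]()


def unguarded_routes(handler):
    """Audit: non-public routes the handler serves with no session at all."""
    return sorted(p for p in ROUTES
                  if p not in PUBLIC and handler(p)[0] == HTTPStatus.OK)
```

Running `unguarded_routes` against your own dispatcher is the check Bret suggests doing by hand: any path it returns is reachable by forced browsing.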
Current thread:
- Kewlhair Security Advisory --DSL ROUTERS Andrew R. Siverly (Mar 11)
- Re: Kewlhair Security Advisory --DSL ROUTERS Bret Piatt (Mar 13)
- <Possible follow-ups>
- FW: Kewlhair Security Advisory --DSL ROUTERS Wasted Rock Ranger (Mar 20)