Full Disclosure mailing list archives

Re: Samsung ADSL Modem Vulnerability


From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Thu, 24 Mar 2005 12:19:29 -0800

for clarity..  all items are available via WAN by default

updated Advisory at 
http://exploitlabs.com/files/advisories/EXPL-A-2005-002-samsung-adsl.txt

----- Original Message ----- 
From: "Morning Wood" <se_cur_ity () hotmail com>
To: <full-disclosure () lists grok org uk>
Sent: Monday, March 21, 2005 12:51 PM
Subject: [Full-disclosure] Samsung ADSL Modem Vulnerability


------------------------------------------------------------
     - EXPL-A-2005-002 exploitlabs.com Advisory 031 -
------------------------------------------------------------
                       - Samsung ADSL Modem -






AFFECTED PRODUCTS
=================
Samsung ADSL Modem

Samsung Electronics
http://www.samsung.com


DETAILS
=======
1. Arbitrary reading of files
2. Default root password
3. root file system access


Known issues exist in Boa httpd as per:
FreeBSD-SA-00:60 Security Advisory

http://www.securiteam.com/unixfocus/6G0081P0AI.html and
http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html

note:
 This is a hardware based product with built in httpd for
 remote access, this is a separate issue from the ones
 formally presented above, but carries the same implications.


Identification:

HTTP/1.0 400 Bad Request
Date: Sat, 03 Jan 1970 17:57:18 GMT
Server: Boa/0.93.15
Connection: close
Content-Type: text/html

Modem vendor Samsung Electronics (co) modem 
co chipset vendor b500545354430002 
cpe chipset vendor Samsung Electronics (co) cpe chipset 
software version  SMDK8947v1.2 Jul 11 2003 10:00:01 
ADSL DMT version a-110.030620-10130710


Samsung ADSL modems run uClinux OS
http://www.uclinux.com

note:
Depending on the implementation, other products
using a combination of Boa / uClinux may be
affected as well.


Item 1
=====
http://[someSamsung.ip]/etc/passwd
http://[someSamsung.ip]/etc/hosts
http://[someSamsung.ip]/bin/
http://[someSamsung.ip]/dev/
http://[someSamsung.ip]/lib/
http://[someSamsung.ip]/tmp/

http://[someSamsung.ip]/var/ppp/chap-secrets

http://[someSamsung.ip]/bin/sh

Any remote user may request any file present
in the router/modem OS file system.
Files can be fetched unauthenticated via a
GET request in a browser.


Item 2
=====
Default user login / passwords exist in both
httpd (http://[host]/cgi-bin/adsl.cgi) and telnet ports

root/root
admin/admin
user/user


Item 3
======
By telnetting to the device and logging in as
root/root, remote users may access the filesystem.
The modem provides 256mb of ram for OS and
file system operations. In this implementation
there is approx 120mb free file system space
which allows for the possibility for remote
attackers to use the file system for malicious
communication and file storage. This allows
many scenarios such as storing a worm and/or
viral code.

#echo "some bad data" >file



SOLUTION:
=========
none to date

Samsung has been contacted
No patch released



Credits
=======
This vulnerability was discovered and researched by 
Donnie Werner of exploitlabs

Donnie Werner

mail: morning_wood () zone-h org
-- 
web: http://exploitlabs.com
web: http://zone-h.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
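
A detection check for Item 1, added here as an example and not part of the original advisory: it scans HTTP access logs for requests to the OS directories the advisory lists and marks the ones that were actually served. The Common Log Format input (from an upstream proxy or sensor), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# OS directories the advisory lists as readable over HTTP (Item 1).
SYSTEM_PREFIXES = ("/etc/", "/bin/", "/dev/", "/lib/", "/tmp/", "/var/")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def canonical_path(target):
    """Drop the query, percent-decode, and collapse ./ and ../ segments."""
    return normpath("/" + unquote(urlsplit(target).path).lstrip("/"))

def find_system_file_reads(lines):
    """Return (src, path, served) for each request aimed at an OS directory."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF rather than guess
        path = canonical_path(m["target"])
        if (path + "/").startswith(SYSTEM_PREFIXES):
            served = m["status"].startswith("2")  # 2xx: content was returned
            hits.append((m["src"], path, served))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [24/Mar/2005:12:19:29 -0800] "GET /etc/passwd HTTP/1.0" 200 312',
    '198.51.100.7 - - [24/Mar/2005:12:19:31 -0800] "GET /var/ppp/chap-secrets HTTP/1.0" 200 88',
    '203.0.113.9 - - [24/Mar/2005:12:20:02 -0800] "GET /cgi-bin/adsl.cgi HTTP/1.0" 401 0',
    '203.0.113.9 - - [24/Mar/2005:12:20:05 -0800] "GET /%65tc/hosts HTTP/1.0" 404 0',
    '192.0.2.44 - - [24/Mar/2005:12:21:40 -0800] "GET /images/../bin/ HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for src, path, served in find_system_file_reads(SAMPLE):
        print(f"{'SERVED' if served else 'probe '} {src} {path}")
```

A served hit on a path such as /var/ppp/chap-secrets means the credentials in that file should be treated as exposed and rotated.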

