
dial/up network

Security flaw in Airtel DSL modems

Hi,

I've found a few problems with the way DSL modems made by the vendor Bharti and provided by Airtel (an Indian ISP) are set up. I've been talking
with Airtel on this over the past couple of months to try to get them to close the vulnerability. They feel that they have addressed the issue appropriately. Please find the details of the vulnerability below in the forwarded emails. The vulnerability can be verified by trying a telnet on any random Airtel IP (say 122.167.xx.xx).

Cheers,
Shishir

---------- Forwarded message ----------
From: Shishir Birmiwal <shr@birmiwal.net>

Scientific Atlanta DPC2100 WebSTAR Cable Modem vulnerabilities

===============================================================
Scientific Atlanta DPC2100 Cable Modem
Cross-Site Request Forgery and Insufficient Authentication
May 24, 2010
CVE-2010-2025, CVE-2010-2026
===============================================================

==Description==

Scientific Atlanta, a Cisco company (www.cisco.com), produces the WebSTAR line

Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Virtual Private Dial-up Network
                         Denial of Service Vulnerability

Advisory ID: cisco-sa-20080326-pptp

http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml


Belkin Wireless G Plus MIMO Router F5D9230-4 Authentication Bypass Vulnerability

##
##
## INTRODUCTION:
##
##  I recently bought this router for my local
##  network (without an integrated modem), and now I can tell
##  that it was a bad choice. When my ISP disconnects
##  me from the internet, in most cases I have to reboot
##  my modem and the router in order to reconnect.
##  So I coded a program (which sends HTTP packets) to reboot
##  my router; it asks me for the router password and reboots it.

Airspan WiMAX ProST Authentication Bypass Vulnerability

Topic:              Airspan ProST Modem Management Authentication Bypass Vulnerability
Announced:          2008-03-13
Product:            Airspan ProST Antenna
Vendor:             http://www.airspan.com/
Impact:             Remote shell access
Affected product:   Airspan ProST with firmware < 6.5.40.0, Hardware rev < 4.1
Credits:            Francis Lacoste-Cordeau

I. BACKGROUND


Cisco Security Advisory: Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS

  * March 26th bundled IOS Advisory Table
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-bundle.shtml

Individual publication links are listed below:

  * Cisco IOS Virtual Private Dial-up Network Denial of Service
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-pptp.shtml
   
  * Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
    http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

Level-One WBR-3460A Grants Root Access

=========================
The WBR-3460A ships with firmware version 1.00.06 installed; this happens to be the only available version that is not affected by the vulnerability described below, but it lacks WPA2-PSK support and external/internal port mapping on the Virtual Servers configuration page, amongst other things.

II Background:
==============
The Level-One WBR-3460A is an ADSL2/2+ modem/wireless router which runs Linux with BusyBox v0.61.pre on a 32-bit MIPS 4KEc V4.8 processor (211 BogoMIPS); it has 14 MB of RAM and four 10/100 Ethernet ports.

III Description:
================
Performing an nmap scan on the internal address I came up with the following:


Cisco Security Advisory: Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720


[SECURITY] [DSA 1668-1] New hf packages fix execution of arbitrary code

Debian-specific: no
CVE Id(s)      : CVE-2008-2378
Debian Bug     : 504182

Steve Kemp discovered that hf, an amateur-radio protocol suite using 
a soundcard as a modem, insecurely tried to execute an external command
which could lead to the elevation of privileges for local users.

For the stable distribution (etch), this problem has been fixed in version
0.7.3-4etch1.


Cisco Security Advisory: Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak


Step-by-step instructions for debugging Cisco IOS using gdb

Set the "Serial device" to "/dev/ttyS0" (COM1, or whatever port your
router's console is connected to on your PC)

Set "Bps/Par/Bits" to "9600 8N1"

Exit the submenu, then scroll down to "Modem and dialling"

Set "Init string" and "Reset string" to be blank

Exit the submenu, then scroll down to "Save setup as dfl"


Cisco Security Advisory: Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers


Flaw in Alice gate2 pluswifi adsl modem

mail addr: wargame89@yahoo.it

Vulnerable device: Alice gate 2 plus wifi

Vendor's page: http://aiuto.alice.it/informazioni/modemadsl/alice_gate2adv.html



It seems to be possible to disable the wifi encryption using the following url:


Country by Country ISA Computer Sets

 
Now, it's not my intent to start a geopolitical debate here, but I've long heard of people blocking entire countries at the border to obviate issues with malicious traffic.  There are obviously some issues with this (both from a technical and a potential-customer standpoint), so I set out to do a bit of research on my own.  The first thing I found out was that if one does decide to block entire countries, it's going to be a bit of work from a rule standpoint.  Sure, if I wanted to block all of China I could block APNIC, but that would block WAY more than I would want.  So I set about finding a good resource for country-by-country IP ranges.  Fortunately, Wade Alcorn, one of my colleagues at NGSSoftware, turned me on to one that seemed pretty decent (there are a few around, though).  But finding the resource was just the beginning...  The list I got covered 234 countries, comprising almost 100,000 IP-range records.

Making a firewall rule to block China, for instance, would require entering almost 600 IP ranges, so the "manual" route was clearly out.  The thing is, I just didn't want to block countries without more research, so I needed a way to gather some statistics first.  Enter ISA Server.  As many of you know, I'm a big fan of ISA; it's a true enterprise security product with great scripting capabilities, so I set to work creating an automated method to create computer sets in ISA for each country.  Basically, I created a SQL database and loaded all the records into it.  I then wrote a little COM app to grab the data by country, create the sets in ISA, and loop through the IP ranges to add them to each set.  It worked great.

This accomplished two things: one, I now have full, detailed computer sets for each country to do with as I please.  Secondly, I have an excellent way of producing detailed reports for traffic analysis in ISA, and this was key.  With data collection points set up at different places around the world, I was able to capture 3.1 million inbound connection attempts.  The results were quite interesting.  While China still led in connection attempts overall, Canada was a close second.  However, while China's traffic consisted of SQL Slammer, HTTP, SMTP, probes for GhostProxy, etc., almost all of Canada's traffic was Messenger spam (UDP 1026, 1027, 1208).  The world leader for HTTP was Brazil, strangely enough.  Now, all of this will change based on who and where you are, and the types of services being offered.  For example, I only got 5 SMTP connection attempts to my cable modem in a week, but my ISP in BM got hundreds of thousands (understandably) in the same period.  I'll whip up some cool reports on what I found and post them once I get more data in from different collection points, but the valuable outcome of the project was the creation of these individual country-by-country computer sets for ISA.

Beforehand, I had no real way of easily and effectively reporting on traffic patterns by source country.  Whether you can or can't block entire countries is your business, but at least this affords an easy way of doing the research.  You may not be able (or want) to block HTTP from China, but you very well may want to block SMTP; with ISA and computer sets, you can easily do this.  Even if you don't block anything at all, you can use the sets to get rich reports of what kind of traffic you are getting from a particular country.  While the validity of blocking entire countries (or particular protocols, for that matter) may be up for debate, you now at least have the option to make your own decision based on factual information.  To be sure, you've always been able to do this; it's just been my experience that maintaining rule lists by country/protocol has been quite difficult and time consuming.
I've exported every country's entire list to ISA 2006 .XML format, and have posted them on the HoG site for community use.  Since I've automated the set creation process, I'll be updating the sets each month or so to ensure that changes are processed correctly.  I would like to thank NGSSoftware for purchasing the required business services to receive the updates; their donation makes it possible for me to give you updated sets for free.
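The two halves of the procedure above (a country-by-country range list turned into per-country address sets, then inbound connection attempts tallied by source country and port) can be shown end to end in a short script. What follows is an added example, not the author's COM app, the ISA XML export, or anything from the HoG site. It assumes a CSV of "start,end,country code" records and a simple log line format (timestamp, source IP, protocol, destination port); both are constructed inline for the demonstration and use RFC 5737 documentation prefixes with arbitrary country labels, not real geolocation data. It also collapses a country's start/end ranges into CIDR blocks, which is the form a firewall that does not accept arbitrary ranges would need:

```python
import bisect
import ipaddress
from collections import Counter

# Constructed stand-in for the country-by-country range list described in the
# post ("start,end,country code"). Real lists run to ~100,000 records; these
# use RFC 5737 documentation prefixes and arbitrary labels, NOT real geolocation.
COUNTRY_RANGES_CSV = """\
198.51.100.0,198.51.100.255,CN
203.0.113.0,203.0.113.127,CA
192.0.2.0,192.0.2.255,BR
"""

# Constructed inbound-connection log: timestamp, source IP, protocol, dest port.
SAMPLE_LOG = """\
2009-03-01T10:00:01Z 198.51.100.7 UDP 1434
2009-03-01T10:00:02Z 198.51.100.9 TCP 80
2009-03-01T10:00:03Z 203.0.113.20 UDP 1026
2009-03-01T10:00:04Z 203.0.113.21 UDP 1027
2009-03-01T10:00:05Z 192.0.2.50 TCP 80
2009-03-01T10:00:06Z 10.0.0.1 TCP 25
"""


class CountrySets:
    """Country -> IP range mapping with O(log n) lookup of an address's country."""

    def __init__(self, csv_text):
        self.ranges = []  # (start_int, end_int, country_code), sorted by start
        for line in csv_text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            start, end, cc = (field.strip() for field in line.split(","))
            start_i = int(ipaddress.IPv4Address(start))
            end_i = int(ipaddress.IPv4Address(end))
            if end_i < start_i:
                raise ValueError(f"range end precedes start: {line}")
            self.ranges.append((start_i, end_i, cc.upper()))
        self.ranges.sort()
        # Parallel list of start addresses for bisect; ranges are assumed non-overlapping.
        self._starts = [r[0] for r in self.ranges]

    def country_of(self, ip, unknown="??"):
        """Return the country code whose range contains ip, or `unknown` if none does."""
        ip_i = int(ipaddress.IPv4Address(ip))
        idx = bisect.bisect_right(self._starts, ip_i) - 1
        if idx >= 0 and self.ranges[idx][0] <= ip_i <= self.ranges[idx][1]:
            return self.ranges[idx][2]
        return unknown

    def cidrs_for(self, cc):
        """Collapse a country's start/end ranges into CIDR blocks for a firewall rule."""
        nets = []
        for start_i, end_i, code in self.ranges:
            if code == cc.upper():
                nets.extend(ipaddress.summarize_address_range(
                    ipaddress.IPv4Address(start_i), ipaddress.IPv4Address(end_i)))
        return [str(n) for n in ipaddress.collapse_addresses(nets)]


def tally_by_country(sets, log_text):
    """Count connection attempts per (country, protocol, port) from the log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src_ip, proto, port = line.split()
        counts[(sets.country_of(src_ip), proto.upper(), int(port))] += 1
    return counts


def report(counts):
    """Render the tally as text lines, most frequent (country, proto/port) first."""
    lines = []
    for (cc, proto, port), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        lines.append(f"{cc}  {proto}/{port:<5}  {n}")
    return lines


if __name__ == "__main__":
    sets = CountrySets(COUNTRY_RANGES_CSV)
    print("CIDR blocks for CA:", sets.cidrs_for("CA"))
    for line in report(tally_by_country(sets, SAMPLE_LOG)):
        print(line)
```

Sources that fall in no range are reported under "??" rather than silently dropped, which matters for exactly the question the post raises: a per-country block list only covers what the range list covers, so the unattributed share of traffic is a number worth watching before deciding what to block.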

A full list of all countries' ISA .xml for ISA 2006 is available here:

WarVOX 1.0.0 Released

[ http://warvox.org ]

WarVOX is a suite of tools for exploring, classifying, and auditing
telephone systems. Unlike normal wardialing tools, WarVOX works with the
actual audio from each call and does not use a modem directly. This
model allows WarVOX to find and classify a wide range of interesting
lines, including modems, faxes, voice mail boxes, PBXs, loops, dial
tones, IVRs, and forwarders. WarVOX provides the unique ability to
classify all telephone lines in a given range, not just those connected
to modems, allowing for a comprehensive audit of a telephone system.

Sea-Surfing on the Motorola Surfboard

More information about this flaw can be found here:
http://www.rooksecurity.com/blog/?p=4

Motorola Surfboard Cable Modems suffer from two Denial of Service attacks by means of Cross Site Request Forgery.

The latest version of The Motorola Surfboard is affected at the time of the writing.

Restarts the modem:
<html>
<form id=1 method=post action='http://192.168.100.1/configdata.html'>

[ GLSA 200812-08 ] Mgetty: Insecure temporary file usage

attacks.

Background
==========

Mgetty is a set of fax and voice modem programs.

Affected packages
=================

      -------------------------------------------------------------------

Telecom Italia Alice Pirelli routers: backdoor discovered that activates telnet/ftp/tftp from the internal LAN/WLAN.

                                saxdax & drpepperONE


Discovered an embedded backdoor that activates the telnet/ftp/tftp/web extended admin interface
with Admin privileges, from the internal LAN, on the Alice ADSL CPE modem/router manufactured
by Pirelli on a Broadcom platform.

#############################################################################################

                        saxdax & drpepperONE



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
