FYI: new security problems with Speedtouch

All technically oriented questions and discussions about Internet access via ADSL and xDSL (all DSL-based technologies).

Discussions about providers (their products and services) take place in the PROVIDER area.

FYI: new security problems with Speedtouch

Post by Manuel Capellari » Sun 05 Aug, 2001 12:36

I found the following on Bugtraq today; whether there is anything to it, or whether it is just a feint, will probably become clear soon ...

---

Date: Sun, 5 Aug 2001 03:21:58 +0200 (CEST)
From: Andrea Costantino <[email protected]>
X-X-Sender: <[email protected]>
To: <[email protected]>
Subject: Massive attack to Alcatel Speed Touch Home & Pro
Message-ID: <[email protected]>


Hi world of coder,

there seems to be an attack in progress against all Alcatel ADSL modem/router
users.

Using the EXPERT mode vulnerability and Shimomura's challenge/response
EXPERT mode password calculator, someone has upgraded the firmware of all the
Alcatel modems in Italy I have notice of.

Many of my colleagues, customers and friends (and obviously me too) have a
new release of their modem's firmware, apparently without notice.
Nobody asked for it and no ISP support did it at all!
I've asked my ISP customer hotline, and they were completely worried about
it!

It seems that a particular version is being installed by someone on the
Alcatel after a portscan to detect it.
I've recorded a large portscan against port 21 (the one used to upload
the new version) to ALL my public IPs, and all IPs of my ISP.

It seems that the intruder scanned with a SYN/FIN portscan to detect the
Alcatel, and afterwards he/she put the new firmware version on it.

I don't know what the hell the new version does, but sometimes during the
upgrade the configuration is lost, so many people blame their ISP or the
telco company for service interruptions, but in truth their ADSL is
running flawlessly, while the modem has become unconfigured.

I suspect that the new version has some kind of backdoors, since the
EXPERT mode is disabled in telnet (while the debugging stuff still works
with the same challenge/response schema), but the normal user is allowed
to do ftp get (while it wasn't allowed before, thanks Luca), and some
features seem to appear (the debugging stuff I reported before, td
menus).

My modem was upgraded apparently during the period between 0:00 and
4:00 CET on the 3rd of August without losing any configuration, so
I wouldn't have noticed anything without a direct check using "software version"
on console or telnet access.

The offending version was:
KHDSAA3.264 with md5 6771623a99d774953d6469ba6f2ccacb

How to downgrade?
First of all, obtain a clean version, with or without Shimomura's patch
(as you wish). I can't send it on a mailing list for copyright reasons
(really sorry!!!!!!).

The two official versions I saw BEFORE the attack were (identified by their
md5sums):

ae93eedcc6bee9d3c24ba6d0f809784e KHDSAA.134
or
5582c3922a2faae789674b6e0ced7e78 KHDSAA.132


Then put it by ftp on your modem. Just remember to put it (in binary mode;
issue the bin command first of all) in the dl directory and exec "quote site gc"
just before the put command.
Now telnet in, or grab your favourite console cable (if you have the Pro
version, of course) and connect it to your modem, then login (if needed..) and issue

=> software setpassive file = KHDSAA.13x

(put your own version, sub the x with 2 or 4 or whatever..)

=> software switch

the modem reboots
reconnect as fast as you can if you are connected by telnet..

=> software version
just to check if it's running the right version (check the active one!)

=> software deletepassive
delete the 264 one before the modem detects it and reboots with it (it
thinks that the 264 is newer, so it tries to run the latest one..).
If you are unable to delete the new one, try the more powerful console
access if you have a Pro version.


If you apply the patches, remember to disable EVERYTHING (apart from
telnet/ftp access, otherwise you won't be able to download any newer
release). No EXPERT access, no TFTP, no VPI 15 AAL5 TFTP/SNMP access =
fewer troubles in future.

Remember also that many other backdoors can still exist, since many people
running patched versions get their modem upgraded without notice..


Many thanks to Luca "Bluca" Berra and Michele "BaNzO" Zamboni for their
invaluable help while thinking and patching everything!


Many "thanks" even to Alcatel people for providing backdoor'd sw and
avoiding public distribution of patches. I hope this incident will
convince them to be more "open" to the coder/hacker community, since security
through obscurity is NOT a good way of life, as Windows teaches.

Otherwise I wish them to live the hell of many many people calling them to
ask for patches.. :)

---

Manuel Capellari
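A detection example added here, not part of the original post or the quoted e-mail: it runs over constructed firewall log lines in a simplified, assumed format and reports sources that sent SYN/FIN probes to port 21 against several different hosts, the sweep pattern the e-mail describes before the silent firmware uploads. The log format, addresses and the threshold of three targets are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (simplified format, not real ipchains or
# Alcatel output): timestamp, source, destination, TCP destination port, flags.
SAMPLE_LOG = """\
Aug 03 01:02:10 SRC=203.0.113.7 DST=198.51.100.10 DPT=21 FLAGS=SYN,FIN
Aug 03 01:02:10 SRC=203.0.113.7 DST=198.51.100.11 DPT=21 FLAGS=SYN,FIN
Aug 03 01:02:11 SRC=203.0.113.7 DST=198.51.100.12 DPT=21 FLAGS=SYN,FIN
Aug 03 01:02:11 SRC=203.0.113.7 DST=198.51.100.13 DPT=21 FLAGS=SYN,FIN
Aug 03 01:02:12 SRC=203.0.113.7 DST=198.51.100.14 DPT=21 FLAGS=SYN,FIN
Aug 03 01:05:00 SRC=198.51.100.2 DST=198.51.100.10 DPT=21 FLAGS=SYN
Aug 03 01:05:01 SRC=198.51.100.2 DST=198.51.100.10 DPT=21 FLAGS=ACK
Aug 03 01:07:30 SRC=192.0.2.9 DST=198.51.100.10 DPT=21 FLAGS=SYN,FIN
Aug 03 01:07:31 SRC=192.0.2.9 DST=198.51.100.11 DPT=21 FLAGS=SYN,FIN
Aug 03 01:09:00 SRC=192.0.2.9 DST=198.51.100.12 DPT=80 FLAGS=SYN,FIN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=(\S+)")


def parse_line(line):
    """Return (src, dst, dport, flagset) for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, flags = m.groups()
    return src, dst, int(dport), frozenset(flags.split(","))


def find_synfin_sweeps(log_text, port=21, min_targets=3):
    """Group SYN+FIN probes to `port` by source and return {src: sorted targets}
    for every source that probed at least `min_targets` distinct hosts.
    SYN and FIN set together never occur in a legitimate handshake, so the
    combination itself is a strong scanner fingerprint; the host count
    separates a sweep from a single stray packet."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport, flags = rec
        if dport == port and {"SYN", "FIN"} <= flags:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_synfin_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept port 21 on {len(hosts)} hosts: {', '.join(hosts)}")
```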
 

RE: FYI: new security problems with Speedtouch

Post by Atahualpa » Sun 05 Aug, 2001 16:18

/sbin/ipchains -A output -i eth0 -p tcp -d 10.0.0.138 21 -l -j DENY

same with 23 and 80 and then 53 and 69 udp

should work too I guess.

Ata
Atahualpa
 

RE: FYI: new security problems with Speedtouch

Post by Manuel Capellari » Sun 05 Aug, 2001 16:22

/ipchains/iptables/
Manuel Capellari
 

RE: FYI: new security problems with Speedtouch

Post by Starship Trooper » Tue 07 Aug, 2001 19:33

So,
and what is that supposed to mean now? In plain terms: the start page still carries the top headline that Aon guarantees security, however they interpret that..

A modem exchange campaign would certainly be expensive; was the BIOS ever renewed at all? In the last year?
Starship Trooper
 

