A user's iMac is broken into through his hacked Zyxel ADSL modem

As reported on the Mac-club mailing list.

From: Alberto Lozano

Date: Wed, 18 Dec 2002 01:23:33 Europe/Madrid

A member of this list found that his iMac TFT had started running very slowly.

The spinning beach ball kept appearing, and even moving the cursor cost him a considerable amount of time.

Digging and digging, it occurred to him (who knows why) to look at the configuration of his ZyXEL ADSL router.

And he got a huge surprise:

This is what the router shows when he connects to it with his Explorer:

System Information

System name ----- Te acabo de hackear ("I just hacked you")

Location ----- Te acabo de hackear

Administrator ----- Te acabo de hackear

He had previously changed the classic Telefónica default password (adminttd) for one of his own.

So someone got into his Zyxel, from there into his Mac, and played dirty tricks on both.

The list member will confirm it when he can connect again; right now he is in the middle of wiping his whole hard disk and reinstalling the system.

I am looking for security holes in the Zyxel and finding out how to plug them.

Moral:

Careful, very careful.

From: Alberto Lozano

Date: Wed, 18 Dec 2002 02:52:00 Europe/Madrid

Mac OS X is Unix.

From the router you can telnet into OS X... and if the user is not careful about a few things, you can pull off real stunts, my friend, real stunts.

Imagine that the user gains root privileges.

Imagine that he leaves you a worm via TFTP (that has happened to me) that sends your OS X password file to the guy. There are a million utilities for cracking Unix passwords.

Once he has your admin and/or root password, the rest is the same old song.

The most fun thing he can do to you is send you an "rm -r *" command (delete your whole disk recursively, so that nothing is left on it).

You have to configure the router so that no access at all is possible from the WAN. You have to turn on the Mac OS X firewall.

Those are two steps that anyone who connects with Mac OS X, or any other flavour of Unix, via ADSL should take.

From: Alberto Lozano

Date: Wed, 18 Dec 2002 10:26:34 Europe/Madrid

Summary

The ADSL routers P642R and P642R-I have their administrative Telnet and FTP services exposed to the WAN side in the default configuration. Additionally, the traditional ZyXEL default password is in place, which many users fail to change. This combination leaves a lot of Prestiges vulnerable to remote attacks, resulting in: DoS, malicious firmware being installed, configuration changes, possibly retrieval of ISP login credentials, attacks on the internal LAN by bouncing off the router, and perhaps more. In addition, there seems to be a minor configuration problem: it is not possible to apply more than one filter rule to the Remote Node filter list.

The Prestige 642M model is not affected, as it has no IP address on its WAN side (PPPoE). In effect, its administrative services are only accessible from the LAN. The same holds true for the P642R and 642R-I models when used in "bridge mode" with PPPoE. However, that configuration is very unlikely to be in widespread use.

As the Prestige 642 models use Alcatel chipsets but have their own OS (ZyNOS), they do not seem to be vulnerable to the recently discovered open TFTP service and flawed EXPERT mode challenge/response authentication vulnerabilities that affected Alcatel Speed Touch ADSL devices.

Details

Vulnerable systems:

ZyXEL Prestige 100

ZyXEL Prestige 202

ZyXEL Prestige 642R

ZyXEL Prestige 642R-I

Immune systems:

ZyXEL Prestige 100 V2.20? (F)

ZyXEL Prestige 100IH (F)

ZyXEL Prestige 310 (C/F)

ZyXEL Prestige 312 (F)

ZyXEL Prestige 314 (C)

ZyXEL Prestige 642M (–)

ZyXEL Prestige 642M-I (–)

Netgear RT311 (C)

Netgear RT314 (C/F)

Legend:

(–) Does not listen on WAN interface at all

(C) Can be or is configured to listen only on LAN

(F) Filters for FTP, telnet, TFTP and/or HTTP in place

Out of the box, the Prestige 642R(-I) seems to come with the administrative interface wide open on the WAN side, accessible from anywhere on the Internet. Since firmware release AJ.3, there are supposed to be filters for FTP and Telnet on the WAN side. The firmware release notes say for AJ.3:

In default ROM file settings, System will block incoming FTP, TFTP, TELNET, and WEB traffic.

However, in the same release notes, the settings for the remote node filters are shown as:

Menu 11.5 – Remote Node Filter

Input Filter Sets:

protocol filters=

device filters=

Output Filter Sets:

protocol filters=

device filters=

As you can see, no filters are in place, even though the filter sets themselves are otherwise configured correctly: they were simply not applied to the remote node. The firmware release notes imply that the technician wanted them to block the traffic in the default configuration; however, the documentation states somewhere that those filters are not applied yet. Additionally, menu 11.5 seems to be broken, i.e. one can only assign a single filtering rule per set of filters. See the SOLUTION section below for details.

The Prestige is not vulnerable to the Alcatel TFTP vulnerability because it only allows TFTP access if the source IP of the TFTP request is logged in via telnet at the same time. The Prestige is not vulnerable to the Alcatel EXPERT mode vulnerability, as there seems to be no expert mode.

Implications:

An attacker knowing the password can access the administrative telnet interface via the WAN, and via FTP/TFTP the raw configuration memory image ("rom-0") and the firmware file itself ("ras"). It may be possible to retrieve the login credentials to the ISP this way. An attacker can of course change any configuration through the telnet interface, including the access password of the router itself, rendering it inaccessible to its owner.

Certainly a lot more interesting is the possibility of inserting new port forwarding rules, what ZyXEL calls setting up “SUA Servers”. This way, an attacker can hop off the router to attack hosts on the LAN, which are thought to be safe behind NAT (Single User Account, or SUA, in ZyXEL terminology). Forwarding ports 137-139 to a windows host on the LAN would probably offer some insight into wide open SMB shares on many networks behind such an ADSL router. Finding hosts on the LAN is assisted by the built-in ping feature of the Prestige.

Whoever knows the password can upload new firmware of his choice across the Internet. This not only includes legitimate firmware, but also modified firmware, which can be anything from not working at all, to incorporating backdoors. There are two checksums, one for the firmware file as a whole, and one for the ZyNOS operating system itself.

If one believes the recent warning from Italy, then attacks on ADSL router firmware are already taking place out there.

Solution:

Obviously, all owners of a Prestige 642R or 642R-I should change their password to something other than the default.

ZyXEL will release a fixed firmware that has telnet and FTP access closed down for good on the WAN side. Not just those filters in place, but closed down properly, i.e. not even listening on the WAN interface at all, as now setting up "SUA Servers" on ports 21 and 23 will for obvious reasons fail, even though the Prestige documentation claims it works (they even use them in the example SUA Server Setup). To suit all possible applications, it should be configurable whether the device listens on the WAN interface or not, with the factory setting set to not listening. If this is already configurable today, e.g. through the command line mode, then ZyXEL should document it and set the default to not listening.

For now, owners should apply the FTP_WAN and TELNET_WAN filter rules on their Prestige, which intercept incoming connections to ports 21 and 23. The only thing you should need to do is hook filter rules 3 and 5 into the Remote Node Setup (menu 11.1 -> 11.5), like so:

Menu 11.5 – Remote Node Filter

Input Filter Sets:

protocol filters=3,5

device filters=

Output Filter Sets:

protocol filters=

device filters=

Unfortunately, though this is how it should work – according to the documentation you should be able to specify up to 4 filters delimited by commas – it does not.

ADSL providers could periodically scan their address ranges for vulnerable Prestiges, either using their own scripts or the one at http://dragon.roe.ch/adsl-probe.tar.bz2, in order to notify people with vulnerable Prestiges.

Vendor:

It seems that some ZyXEL regional offices have reacted and reworked the configuration of all P642R firmware releases. Their fixed firmware is available at ftp://ftp.europe.zyxel.com/.

Mac-club
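The advisory suggests that ISPs scan their ranges for Prestiges with the admin services open on the WAN side. The following is an added example (it is not part of the thread and not the adsl-probe script the advisory links to) of the check such a scanner performs: connect to the Telnet and FTP ports, record whether anything answers, and on Telnet try the ISP-issued default password named in the thread (adminttd). The fake router it talks to is constructed for the demo on the loopback interface; the "Main Menu" login banner it uses is an assumption about ZyNOS output, so adjust the match string for real devices.

```python
"""Added example: probe for Prestige admin services reachable on the WAN side.
Not part of the original thread or of the adsl-probe script; the fake router is constructed."""
import socket
import socketserver
import threading

# Telnet and FTP are the administrative services the advisory says are open on the WAN side.
ADMIN_SERVICES = {23: "telnet", 21: "ftp"}
# "adminttd" is the Telefónica default named in the thread; extend the list as needed.
DEFAULT_PASSWORDS = ["adminttd"]


def probe_port(host, port, timeout=2.0):
    """Return the first bytes the service sends (possibly empty), or None if nothing listens."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256).decode("latin-1", "replace")
            except socket.timeout:
                return ""
    except OSError:
        return None


def try_telnet_password(host, port, password, timeout=2.0):
    """Answer the ZyNOS 'Password:' prompt and report whether the SMT menu comes back.
    Assumption: a successful login prints a banner containing 'Main Menu'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if b"Password" not in s.recv(256):
                return False
            s.sendall(password.encode() + b"\r\n")
            return b"Main Menu" in s.recv(512)
    except OSError:
        return False


def assess_router(host, services, passwords=DEFAULT_PASSWORDS):
    """Map each admin service of one router to {exposed, banner[, default_password]}."""
    report = {}
    for port, name in services.items():
        banner = probe_port(host, port)
        entry = {"exposed": banner is not None, "banner": (banner or "").strip()}
        if name == "telnet" and banner is not None:
            entry["default_password"] = any(try_telnet_password(host, port, p) for p in passwords)
        report[name] = entry
    return report


class FakePrestige(socketserver.BaseRequestHandler):
    """Constructed stand-in for a P642R whose admin services face the WAN."""
    service = "telnet"
    password = "adminttd"

    def handle(self):
        if self.service == "ftp":
            self.request.sendall(b"220 FTP version 1.0 ready\r\n")
            return
        for _ in range(3):                      # three attempts, then drop the connection
            self.request.sendall(b"Password: ")
            data = self.request.recv(128)
            if not data:
                return
            if data.strip() == self.password.encode():
                self.request.sendall(b"\r\nCopyright (c) ZyXEL\r\nPrestige 642R Main Menu\r\n")
                return


def start_fake_prestige(service, password="adminttd"):
    """Listen on a random loopback port; returns the server (port in server_address[1])."""
    handler = type("Fake_" + service, (FakePrestige,), {"service": service, "password": password})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Scan a fake WAN-exposed router and a fake one whose admin ports are closed."""
    telnet, ftp, closed = (start_fake_prestige(s) for s in ("telnet", "ftp", "telnet"))
    closed_port = closed.server_address[1]
    closed.shutdown(); closed.server_close()     # nothing listens here any more
    try:
        exposed = assess_router("127.0.0.1", {telnet.server_address[1]: "telnet",
                                              ftp.server_address[1]: "ftp"})
        filtered = assess_router("127.0.0.1", {closed_port: "telnet"})
    finally:
        for srv in (telnet, ftp):
            srv.shutdown(); srv.server_close()
    return exposed, filtered


if __name__ == "__main__":
    exposed, filtered = demo()
    print("WAN-exposed router:", exposed)
    print("filtered router:   ", filtered)
```

A scanner run by the ISP would call `assess_router(ip, ADMIN_SERVICES)` for each address in its range and notify customers whose report shows `exposed` (and, worse, `default_password`) as true; against a router that has the Remote Node filters applied, both ports come back as not exposed.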

1 Comment
Anonymous, 21 years ago:

Hi, check the SNMP configuration on the Zyxel; it probably has the SET and GET communities set to public.

No matter how much you change the factory password, if the SNMP SET and (above all) GET communities are not changed, you are giving full access to your Zyxel router.

The little lamer who is messing with the Zyxels has written a small program that scans for SNMP agents open with "public".

Cheers.
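The comment's point is that a router can have a changed admin password and still be fully manageable over SNMP if its communities are left at "public". The following is an added example, not part of the thread, of how such a check is made: it builds SNMPv1 GetRequest and SetRequest packets by hand (BER encoding, no SNMP library), asks for the standard sysName.0 object, and then tries to write it, which is the "full access" case. The UDP agent it talks to is constructed on the loopback interface as a stand-in for a Prestige with both communities at "public"; real agents behave the same way for the parts exercised here (silent drop on a wrong community, error-status 0 on success).

```python
"""Added example: SNMPv1 community check with hand-built BER packets.
Not from the thread; the loopback agent below is a constructed stand-in."""
import socket
import threading

SYSNAME_OID = "1.3.6.1.2.1.1.5.0"                 # standard MIB-II sysName.0
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3


def _tlv(tag, payload):
    n = len(payload)
    length = bytes([n]) if n < 128 else bytes([0x81, n])   # long form; enough below 256 bytes
    return bytes([tag]) + length + payload


def _int(v):                                      # non-negative INTEGER, minimal two's complement
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]                # first two arcs share one byte
    for a in arcs[2:]:                            # base 128, high bit set on all but the last byte
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))


def build_message(community, pdu_tag, oid, value_tlv, request_id):
    """SNMPv1 message: SEQ{version 0, community, PDU{id, err, idx, SEQ{SEQ{oid, value}}}}."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + value_tlv))
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def parse_message(data):
    """Pull community, PDU type, request-id, error-status and the first varbind's value."""
    _, body, _ = _read_tlv(data, 0)
    _, _, pos = _read_tlv(body, 0)                # version
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _, p = _read_tlv(pdu, p)                   # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vbl, 0)                  # first (only) varbind
    _, _, q = _read_tlv(vb, 0)                    # its OID
    vtag, val, _ = _read_tlv(vb, q)
    return {"community": community.decode(), "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True),
            "value": val.decode("latin-1") if vtag == 0x04 else None}


def _exchange(host, port, msg, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (host, port))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None                           # SNMPv1 agents silently drop a wrong community
    return parse_message(data)


def snmp_get(host, port, community, oid=SYSNAME_OID, timeout=1.0):
    """Value of oid if the community is accepted for reading, else None."""
    reply = _exchange(host, port, build_message(community, GET_REQUEST, oid, b"\x05\x00", 1), timeout)
    return reply["value"] if reply is not None and reply["error_status"] == 0 else None


def snmp_set_string(host, port, community, text, oid=SYSNAME_OID, timeout=1.0):
    """True if the community is accepted for writing: the 'full access' case from the comment."""
    msg = build_message(community, SET_REQUEST, oid, _tlv(0x04, text.encode()), 2)
    reply = _exchange(host, port, msg, timeout)
    return reply is not None and reply["error_status"] == 0


def start_fake_agent(community="public", sysname="Prestige 642R"):
    """Constructed agent: answers GET and SET on sysName when the community matches."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)
    state, stop = {"sysname": sysname}, threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = sock.recvfrom(1500)
            except socket.timeout:
                continue
            req = parse_message(data)
            if req["community"] != community:
                continue                          # wrong community: no answer at all
            if req["pdu_tag"] == SET_REQUEST:
                state["sysname"] = req["value"]
            sock.sendto(build_message(community, GET_RESPONSE, SYSNAME_OID,
                                      _tlv(0x04, state["sysname"].encode()), req["request_id"]), peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop


def demo():
    port, stop = start_fake_agent()
    try:
        return {"public_read": snmp_get("127.0.0.1", port, "public"),
                "other_read": snmp_get("127.0.0.1", port, "s3cret"),
                "public_write": snmp_set_string("127.0.0.1", port, "public", "Te acabo de hackear"),
                "after_write": snmp_get("127.0.0.1", port, "public")}
    finally:
        stop.set()
```

Against a real router the calls are `snmp_get(ip, 161, "public")` and, if that answers, `snmp_set_string(...)`; a successful SET proves the write community is also "public", which is exactly the condition the comment describes. Note that a wrong community yields no reply at all rather than an error, so the timeout is the negative signal.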
