21-08-2004
Multiple Vulnerabilities in the Paradyne ADSL modem (ver)

Though Linux runs on the box, security measures are very poorly implemented. We will discuss what we have found so far. However, we expect that there are many more vulnerabilities on this box, since security was clearly not in mind when these units were designed.

1- Users and permissions:

The box has three users [admin, user, support], each with a default password. Only support can log in from the Internet; user and admin can only log in from the internal network. There is an httpd server that can be used to log in and manipulate the unit. Every account has a different role; for example, the user account cannot change the ADSL configuration.

Surprisingly enough, if you telnet to the unit, log in with the user account and "cat /etc/group", you will find that all accounts are in one group, which is the root group:

    root::0:root,admin,support,user

But that is not all. Let's cat /etc/passwd:

    admin:xxxxxxxxxxxxx:0:0:Administrator:/:/bin/sh
    support:xxxxxxxxxxxxx:0:0:Technical Support:/:/bin/sh
    user:xxxxxxxxxxxxx:0:0:Normal User:/:/bin/sh

The encrypted passwords are not shadowed! Look closer: all users have the same user ID (0). You don't have to escalate privileges; all users are already admins. It may not be important, but one issue is left unexplained: why the admin and user accounts are unable to log in from the Internet.

2- Shell oddities:

The login shell provides you with a limited set of commands: no "cd" and no "ls".

    > help
    ? help logout reboot adsl atm brctl cat df dltftp echo ifconfig kill arp
    defaultgateway dhcpserver dnsrelay lan passwd ppp remoteaccess restoredefault
    route save swversion wan ping ps pwd sysinfo traceroute

But if you run "echo ./*" you get something close to, though not as good as, ls:

    > echo ./*
    ./bin ./dev ./etc ./lib ./linuxrc ./mnt ./proc ./sbin ./upnp ./usr ./var ./webs

OK, let's browse for a while...
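The account weaknesses described above (every account mapped to UID 0, password hashes kept in /etc/passwd rather than /etc/shadow, everyone a member of the GID-0 group) are easy to check for mechanically. The following audit script is an added example and is not part of the advisory or of the vendor's firmware; it parses /etc/passwd and /etc/group text handed to it (the sample below is the content quoted above, with the hashes already masked) and reports one finding per account and problem. The finding codes and the set of shadow markers ("x", "*", "!") are this example's own assumptions.

```python
"""
Account audit for a small Linux box: flags shared UID 0, unshadowed password
hashes and non-root members of the GID-0 group. Input is text, not the live
system, so captured files from several units can be checked offline.
"""
from collections import defaultdict

# Constructed sample: the /etc/passwd and /etc/group lines quoted in the advisory.
SAMPLE_PASSWD = """\
admin:xxxxxxxxxxxxx:0:0:Administrator:/:/bin/sh
support:xxxxxxxxxxxxx:0:0:Technical Support:/:/bin/sh
user:xxxxxxxxxxxxx:0:0:Normal User:/:/bin/sh
"""
SAMPLE_GROUP = "root::0:root,admin,support,user\n"

# Values in passwd field 2 that mean "no hash stored here" (assumed set).
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Return one dict per well-formed 7-field passwd line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        try:
            uid, gid = int(uid), int(gid)
        except ValueError:
            continue
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def parse_group(text):
    """Return {group_name: (gid, [members])} for well-formed 4-field group lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _pw, gid, members = fields
        try:
            gid = int(gid)
        except ValueError:
            continue
        groups[name] = (gid, [m for m in members.split(",") if m])
    return groups


def audit_accounts(passwd_text, group_text):
    """Return a sorted list of (finding_code, account_name) tuples."""
    findings = []
    entries = parse_passwd(passwd_text)
    groups = parse_group(group_text)

    # (1) More than one account mapped to UID 0: the kernel cannot tell them apart,
    #     so per-account restrictions enforced only by the login front end are moot.
    by_uid = defaultdict(list)
    for e in entries:
        by_uid[e["uid"]].append(e["name"])
    if len(by_uid[0]) > 1:
        findings.extend(("SHARED_UID0", name) for name in by_uid[0])

    # (2) Anything other than a shadow marker in field 2 is a hash readable by
    #     every local user, since /etc/passwd must be world-readable.
    for e in entries:
        if e["pw"] == "":
            findings.append(("EMPTY_PASSWORD", e["name"]))
        elif e["pw"] not in SHADOW_MARKERS:
            findings.append(("UNSHADOWED_HASH", e["name"]))

    # (3) Membership of the GID-0 group by anyone other than root itself.
    for _gname, (gid, members) in groups.items():
        if gid == 0:
            findings.extend(("IN_ROOT_GROUP", m) for m in members if m != "root")

    return sorted(findings)


if __name__ == "__main__":
    for code, account in audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{code:16} {account}")
```

On the sample above the script yields nine findings (three accounts, three problems each); a conventional layout with a single root account, "x" in the password field and an empty root group yields none, which is the state a hardened firmware image should reach.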
    > echo ./bin/*
    ./bin/[ ./bin/adsl ./bin/adslctl ./bin/atm ./bin/atmctl ./bin/brctl ./bin/busybox
    ./bin/cat ./bin/cfm ./bin/df ./bin/dhcpc ./bin/dhcpd ./bin/dnsprobe ./bin/dumpmem
    ./bin/ebtables ./bin/echo ./bin/expr ./bin/false ./bin/fdefault ./bin/igmp
    ./bin/iptables ./bin/kill ./bin/ledctrl ./bin/login ./bin/mkdir ./bin/mount
    ./bin/msh ./bin/netctl ./bin/ping ./bin/pppd ./bin/ps ./bin/pvc2684ctl
    ./bin/pvc2684d ./bin/pwd ./bin/restart ./bin/ripd ./bin/rm ./bin/sendarp
    ./bin/setmem ./bin/sh ./bin/sysinfo ./bin/test ./bin/true ./bin/tty ./bin/udhcpd
    ./bin/upnp ./bin/zebra
    > echo ./sbin/*
    ./sbin/halt ./sbin/ifconfig ./sbin/init ./sbin/insmod ./sbin/klogd ./sbin/logread
    ./sbin/modprobe ./sbin/rmmod ./sbin/route ./sbin/syslogd
    > echo ./usr/*
    ./usr/bin
    > echo ./usr/bin/*
    ./usr/bin/top ./usr/bin/traceroute
    >

Apparently there are more commands than the help output shows.

2.1- /bin/[

This is a very strange file name. We still haven't figured out a way to run it, but we were able to cat it and crash the telnet daemon :).

2.2- /bin/sh

    > sh
    BusyBox v0.60.4 (2003.11.03-03:35+0000) Built-in shell (msh)
    Enter 'help' for a list of built-in commands.
    #
    # ls
    ls: not found
    # cd
    # cd /bin
    # pwd
    /bin

Well, at least we have got a "cd". More good news: some of the commands that did not work before do work in this shell, mount for example.

Before sh:

    > echo $PATH
    /bin:/sbin:/usr/bin
    > mount
    mount: not found

After sh:

    # echo $PATH
    /bin:/sbin:/usr/bin
    # mount
    /dev/mtdblock0 on / type cramfs (ro)
    /proc on /proc type proc (rw)
    tmpfs on /var type tmpfs (rw)

2.2.1- help does not work in this shell.
2.2.2- msh is no different from sh (so far), and help doesn't work in it either.
3- ADSL registration account password revealed

    > ps
      PID  TTY    Uid    Size  State  Command
        1         admin  1216  S      init
        2         admin     0  S      [keventd]
        3         admin     0  R      [ksoftirqd_CPU0]
        4         admin     0  S      [kswapd]
        5         admin     0  S      [bdflush]
        6         admin     0  S      [kupdated]
        7         admin     0  S      [mtdblockd]
       13         admin  1272  S      -sh
       39         admin  1472  S      cfm
       63         admin   600  S      pvc2684d
      116         admin  1496  S      telnetd
      122         admin  1528  S      httpd
      127         admin  1168  S      pppd -i nas33 -u myusername -p mypassword -c 33 -m
      241         admin   600  S      /bin/dnsprobe
     4642         admin  1184  S      klogd
     4644         admin  1228  S      syslogd -C -l 7
     4645         admin  1184  S      klogd
     4647         admin  1224  S      syslogd -C -l 7
     4720         admin   720  S      upnp -L br0 -W ppp33 -D
     6132  ttyp1  admin  1496  S      telnetd
     6133  ttyp1  admin  1260  S      sh -c ps
     6134  ttyp1  admin  1212  R      ps

As you can see, the username and the password are in plain text.

4-
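Credentials on a process command line are visible to every local user (through ps, or on Linux through /proc/<pid>/cmdline), so this is a finding worth checking for across a fleet of devices rather than once by eye. The script below is an added example, not part of the advisory or the vendor's firmware: it takes a saved ps listing in the column layout quoted above, splits each row into PID and command line, and reports rows whose command line carries a secret, returning a redacted copy suitable for a report. The "-p" option is the vendor pppd flag seen in the listing; the rest of the flag list and the inline "password=" patterns are this example's own assumptions about what other daemons might accept.

```python
"""
Scan a captured `ps` listing for secrets passed as command-line arguments and
produce a redacted version of each offending command line.
"""
import re

# Constructed sample, abridged from the advisory's ps output; "myusername" and
# "mypassword" are the placeholders that appear there.
SAMPLE_PS = """\
  PID  TTY    Uid    Size  State  Command
    1         admin  1216  S      init
   39         admin  1472  S      cfm
  116         admin  1496  S      telnetd
  127         admin  1168  S      pppd -i nas33 -u myusername -p mypassword -c 33 -m
 4644         admin  1228  S      syslogd -C -l 7
 6133  ttyp1  admin  1260  S      sh -c ps
"""

# Assumed: options whose *next* argument is a secret. "-p" is the vendor pppd
# flag seen above; "password" is the option name in stock pppd.
SECRET_FLAGS = {"-p", "--password", "password"}
# Assumed: inline key=value forms carrying a secret.
INLINE_SECRET = re.compile(r"^(?:pass(?:word|wd)?|pw|secret)=", re.IGNORECASE)
# One-letter process states used by this ps build (assumed set).
STATE_CODES = {"S", "R", "D", "Z", "T"}


def split_ps_line(line):
    """Return (pid, argv) for a data row, or None for the header / junk.

    The TTY column is blank for most rows, so columns are not at fixed
    positions; the row is anchored on the 'numeric Size followed by a
    one-letter State' pair, and everything after State is the command line.
    """
    tokens = line.split()
    if len(tokens) < 5 or not tokens[0].isdigit():
        return None
    for i in range(2, len(tokens) - 1):
        if tokens[i - 1].isdigit() and tokens[i] in STATE_CODES:
            return int(tokens[0]), tokens[i + 1:]
    return None


def redact_cmdline(argv):
    """Return (secret_found, redacted_argv) with secret values replaced by '***'."""
    out, found, take_next = [], False, False
    for tok in argv:
        if take_next:            # value following a secret-carrying flag
            out.append("***")
            found, take_next = True, False
        elif tok in SECRET_FLAGS:
            out.append(tok)
            take_next = True
        elif INLINE_SECRET.match(tok):
            out.append(tok.split("=", 1)[0] + "=***")
            found = True
        else:
            out.append(tok)
    return found, out


def find_cmdline_secrets(ps_text):
    """Return [(pid, program, redacted_command)] for every row exposing a secret."""
    hits = []
    for line in ps_text.splitlines():
        parsed = split_ps_line(line)
        if parsed is None:
            continue
        pid, argv = parsed
        found, redacted = redact_cmdline(argv)
        if found:
            hits.append((pid, argv[0], " ".join(redacted)))
    return hits


if __name__ == "__main__":
    for pid, prog, cmd in find_cmdline_secrets(SAMPLE_PS):
        print(f"PID {pid}: {prog} exposes a secret on its command line -> {cmd}")
```

The fix on the device side is not to hide ps but to stop passing the secret as an argument at all: stock pppd reads PAP and CHAP credentials from /etc/ppp/pap-secrets and /etc/ppp/chap-secrets, files that can be made readable by root only, which is the pattern any daemon on such a box should follow.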