LG Nortel Disclosure / Insecure Configuration / DoS

Posted Dec 9, 2015
Authored by Karn Ganeshen

LG Nortel ADSL modems with software version 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e suffer from authorization flaws, information disclosure, insecure configuration, and denial of service vulnerabilities.

tags | exploit, denial of service, vulnerability, info disclosure
SHA-256 | 07c137c52ba038e547265ff65850d81997d590daad3e58b85cea0d0e33cf7bb3

# Title: [LG Nortel ADSL modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [NA]
# Version Reported: [Board ID: DV2020 + Product Version: S1.064B2.3H0-0 +
Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e]

*Timelines*
April, 2015: Vulnerabilities found
April 2015: Reported to Optus & CERT
April - October 2015: CERT (US/AUS) attempts to identify vendor / device
ownership. None found.
Dec 03, 2015: Public disclosure

*CVE-IDs*
None (Mitre..?)

*Note*:
After several months, vendor ownership for this device still remains
unknown/unconfirmed.

Regardless, it is currently in use, deployed by Optus (Australia), with
possibly 20-30% of customer base (primarily broadband services - home users
/ SOHO). So, quite a number up there.

There may be others but I & CERT are not aware of such.

*Device Info*
Board ID: DV2020
Product Version: S1.064B2.3H0-0
Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e
Bootloader (CFE) Version: 1.0.37-4.3
Wireless Driver Version: 3.131.35.0.cpe0.0


*Vulnerabilities*

Authorization flaws, Sensitive Information Disclosure, Insecure
configuration, Denial of Service


*1. Authorization Flaws (HTTP)*

1.1 *Non-admin users can access restricted administrative functionality
(intended for admin only)*

The LG-Nortel ADSL modem provides three (3) user accounts with different
privilege levels for administering the device. The administrative ‘admin’
user has complete privileges to access and perform all functions on the
modem. The other, non-admin users – ‘support’ and ‘user’ – have restricted
functional access and can perform only a limited set of functions.

A non-admin ‘user’ has no access to administrative functions via the GUI
menu, i.e. no administrative function links are *seen/visible* on the home
page.

However, the application lacks sufficient authorization controls, and a
‘user’ can still reach the administrative functionality by requesting its
URL directly.

For example, a non-admin ‘user’ has no menu option for the device
configuration file. However, it can still retrieve the file -
*backupsettings.conf* - by requesting the URL directly:
http://<modem_ip>/backupsettings.conf

With access to this configuration file, a low-privileged ‘user’ can easily
obtain the login passwords for ‘admin’ and any other valid users of the
modem. The login passwords are stored base64-encoded; base64 is a reversible
encoding, not encryption, so the clear-text password(s) can be trivially
recovered.

In a similar manner, low-privileged ‘user’ and ‘support’ logins can also
access other administrative functions.

1.2 *Application does not secure sensitive configuration details from
non-admin ‘user’ (HTTP)*

The application grants the ‘user’ login read-only access. However, sensitive
configuration information such as passwords, keys etc. is not withheld from
this user: all configuration details are readily accessible and readable
to the ‘user’ login.

1.3 *Password Change - Clear-text Password Disclosure*

The application does not protect the newly changed password. Once the
password is changed, the application reveals the new password in the
browser address bar, as:

http://<modem_ip>/password.cgi?sptPassword=<new_password_clear_text>

This HTTP request carries the new, valid password in clear-text, where it
is also recorded in browser history and in any proxy or server logs.


*2. Application does not secure configured passwords (HTTP)*

The application relies on client-side checks only - which can be easily
bypassed - to hide sensitive information such as service accounts and their
respective passwords. In the GUI these passwords are masked and only *****
is shown in the corresponding fields.

The following captured HTTP GET request shows the *masked* SIP / VoIP
password(s) being transmitted in the clear:

GET /voicesipset.cmd?proxyAddr=sip11.yesphone.optus.com.au&proxyPort=5060&regAddr=sip11.yesphone.optus.com.au&regPort=5060&extension1=<phone-num-removed>&extension2=&password1=<password-removed>&password2=&ifName=ppp_8_32_1&servermode=proxy&telurl=sip&regexpiry=1800&hostname=sip11.xxx.xxx.com.au&localport=5060&display1=<phone-num-removed>&display2=&authuser1=<phone-num-removed>&authuser2= HTTP/1.1
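An added example, not the advisory's or the modem firmware's code, of the server-side control that sections 1.1 to 2 lack: a deny-by-default, role-based gate over the admin endpoints named above, which also refuses credential parameters such as sptPassword= or password1= arriving in a GET query string. The session table, the ROLE_ALLOW page names and the helper names are assumptions for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Paths named in the advisory that only 'admin' should ever reach.
ADMIN_ONLY = {"/backupsettings.conf", "/password.cgi", "/voicesipset.cmd"}

# Per-role allowlist of paths (assumed page names); "*" = everything.
# Anything not listed is denied: authorization is decided here, on the
# server, not by hiding menu links in the GUI.
ROLE_ALLOW = {
    "admin":   {"*"},
    "support": {"/", "/status.html"},
    "user":    {"/", "/status.html"},
}

# Query parameters that carry credentials (sptPassword= and password1=
# are the ones the advisory shows travelling inside URLs).
CREDENTIAL_PARAMS = {"sptPassword", "password1", "password2"}

# Constructed session table: session id -> role (an assumption).
SESSIONS = {"s-admin": "admin", "s-support": "support", "s-user": "user"}


def authorize(session_id: str, method: str, url: str) -> tuple[int, str]:
    """Return (HTTP status, reason) for a request.

    401: no valid session.  400: credential in a GET query string (it would
    land in browser history, proxy and server logs).  403: role not allowed
    on this path.  200: allowed.
    """
    role = SESSIONS.get(session_id)
    if role is None:
        return 401, "no valid session"
    parts = urlsplit(url)
    path = parts.path or "/"
    # keep_blank_values so an empty 'password2=' is still recognised.
    leaked = CREDENTIAL_PARAMS & set(parse_qs(parts.query, keep_blank_values=True))
    if method.upper() == "GET" and leaked:
        return 400, "credential in query string: " + ",".join(sorted(leaked))
    allowed = ROLE_ALLOW.get(role, set())
    if "*" in allowed or path in allowed:
        return 200, "ok"
    if path in ADMIN_ONLY:
        return 403, f"{path} is admin-only; role {role!r} denied"
    return 403, f"{path} is not on the allowlist for role {role!r}"
```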


*3. Insecure configuration (Telnet)*

3.1 *No separation of privileges*

After logging in over Telnet as ‘user’, the system still permits running
system-level commands and reading sensitive files from the file-system.

- *shadow* is not used: all hashes are stored in *passwd*, which is readable
by everyone, and all system users are uid 0, gid 0, i.e. root-privileged
superusers. :)
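An added example, not from the advisory or the device firmware, of an audit for the two weaknesses this section describes in a BusyBox-style passwd file: hashes kept inline instead of in shadow, and every account carrying uid 0 / gid 0. Both sample files are constructed; a hardened layout is shown beside the weak one.

```python
# Constructed samples, not taken from a real device. The first mirrors what
# section 3.1 describes: hashes inline in passwd and every account uid 0/gid 0.
WEAK_PASSWD = """\
admin:$1$AAAAAAAA$xxxxxxxxxxxxxxxxxxxxxx:0:0:Administrator:/:/bin/sh
support:$1$BBBBBBBB$yyyyyyyyyyyyyyyyyyyyyy:0:0:Technical Support:/:/bin/sh
user:$1$CCCCCCCC$zzzzzzzzzzzzzzzzzzzzzz:0:0:Normal User:/:/bin/sh
"""
# The shape a hardened image should have: hashes moved to shadow ('x'),
# and only root holding uid 0 / gid 0.
HARDENED_PASSWD = """\
root:x:0:0:root:/:/bin/sh
support:x:1001:1001:Technical Support:/home/support:/bin/sh
user:x:1002:1002:Normal User:/home/user:/bin/sh
"""


def audit_passwd(text: str) -> dict:
    """Flag the two section 3.1 weaknesses in a passwd(5) file.

    inline_hash: accounts whose password field is neither 'x', '*' nor '!',
                 so the hash (or an empty password) is world-readable.
    uid0 / gid0: accounts that are root by uid or by gid.
    all_root:    True when every parsed account has uid 0.
    """
    inline_hash, uid0, gid0, entries = [], [], [], 0
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry: skip rather than guess its meaning
        name, pw, uid, gid = fields[:4]
        entries += 1
        if pw not in ("x", "*", "!"):
            inline_hash.append(name)
        if uid == "0":
            uid0.append(name)
        if gid == "0":
            gid0.append(name)
    return {"inline_hash": inline_hash, "uid0": uid0, "gid0": gid0,
            "all_root": entries > 0 and len(uid0) == entries}
```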


3.2 *Application does not secure sensitive configuration details from
‘user’*

The application permits the ‘user’ login to view sensitive information in the
modem’s configuration. The Telnet administrative console provides a command
- *dumpcfg* - to ‘user’; running it as the ‘user’ login dumps the device
configuration, including sensitive information such as passwords and keys,
all in clear-text.


*4. Authorization flaws + Denial of Service (Telnet)*

After logging in to the modem, the *passwd* command can be used to change the
passwords of all three users – ‘admin’, ‘support’, and ‘user’.

> passwd

Usage: passwd <admin|support|user> <password>

passwd –help

A non-admin ‘user’ account should be prevented from changing the passwords
of any other account.

*1st attempt - Failed*

> passwd admin admin1

Connection closed by foreign host.

The first attempt to change the ‘admin’ login password fails and the Telnet
connection drops. The Telnet service has now crashed, and the device will
need a reboot.

First attempt -> application crash.

I.e. the Telnet daemon can be crashed simply by logging in as a
low-privileged user and attempting an unauthorized action, such as trying to
change the ‘admin’ user's password.

In the second attempt, the command executes and the password for ‘admin’ is
changed successfully.

*2nd attempt - Successful*

> passwd admin admin1

>


Following this password change, the Telnet service again becomes unresponsive
within 10-15 seconds and the connection drops.

Second attempt -> application changes the pass :)

There is another way to crash the Telnet service. Log in to Telnet as ‘user’,
drop to the underlying BusyBox shell and issue a command:

#telnet 10.1.1.1

> sh

> vconfig -> DoS / crash


+++++

--
Best Regards,
Karn Ganeshen

