ZoomX3.txt
Posted Jul 5, 2004
Authored by Adam Laurie

The Zoom X3 ADSL modem has a backdoor menu on TCP port 254 that uses the factory default password for access. However, even if the password is changed on the main menu, the backdoor system still allows access with it.

tags | advisory, tcp
SHA-256 | eb944cb7eab7847e413a6486cbbc8289960951657ae2411d075260520b0eeb1c

i have just installed an adsl modem sold under the brand of Zoom X3

http://www.zoom.com/products/adsl_overview.html

and was appalled to find that an nmap scan of the external address
immediately came up with the following:

PORT    STATE SERVICE
23/tcp  open  telnet
80/tcp  open  http
254/tcp open  unknown
255/tcp open  unknown

ports 23 and 80 give access to the configuration menu and html interface
as would be expected, but, although you can control access to the html
interface, there is no control over the telnet port other than password.

worse still, telnetting to port 254 gives you access to another menu,
which identifies itself as "ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A)
3.27", and uses the *DEFAULT* HTML management password, even if you have
changed it to something else. i.e. changing the HTML password does not
change this one. from this menu you can change DSL settings and issue a
complete "Factory Reset". there is a menu option to change the password,
but this does not appear to work.

port 255 accepts connections, but I have not investigated further.

at the minimum this carries a risk of a trivial DOS attack (factory
reset and everything stops working), and may actually have other more
serious implications.

i am disgusted that in this day and age products like this are still
being shipped with such basic insecurities, and, accordingly, will not
be wasting my time by looking into it any further, and will be taking
the router back and exchanging it for something (hopefully) better
thought out.

to their credit, Zoom responded immediately with a workaround when i
reported the problem, so they are clearly already aware. fyi, the
workaround is to create dummy "Virtual Servers" on each of the ports
that blackhole any incoming connections. this appears to work.

Conexant list several other high profile retail modem manufacturers and
pc oems, so i leave it as an exercise for the reader to work out other
manufacturer/vulnerability combinations.

http://www.conexant.com/support/md_supportlinks.html

enjoy,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
The Stores http://www.thebunker.net
2 Bath Road http://www.aldigital.co.uk
London W4 1LT mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
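
A check for the "Virtual Servers" workaround described in the advisory, added here as an example and not part of the original post or of any Zoom tooling: it makes one TCP connect to each port from the nmap output and reports which ones still complete a handshake. It assumes it is run from outside the LAN against your own modem's external address; the function names and port labels are illustrative.

```python
import socket
import sys

# Ports listed as open in the advisory's nmap output (labels paraphrase the post).
ADVISORY_PORTS = {
    23: "telnet configuration menu",
    80: "html interface",
    254: "second menu using the default password",
    255: "accepts connections, not investigated",
}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered' with a single connect()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # handshake completed: something still answers
    except ConnectionRefusedError:
        return "closed"      # RST came back: nothing listening
    except OSError:
        return "filtered"    # timeout or unreachable: what a blackholed port looks like
    finally:
        sock.close()


def audit(host, ports=ADVISORY_PORTS, timeout=3.0):
    """Return {port: state} for each port in `ports`."""
    return {port: probe(host, port, timeout) for port in sorted(ports)}


def still_exposed(results):
    """Ports that completed a handshake and so are not blackholed."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_ports.py <external-address-of-your-own-modem>")
    results = audit(sys.argv[1])
    for port, state in results.items():
        print(f"{port}/tcp {state:9} {ADVISORY_PORTS[port]}")
    sys.exit(1 if still_exposed(results) else 0)
```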