Hi,

a "vulnerability" was identified on MoroccoTel Boxes: a telnet server is running, open to the web, with a default password of admin (or 123456).
This critical vulnerability can affect the entire network of a country.

Solution: change the default password account or modify the default firmware

NB: a new firmware was released, introducing a cipher on the "PPPoE password" (one common, publicly available PPPoE account is largely used)

Discovered by NETpeas research team, NETpeas CERT is trying to contact the ISP

More details:

Password: telnettry
41.141.*.* -> Response telnet02: ****
Copyright (c) 2001 - 2006 Huawei
MT882a>
***********************************************************
41.141.*.* -> TELNET PASSWORD FOUND: admin

MT882a> show all
RAS version: V100R001B022 MoroccoTel 2010/02/26
System ID: $5.0.152.1(RUE0.C2)3.11.2.151 20110602_V001 [Jun 02 2011 13:54:48]
romRasSize: 1217226
system up time: 2:45:45 (f2cc9 ticks)
bootbase version: VTC_SPI1.5| 2011/05/26
Hostname = MT882a
Message =
ip route mode = Yes
bridge mode = Yes

DHCP setting:
  DHCP Mode = Server
  Client IP Pool Starting Address = 192.168.1.2
  Size of Client IP Pool = 64
  Primary DNS Server = 8.8.8.8
  Secondary DNS Server = 8.8.4.4
  DHCP server leasetime = 86400

TCP/IP Setup:
  IP Address = 192.168.1.1
  IP Subnet Mask = 255.255.255.0
  Rip Direction = None
  Version = Rip-1
  Multicast = IGMP-v2

RemoteNode = 0
  Rem Node Name = ISP-0(ISP)
  Encapsulation = PPPoE
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 8/35
  IP Routing mode= Yes
  Bridge mode = No
  PPP Username =
  PPP Password = *******
  PPP Username_ext2 =
  PPP Password_ext2 =
  Service name =
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = Yes
  Multicast = None
  Default Route node = Yes

RemoteNode = 1
  Rem Node Name = ISP-1
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
41.141.1.9 -> Port 80 open
  Channel active = Yes
  VPI/VCI value = 0/35
  IP Routing mode= No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No

RemoteNode = 2
  Rem Node Name = ISP-2
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 0/32
  IP Routing mode= No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No

RemoteNode = 3
  Rem Node Name = ISP-3
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 8/32
  IP Routing mode= No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No

RemoteNode = 4
  Rem Node Name = ISP-4
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 8/81
  IP Routing mode= No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No

RemoteNode = 5
  Rem Node Name = ISP-5
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 0/100
  IP Routing mode= No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No

RemoteNode = 6
  Rem Node Name = ISP-6
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 1/39
  IP Routing mode= No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No

RemoteNode = 7
  Rem Node Name = ISP-7
  Encapsulation = RFC 1483
  Multiplexing = LLC-based
  Channel active = Yes
  VPI/VCI value = 0/16
  IP Routing mode= No
  Bridge mode = Yes
  Remote IP Addr = 0.0.0.0
  Remote IP Subnet Mask = 0.0.0.0
  IP address assignment type = Dynamic
  SUA = No
  Multicast = None
  Default Route node = No

MT882a> sys atsh
RAS version : V100R001B022 MoroccoTel
romRasSize : 1217226
bootbase version : VTC_SPI1.5| 2011/05/26
Product Model : SmartAX
MAC Address :
Default Country Code : FF
Boot Module Debug Flag : 00
RomFile Version : 9F
RomFile Checksum : dceb
RAS F/W Checksum : 87b7
SNMP MIB level & OID : 050000000100000002000000030000000400000005
Main Feature Bits : 86
Other Feature Bits :
  93 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00

MT882a> ether config
--------------- NDIS CONFIGURATION BLOCK ----------------
type=1 flags=0001
Board/Chassis:1 Lines/Board:1 Channels/Lines:2 Total Channel:2
task-id=8041f1f4 event-q=80458c2c(19) data-q=80458c70(1a) func-id=2
board-cfg=8042c8a4 line-cfg=8042c8bc chann-cfg=8042c8d0
board-pp (8042c8f0) 804273fc
line-pp (8042c8f4) 8042956c
chann-pp (8042c8f8) 804bf8a4 804bfe34
--------------- BOARD DISPLAY ---------------------------
ID slot# n-line n-chann status line-cfg chann-cfg
00 0 1 2 0001 8042c8bc 8042c8d0
--------------- LINE DISPLAY ---------------------------
ID line# board-id n-chann chann-cfg
00 1 00 2 8042c8d0
--------------- CHANNEL DISPLAY -------------------------
ID chan# line-id board-id address name
00 1 00 00 804bf8a4 enet0
01 2 00 00 804bfe34 enet1
MT882a>

--
Jerome Athias - NETpeas
VP, Director of Software Engineer
Palo Alto - Paris - Casablanca
Mobile: +212665346454
www.netpeas.com
---------------------------------------------
Stay updated on Security: www.vulnerabilitydatabase.com
"The computer security is an art form. It's the ultimate martial art."