For clarity: all items are available via WAN by default.

Updated advisory at http://exploitlabs.com/files/advisories/EXPL-A-2005-002-samsung-adsl.txt

----- Original Message -----
From: "Morning Wood" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, March 21, 2005 12:51 PM
Subject: [Full-disclosure] Samsung ADSL Modem Vulnerability

> ------------------------------------------------------------
> - EXPL-A-2005-002 exploitlabs.com Advisory 031 -
> ------------------------------------------------------------
> - Samsung ADSL Modem -
>
>
> AFFECTED PRODUCTS
> =================
> Samsung ADSL Modem
>
> Samsung Electronics
> http://www.samsung.com
>
>
> DETAILS
> =======
> 1. Arbitrary reading of files
> 2. Default root password
> 3. root file system access
>
>
> Known issues exist in Boa httpd as per:
> FreeBSD-SA-00:60 Security Advisory
>
> http://www.securiteam.com/unixfocus/6G0081P0AI.html and
> http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html
>
> note:
> This is a hardware based product with built in httpd for
> remote access, this is a separate issue than the ones
> formally presented above, but carries the same implications.
>
>
> Identification:
>
> HTTP/1.0 400 Bad Request
> Date: Sat, 03 Jan 1970 17:57:18 GMT
> Server: Boa/0.93.15
> Connection: close
> Content-Type: text/html
>
> Modem vendor Samsung Electronics (co) modem
> co chipset vendor b500545354430002
> cpe chipset vendor Samsung Electronics (co) cpe chipset
> software version SMDK8947v1.2 Jul 11 2003 10:00:01
> ADSL DMT version a-110.030620-10130710
>
>
> Samsung ADSL modems run uClinux OS
> http://www.uclinux.com
>
> note:
> Depending on the implementation, other products
> using a combination of Boa / uClinux may be
> affected as well.
>
>
> Item 1
> =====
> http://[someSamsung.ip]/etc/passwd
> http://[someSamsung.ip]/etc/hosts
> http://[someSamsung.ip]/bin/
> http://[someSamsung.ip]/dev/
> http://[someSamsung.ip]/lib/
> http://[someSamsung.ip]/tmp/
>
> http://[someSamsung.ip]/var/ppp/chap-secrets
>
> http://[someSamsung.ip]/bin/sh
>
> Any remote user may request any file present
> in the router/modem OS file system.
> Files can be fetched unauthenticated via a
> GET request in a browser.
>
>
> Item 2
> =====
> Default user login / passwords exist in both
> httpd ( http://[host]/cgi-bin/adsl.cgi) and telnet ports
>
> root/root
> admin/admin
> user/user
>
>
> Item 3
> ======
> By telnetting to the device and logging in as
> root/root, remote users may access the filesystem.
> The modem provides 256mb of ram for OS and
> file system operations. In this implementation
> there is approx. 120mb free file system space
> which allows for the possibility for remote
> attackers to use the file system for malicious
> communication and file storage. This allows
> many scenarios such as storing a worm and/or
> viral code.
>
> #echo "some bad data" >file
>
>
>
> SOLUTION:
> =========
> none to date
>
> Samsung has been contacted
> No patch released
>
>
>
> Credits
> =======
> This vulnerability was discovered and researched by
> Donnie Werner of exploitlabs
>
> Donnie Werner
>
> mail: [EMAIL PROTECTED]
> --
> web: http://exploitlabs.com
> web: http://zone-h.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
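
Added example, not part of the advisory or of either post: a log check for the Item 1 request pattern, assuming a proxy or gateway in front of the modem's web interface writes Common Log Format lines. The function names and sample log lines are constructed, and the percent-decoding and path normalization go beyond the literal URLs in the advisory.

```python
import posixpath
import re
from urllib.parse import unquote

# Filesystem locations named in Item 1 of the advisory.
OS_PREFIXES = ("/etc", "/bin", "/dev", "/lib", "/tmp", "/var/ppp")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def normalized_path(target):
    """Drop the query, percent-decode, and collapse ./ ../ // in the path."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))


def flag_os_file_requests(lines):
    """Return (client, path, status) for requests that land in an OS directory."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a request line in the assumed log format
        client, _method, target, status = m.groups()
        path = normalized_path(target)
        if any(path == p or path.startswith(p + "/") for p in OS_PREFIXES):
            hits.append((client, path, int(status)))
    return hits


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [21/Mar/2005:12:51:00 +0000] "GET /etc/passwd HTTP/1.0" 200 312',
    '192.0.2.10 - - [21/Mar/2005:12:51:02 +0000] "GET /var/ppp/chap-secrets HTTP/1.0" 200 64',
    '198.51.100.7 - - [21/Mar/2005:12:52:10 +0000] "GET /cgi-bin/adsl.cgi HTTP/1.0" 401 0',
    '198.51.100.7 - - [21/Mar/2005:12:52:30 +0000] "GET /%65tc/hosts HTTP/1.0" 200 120',
    '203.0.113.5 - - [21/Mar/2005:12:53:00 +0000] "GET /index.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, path, status in flag_os_file_requests(SAMPLE):
        # A 2xx status means the file was actually served to the client.
        print(f"{client} requested {path} -> HTTP {status}")
```

A hit with a 2xx status on `/etc/passwd` or `/var/ppp/chap-secrets` means credential material left the device and should be treated as exposed.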
