[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] security hole on local ISP

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] security hole on local ISP
From: Cilia Pretel Gallo <cpretelgallo@xxxxxxxxx>
Date: Tue, 29 Dec 2009 02:23:24 -0800 (PST)

I've recently discovered a security hole on the modems (which double as 
routers) used by a Colombian ISP - ETB.

It so happens that all incoming connections to an IP address on said ISP on 
port 23 or port 80 land on the modem instead of the computer(s) connected to 
it. Even if one tries to redirect those ports to a local machine, the modem 
still gets all the connections on those ports.
Also, connections on ports 23 and 80, from any IP address, will access the 
modem configuration options. Last year that could be done only from private IP 
addresses (i.e. 192.168.0/24), but now it can be done, as I said, from 
anywhere. I've been told that a few lucky users were able to forward port 80, 
but in that case, it's port 8080 that is intercepted by the modem.
The end result is that anyone, from anywhere, can access the modem of anyone on 
ETB to mess up their configuration (e.g. obtaining and changing the client's 
username and password, permanently disconnecting them from the internet, and so 
on) - that is, if they have the administration password. Unfortunately, ETB 
uses the same login/password on all of their modems since 2006, which are 
publicly available on the web.
Login: Administrator
Password: soporteETB2006

The whole IP range 190.24/14 corresponds to ETB clients. Any IP on that range 
where ports 80 and 23 are open is most likely a wide open ETB modem.

Apparently, this issue has been repeatedly reported to ETB, but it always falls 
on deaf ears. They seem to think this is no big deal since nobody knows the 
username and password for the modems - which is not the case, and even if it 
were, they would be easily crackable by brute force.

Peace,

-Cilia



      
____________________________________________________________________________________
¡Obtén la mejor experiencia en la web!
Descarga gratis el nuevo Internet Explorer 8. 
http://downloads.yahoo.com/ieak8/?l=e1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] security hole on local ISP
  - From: T Biehn
- Re: [Full-disclosure] security hole on local ISP
  - From: Valdis . Kletnieks

Prev by Date: [Full-disclosure] Wapiti 2.2.0 is available - Web application vulnerability scanner
Next by Date: [Full-disclosure] FreeWebshop.org: multiple vulnerabilities
Previous by thread: [Full-disclosure] Wapiti 2.2.0 is available - Web application vulnerability scanner
Next by thread: Re: [Full-disclosure] security hole on local ISP
Index(es):
- Date
- Thread