Re: multiple vulnerabilities in Alcatel Speed Touch DSL modems

From: Matthew Schalit (mschalitat_private)
Date: Mon Apr 23 2001 - 15:52:19 PDT


    "Michael A. Nunes" wrote:
    >
    > Dear Peter & Others,
    >
    >         I actually contacted Alcatel specifically about the A1000, and
    > there seems to be a few different models of the same modem.  My
    > particular model number (found on the back of the modem) ends in
    > "AB" and Alcatel told me that this means that the modem cannot
    > be connected to except by a "Gig'E'Box," whatever that may be.
    
    >                 -- pcmike
    
    
    
    Hi folks,
    
      Here's some model number data if you're interested,
    from the Alcatel 1000 ADSL High Speed Modem User's
    Guide, Edition 01, p.5, Table B:
    
    
      Service Type                                Model #
    -------------------------------------------------------
    ATM-25 Service (ATMF)                       3EC 18200 AB
    Bridged Service (RFC 1483)                  3EC 18202 AB
    Bridged Service (RFC 1483)
      Point to Point Service (PPP)              3EC 18202 BB
    Bridged Service (RFC 1483) with Filtering
      Point to Point Service (PPP)              3EC 18202 DB
    -------------------------------------------------------
    
    
    
    I've tested an Alcatel 1000 external which has a
    model # 3EC 18202AD AB   and that's not a typo.
    
    
    It's the standard one Pacbell installed when they first
    rolled out ADSL with static IPs in the San Francisco
    Bay Area.
    
    I can connect to it with telnet, ftp, tftp, and http as
    described in the advisory.
    
    Telnet behaves a bit strangely.  Telnetd always skips the
    username part, and issues the EXPERT challenge, then waits
    for the EXPERT response.  So telnet only works in expert mode.
    
    Ftp downloads/uploads only work in EXPERT mode.
    Ftp can browse in normal mode with an empty username and password,
    thus enabling downloads/uploads without a password using tftp
    (once the directory structure has been ascertained).
    
    
    
    It's odd that my model # has the 'AD' in it.  I can only figure
    that it is not significant when referenced in comparison to the
    Service Type table, above.  This modem is assigned only one IP.
    
    
    Connection help:
    ----------------
      Set up one computer as your test box with a nic and connect it
    directly to the Alcatel 1000's 10BaseT port using a straight through
    cable.  The nic is mdi and the Alcatel 1000 is mdix, so that's why you
    use a straight through cable.
    
      Set up the computer's nic with
    
        ip addr    :  10.0.0.140
        mask       :  255.255.255.0
        netw       :  10.0.0.0
        bcast      :  10.0.0.255
        default gw :  unset
    
    Your computer should have a route to the 10.0.0.0 network via eth0,
    the external nic, so you should be able to ping 10.0.0.138 and get a
    response without a default route.  If that works, continue....
    
    Attempt to ftp 10.0.0.138.
    Results?  Exact error message?
    
    I had success with this method or setting the whole computer on
    a class A /8 network, rather than the class C /24 example I just showed.
    
    Regards,
    Matt
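The LAN check Matt walks through, written up as an added Python script (it is not from the original message or from Alcatel): it confirms that the test box's addressing puts the modem on-link without a default gateway, then reports which of the TCP management services named in the post answer, so you can see what the modem exposes to the LAN. The addresses are the ones given above; the service-to-port mapping is an assumption of standard ports.

```python
import ipaddress
import socket

# Addresses from the post: the modem answers on 10.0.0.138 and the test box
# is configured as 10.0.0.140 / 255.255.255.0 with no default gateway.
MODEM_IP = "10.0.0.138"
HOST_IP = "10.0.0.140"
HOST_MASK = "255.255.255.0"

# TCP management services the post reports as reachable (assumed standard
# ports). tftp is UDP/69 and is not covered by a TCP connect check.
TCP_SERVICES = {"ftp": 21, "telnet": 23, "http": 80}


def on_link(host_ip, host_mask, target_ip):
    """True when target_ip lies inside the host's directly connected network,
    i.e. is reachable with no default route set (the post's ping test)."""
    net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    return ipaddress.ip_address(target_ip) in net


def tcp_open(host, port, timeout=2.0):
    """True when a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or sockets disallowed
        return False


def audit(host_ip=HOST_IP, host_mask=HOST_MASK, modem_ip=MODEM_IP):
    """Return {service: reachable} for the modem, or None when the host's
    addressing would not put the modem on-link in the first place."""
    if not on_link(host_ip, host_mask, modem_ip):
        return None
    return {name: tcp_open(modem_ip, port) for name, port in TCP_SERVICES.items()}


if __name__ == "__main__":
    exposed = audit()
    if exposed is None:
        print(f"{MODEM_IP} is not on-link from {HOST_IP}/{HOST_MASK}; fix addressing first")
    else:
        for name, up in exposed.items():
            print(f"{name:6s} {'answers' if up else 'no answer'}")
```

Run it from the test box cabled directly to the modem's 10BaseT port; a service that answers here is one any host on that segment can reach.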
    



    This archive was generated by hypermail 2b30 : Tue Apr 24 2001 - 23:21:56 PDT