Massive attack to Alcatel Speed Touch Home & Pro

From: Andrea Costantino (costanat_private)
Date: Sat Aug 04 2001 - 18:21:58 PDT


    Hi world of coder,
    
    there seems to be an attack in progress against all Alcatel ADSL modem/router
    users.
    
    Using the EXPERT mode vulnerability and Shimomura's challenge/response
    EXPERT mode password calculator, someone has upgraded the firmware of all
    the Alcatel modems in Italy I have notice of.
    
    Many of my colleagues, customers and friends (and obviously me too) have a
    new release of their modem's firmware, apparently without notice.
    Nobody asked for it, and no ISP support did it at all!
    I've asked my ISP customer hotline, and they were completely worried about
    it!
    
    It seems that a particular version is being installed by someone on the
    Alcatels after a portscan to detect them.
    I've recorded a large portscan against port 21 (the one used to upgrade to
    the new version) to ALL my public IPs, and all IPs of my ISP.
    
    It seems that the intruder scanned with a SYN/FIN portscan to detect the
    Alcatels, and afterwards he/she put the new firmware version on them.
    
    I don't know what the hell the new version does, but sometimes during the
    upgrade the configuration is lost, so many people blame their ISP or the
    telco company for service interruptions, but in truth their ADSL is
    running flawlessly, while the modem has become unconfigured.
    
    I suspect that the new version has some kind of backdoor, since the
    EXPERT mode is disabled in telnet (while the debugging stuff still works
    with the same challenge/response scheme), but the normal user is allowed
    to do ftp get (while it wasn't allowed before, thanks Luca), and some
    features seem to appear (the debugging stuff I reported before, td
    menus).
    
    My modem was apparently upgraded during the period between 0:00 and
    4:00 CET on the 3rd of August without losing any configuration, so
    I wouldn't have noticed anything without a direct check using "software version"
    on the console or via telnet access.
    
    The offending version was:
    KHDSAA3.264 with md5 6771623a99d774953d6469ba6f2ccacb
    
    How to downgrade?
    First of all, obtain a clean version, with or without Shimomura's patch
    (as you wish). I can't send it to a mailing list for copyright reasons
    (really sorry!!!!!!).
    
    The two official versions I saw BEFORE the attack were (trained by their
    md5sums):
    
    ae93eedcc6bee9d3c24ba6d0f809784e  KHDSAA.134
    or
    5582c3922a2faae789674b6e0ced7e78  KHDSAA.132
    
    
    Then put it by ftp on your modem. Just remember to put it (in binary mode,
    issue the bin command first of all) in the dl directory and exec "quote site gc"
    just before the put command.
    Now telnet, or grab your favourite console cable (if you have the Pro
    version, of course) and connect it to your modem, then log in (if needed..) and issue
    
    => software setpassive file = KHDSAA.13x
    
    (put your own version, sub the x with 2 or 4 or whatever..)
    
    => software switch
    
    the modem reboots
    reconnect as fast as you can if you are connected by telnet..
    
    => software version
    just to check if it's running the right version (check the active one!)
    
    => software deletepassive
    delete the 264 one before the modem detects it and reboots with it (it
    thinks that the 264 is newer, so it tries to run the latest one..).
    If you are unable to delete the new one, try the more powerful console
    access if you've got a Pro version.
    
    
    If you apply the patches, remember to disable EVERYTHING (apart from
    telnet/ftp access, otherwise you won't be able to download any newer
    release). No EXPERT access, no TFTP, no VPI 15 AAL5 TFTP/SNMP access =
    less trouble in the future.
    
    Remember also that many other backdoors can still exist, since many people
    running patched versions get their modem upgraded without notice..
    
    
    
    
    Many thanks to Luca "Bluca" Berra and Michele "BaNzO" Zamboni for their
    invaluable help while thinking and patching everything!
    
    
    Many "thanks" even to the Alcatel people for providing backdoor'd sw and
    avoiding public distribution of patches. I hope this incident will
    convince them to be more "open" to the coder/hacker community, since security
    through obscurity is NOT a good way of life, as Windows teaches.
    
    Otherwise I wish them to live the hell of many many people calling them to
    ask for patches.. :)
    
    
    
    Kissing your hands,
    k0
    
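The post describes the precursor to the rogue firmware push: a SYN/FIN sweep of port 21 across whole address ranges. SYN and FIN set together is a flag combination no normal TCP stack emits, so it is an easy thing to alert on. The following is an added example, not code from the post or from Alcatel: it parses constructed netfilter-style log lines (sample data, not real captures) and reports any source that sent SYN/FIN probes to port 21 on several distinct hosts.

```python
import re
from collections import defaultdict

# Constructed netfilter-style log lines (sample data, not from the post): one
# source sweeping port 21 with SYN/FIN across several hosts, plus benign noise.
SAMPLE_LOG = """\
Aug  3 02:14:05 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=6000 DPT=21 SYN FIN URGP=0
Aug  3 02:14:05 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.11 LEN=40 PROTO=TCP SPT=6000 DPT=21 SYN FIN URGP=0
Aug  3 02:14:06 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.12 LEN=40 PROTO=TCP SPT=6000 DPT=21 SYN FIN URGP=0
Aug  3 02:14:06 gw kernel: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.13 LEN=40 PROTO=TCP SPT=6000 DPT=21 SYN FIN URGP=0
Aug  3 02:15:40 gw kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51234 DPT=21 SYN URGP=0
Aug  3 02:16:01 gw kernel: IN=ppp0 OUT= SRC=192.0.2.78 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51300 DPT=80 SYN URGP=0
Aug  3 02:16:02 gw kernel: IN=ppp0 OUT= SRC=192.0.2.79 DST=198.51.100.10 LEN=40 PROTO=TCP SPT=51301 DPT=23 SYN FIN URGP=0
"""

# netfilter prints the set TCP flags as bare tokens between DPT=... and URGP=...
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+) (?P<flags>.*?)URGP="
)


def parse_tcp_events(log_text):
    """Yield (src, dst, dport, flagset) for every TCP line the regex matches."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = set(m.group("flags").split())
        yield m.group("src"), m.group("dst"), int(m.group("dpt")), flags


def find_synfin_scanners(log_text, port=21, min_targets=3):
    """Return {src: sorted list of targets} for each source that sent packets with
    both SYN and FIN set to `port` on at least `min_targets` distinct hosts.
    The threshold separates a sweep from a single stray malformed packet."""
    targets = defaultdict(set)
    for src, dst, dport, flags in parse_tcp_events(log_text):
        if dport == port and {"SYN", "FIN"} <= flags:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_synfin_scanners(SAMPLE_LOG).items():
        print(f"SYN/FIN sweep of port 21 from {src}: {len(hosts)} hosts ({', '.join(hosts)})")
```

A real deployment would feed it the kernel log of the router in front of the modems; the single-host SYN/FIN probe to port 23 in the sample is deliberately left below the threshold.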



    This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 20:36:20 PDT