Re: SPRINT ADSL [Zyxel 645 Series Modem]

From: http-equivat_private
Date: Tue Feb 11 2003 - 09:30:10 PST

    FX <fxat_private> said:
    
    > > ftp> open malware.com
    > > Connected to malware.com.
    > > 220 Sprint FTP version 1.0 ready at Wed Jan  5 17:20:47 2000
    > > User (malware.com:(none)):
    > > 331 Enter PASS command
    > > Password:
    > > 230 Logged in
    > > ftp> get rom-0
    > 
    > I'm not sure if this applies to the Zyxel boxes you found, but 
    > there is another file called spt.dat, which contains all password 
    > and account information. More details can be found here: 
    > http://www.DarkLab.org/archive/msg00144.html
    > 
    > FX
    
    Yes, FX, you are correct. After a good swift kick in the nuts, Sprint 
    has done and is still doing an admirable job in fixing this. 
    
    Sufficient time has elapsed to advise this.
    
    The only additional note is to strongly suggest that the users change 
    their master account password as well:
    
    <!-- 
    
    Friday, January 24, 2003
    
    Ladies and Gentlemen:
    
    Reference the information provided to you on Monday and Tuesday of 
    this week and subsequent announcements on Thursday this week:
    
    http://www.wired.com/news/infostructure/0,1377,57342,00.html
    
    http://www.securityfocusonline.com/archive/1/307793/2003-01-22/2003-01-28/0
    
    This message serves to inform you that your entire user base is open 
    to full and complete remote compromise through this modem.
    
    This includes full access to:
    
    1. the internet via adsl and dialup connection
    2. pop3 email retrieval
    3. webmail 
    4. web based user account management including user name and address 
    and billing details
    
    The problem lies in the fact that the modem you have provided to your 
    user base is installed with a commonly known default login and 
    password. Once access has been gained to this modem, it is trivially 
    possible to retrieve a storage file contained within the modem which 
    includes the user's name and password.
    
    With this information it is possible to access all aspects of the 
    user account as described above.
    
    Example:
    
    00000020: 1234
    00000042: malst
    00000060: Sprint
    00000082: mal Ware
    000000AC: public
    000000CC: public
    000000EC: public
    00001086: dhcppc
    00001C54: MyISP
    00001DDE: grandpamalware
    00001DEB: malware.
    00001DFE: ware
    00002112: mal
    
    0x20 the root password in clear
    0x40 SNMP Location
    0x60 Device name
    0x80 SNMP Sys Contact
    0xac SNMP read community
    0xcc SNMP read community
    0xec SNMP read community
    0x188 SUA Server IP address
    0x1c54 First PPPoE Account config name (Default: ChangeMe)
    0x1dde First PPPoE Username
    0x1dfe First PPPoE Password
    0x21dc Second PPPoE Account config name
    
    Where the username grandpamalwareat_private and the password "ware" 
    are entered into a dialup connection with the specific access number, 
    they will work; entered into a pop3 mail client with the corresponding 
    pop3 server, they will retrieve mail accordingly; entered into a web 
    based mail access, they will allow for access; and where access to 
    myaccount information is required, they will allow for authentication 
    and login.
    
    In other words, the single user id and email address along with the 
    single pass all contained within the file on the modem will allow 
    access to everything!
    
    The file on the modem is a small dat file called spt.dat therein, in 
    clear text, lies all this information.
    
    This information is already in the public domain and you need to 
    urgently firewall your user base ports http, telnet, and ftp while 
    you solve this problem. You must assume that malicious parties are 
    well-aware of and are probably exploiting it right now.
    
    Today is Friday. Nothing has been done about this to date. Your 
    entire user base is at risk.
    
    We expect some sort of substantial action by Tuesday latest. Failing 
    that, we will discuss this in technical depth on all relevant 
    security lists.
    
    End Call
    
    cc: 
    
    Wired
    @pc-radio.com
    Symantec
    @securityfocus.com
    CERT
    @cert.org 
    Earthlink
    @corp.earthlink.net
    abuseat_private
    securityat_private
    Sprint
    @mail.sprint.com
    nocat_private
    abuseat_private
    securityat_private
    
    
    -- 
    http://www.malware.com
    
     -->
    
    Date: Tue, 28 Jan 2003 17:01:25 -0500
    
    <!-- 
    
    Sprint is working closely with its DSL modem manufacturer to ensure 
    the security and integrity of its Sprint-provided DSL equipment. Sprint 
    is dedicated to providing its customers a secure broadband Internet 
    network, and to that end, recently identified an additional layer of 
    security that can help protect customers' DSL modems.
    
    The company began notifying its customers - one-by-one - in a very 
    targeted initiative to provide guidance on ensuring their DSL service 
    is reliable and secure. We are consulting with our customers and 
    walking them through the relatively simple steps to ensure an 
    additional layer of security on their modem. 
    
    Proactively, we are reaching out to our customers in three different 
    ways - outbound telephone calls, e-mail messages and a customer letter 
    mailed today (Jan. 28). These communications are directed at helping 
    ensure the safety and security of customers' DSL modems.
    
    Additionally, we are informing all DSL customers who call our 
    technical assistance group of the procedures for securing their modem.
    
    Sprint is committed to providing safe, reliable and secure voice and 
    data services to all its customers. When an event occurs that 
    threatens that safety, reliability and security, we take it very 
    seriously and we will continue to do everything we can to contact our 
    customers.
    
    
    
    Director-Customer Operations
    
     -->
    
    Notes: users can address the issue here:
    
    http://csb.sprint.com/home/local/dslhelp/release645m.html
    
    
    -- 
    http://www.malware.com
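
A defender-side audit of the spt.dat field layout quoted in the letter above, added here as an example and not part of the original post or of any Sprint or Zyxel tool. It assumes each listed offset holds a printable ASCII string running to the first non-printable byte (the post gives no field lengths), and it builds a constructed stand-in for spt.dat from the strings in the post's dump rather than reading a real modem file:

```python
# Field layout as listed in the post (offset -> description). The post gives no
# field lengths, so this ASSUMES each field is a printable-ASCII run.
FIELDS = {
    0x20: "root password",
    0x40: "SNMP sysLocation",
    0x60: "device name",
    0x80: "SNMP sysContact",
    0xAC: "SNMP read community #1",
    0xCC: "SNMP read community #2",
    0xEC: "SNMP read community #3",
    0x1C54: "PPPoE account #1 config name",
    0x1DDE: "PPPoE account #1 username",
    0x1DFE: "PPPoE account #1 password",
}
SECRETS = {0x20, 0x1DFE}                        # reported as present, never echoed
WEAK_DEFAULTS = {"public", "ChangeMe", "1234"}  # default/weak values named in the post

def read_field(buf: bytes, off: int, limit: int = 64) -> str:
    """Read a printable-ASCII run near `off`, skipping up to 4 leading pad bytes
    (the post's dump shows some strings two bytes past the listed offset)."""
    start = off
    while start < off + 4 and not 0x20 <= buf[start] < 0x7F:
        start += 1
    end = start
    while end < off + limit and 0x20 <= buf[end] < 0x7F:
        end += 1
    return buf[start:end].decode("ascii")

def audit_spt(buf: bytes) -> list[str]:
    """Findings a defender wants: cleartext secrets and factory defaults left in place."""
    findings = []
    for off, name in sorted(FIELDS.items()):
        val = read_field(buf, off)
        if off in SECRETS and val:
            weak = ", matches a known weak default" if val in WEAK_DEFAULTS else ""
            findings.append(f"0x{off:04x} {name}: stored in cleartext{weak} ({len(val)} chars)")
        elif val in WEAK_DEFAULTS:
            findings.append(f"0x{off:04x} {name}: factory default {val!r} still set")
    return findings

def make_sample() -> bytes:
    # Constructed stand-in for spt.dat, laid out like the dump in the post (not a real file).
    buf = bytearray(0x2200)
    for off, val in {0x20: "1234", 0x42: "malst", 0x60: "Sprint", 0x82: "mal Ware",
                     0xAC: "public", 0xCC: "public", 0xEC: "public",
                     0x1C54: "MyISP", 0x1DDE: "grandpamalware", 0x1DFE: "ware"}.items():
        buf[off:off + len(val)] = val.encode("ascii")
    return bytes(buf)
```

Running `audit_spt(make_sample())` reports the cleartext root and PPPoE passwords and the three SNMP communities still set to "public", without echoing any secret value.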
    



    This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 10:31:53 PST