LG Nortel Disclosure / Insecure Configuration / DoS

09 Dec 2015 | Reported by Karn Ganeshen | Type: packetstorm | Source: packetstormsecurity.com

LG Nortel ADSL modem vulnerabilities disclosed, including authorization flaws, sensitive information disclosure, insecure configuration and DoS.

Code
`# Title: [LG Nortel ADSL modems - Multiple vulnerabilities]  
# Discovered by: Karn Ganeshen  
# Vendor Homepage: [NA]  
# Version Reported:
#   Board ID: DV2020
#   Product Version: S1.064B2.3H0-0
#   Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e
  
*Timelines*  
April 2015: Vulnerabilities found
April 2015: Reported to Optus & CERT  
April - October 2015: CERT (US/AUS) attempts to identify vendor / device  
ownership. None found.  
Dec 03, 2015: Public disclosure  
  
*CVE-IDs*  
None (MITRE?)
  
*Note*:  
After several months, vendor ownership for this device still remains
unknown/unconfirmed.

Regardless, it is currently in use, deployed by Optus (Australia), to
possibly 20-30% of its customer base (primarily broadband services, home
users / SOHO). So, quite a number out there.

There may be other deployments, but neither I nor CERT are aware of any.
  
*Device Info*  
Board ID: DV2020  
Product Version: S1.064B2.3H0-0  
Software Version: 3.04L.02V.sip._LE9500.dspApp3341A2pB022f.d19e  
Bootloader (CFE) Version: 1.0.37-4.3  
Wireless Driver Version: 3.131.35.0.cpe0.0
  
  
*Vulnerabilities*  
  
Authorization flaws, Sensitive Information Disclosure, Insecure  
configuration, Denial of Service  
  
  
*1. Authorization Flaws (HTTP)*  
  
1.1 *Non-admin users can access restricted, Administrative functionality  
(accessible to Admin only)*  
  
The LG-Nortel ADSL modem provides three (3) user accounts with different
privilege levels for administering the device. The administrative ‘admin’
user has complete privileges to access and perform all functions on the
modem. The other, non-admin users, ‘support’ and ‘user’, have restricted
functional access and can perform only limited functions.
  
A non-admin ‘user’ does not have access to administrative functions via the
GUI menu, i.e. no administrative function links are visible on the home
page.

However, the application lacks server-side authorization checks, so a
‘user’ can still reach the administrative functionality by requesting its
URL directly (forced browsing).
  
For example, a non-admin ‘user’ has no menu option for the device
configuration file. However, it can still retrieve the file,
*backupsettings.conf*, by requesting the URL directly:

http://<modem_ip>/backupsettings.conf

With access to this configuration file, a low-privileged ‘user’ can easily
recover the login passwords for ‘admin’ and any other valid users of the
modem. The login passwords are stored base64-encoded; base64 is an
encoding, not encryption (there is no key), so the clear-text password(s)
are trivially obtained with any base64 decoder.

In a similar manner, the low-privileged ‘user’ and ‘support’ logins can also
access other administrative functions.
  
1.2 *Application does not secure sensitive configuration details from
non-admin ‘user’ (HTTP)*

The application gives the ‘user’ login read-only access. However, sensitive
configuration information such as passwords and keys is not withheld from
that read-only view: all configuration details are readily accessible and
readable to the ‘user’ login.
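
As an added example (not part of the advisory), the following Python script covers both 1.1 and 1.2: it probes admin-only URLs with a low-privilege session to confirm that the server never checks authorization itself, and it decodes base64 *Password elements from a backup file to show why base64 offers no protection. The HTTP fetcher is injected so the probe can run against a lab device or a fake responder offline; the SAMPLE_CONF element names and the 192.0.2.1 address are assumptions, not the device's real schema or address.

```python
import base64
import binascii
import re
from typing import Callable, Dict, List

# Endpoints that only 'admin' should be able to reach. Both are named in the
# advisory; anything you add for your own device is your own assumption.
ADMIN_ONLY_PATHS = ["/backupsettings.conf", "/password.cgi"]


def check_forced_browsing(fetch: Callable[[str], int], base_url: str,
                          paths: List[str] = ADMIN_ONLY_PATHS) -> List[str]:
    """Return the admin-only paths that answer HTTP 200 to a low-privilege session.

    `fetch(url) -> status` is supplied by the caller, e.g. a requests.Session
    bound to the 'user' credentials, or a fake responder for offline testing.
    A menu that hides a link is not an authorization control; the server must
    reject the request itself, so every path in the returned list is a finding.
    """
    base = base_url.rstrip("/")
    return [p for p in paths if fetch(base + p) == 200]


# Constructed excerpt in the style of a modem backup file. The element names
# are assumptions for illustration, not the device's actual schema.
SAMPLE_CONF = """\
<AdminPassword>YWRtaW4=</AdminPassword>
<SupportPassword>c3VwcG9ydA==</SupportPassword>
<UserPassword>dXNlcg==</UserPassword>
<WlanSsid>optus-home</WlanSsid>
"""

# Matches <SomethingPassword>base64</SomethingPassword> pairs.
_PW_RE = re.compile(r"<(\w*[Pp]assword)>([A-Za-z0-9+/=]+)</\1>")


def decode_base64_passwords(conf_text: str) -> Dict[str, str]:
    """Recover clear-text passwords from base64-encoded *Password elements.

    base64 is an encoding, not encryption: there is no key, so anyone who can
    read the file can reverse it. Values that are not valid base64 are skipped.
    """
    found: Dict[str, str] = {}
    for name, blob in _PW_RE.findall(conf_text):
        try:
            found[name] = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return found


if __name__ == "__main__":
    # Offline demo: a fake fetcher standing in for the modem's HTTP server.
    def fake_fetch(url: str) -> int:
        return 200 if url.endswith("/backupsettings.conf") else 403

    print("reachable as 'user':", check_forced_browsing(fake_fetch, "http://192.0.2.1"))
    print("decoded:", decode_base64_passwords(SAMPLE_CONF))
```

Against a real device you would pass a fetcher that logs in as ‘user’ and returns the status code; any admin-only path that returns 200 is the authorization flaw, and the decoded values from the retrieved file are the credential disclosure.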
  
1.3 *Password Change - Clear-text Password Disclosure*  
  
The application does not protect a newly changed password. Once the
password is changed, the application reveals the new password in the
browser address bar, as a query-string parameter:

http://<modem_ip>/password.cgi?sptPassword=<new_password_clear_text>

This HTTP GET request contains the new, valid password in clear-text.
Because it travels in the URL, the password also ends up in browser
history, proxy and web-server access logs, and any Referer header sent
from the resulting page.
  
  
*2. Application does not secure configured passwords (HTTP)*  
  
The application relies on client-side masking only, which is easily
bypassed, to hide sensitive values such as service accounts and their
passwords. In the browser the password fields show only *****, but the
actual values are submitted in clear-text as GET query-string parameters,
so they can be read by intercepting the request (or from browser history
and server logs).
  
The following captured HTTP GET request shows the *masked* SIP / VoIP
password(s) in clear-text (phone numbers and passwords redacted):

GET /voicesipset.cmd?proxyAddr=sip11.yesphone.optus.com.au&proxyPort=5060&regAddr=sip11.yesphone.optus.com.au&regPort=5060&extension1=<phone-num-removed>&extension2=&password1=<password-removed>&password2=&ifName=ppp_8_32_1&servermode=proxy&telurl=sip&regexpiry=1800&hostname=sip11.xxx.xxx.com.au&localport=5060&display1=<phone-num-removed>&display2=&authuser1=<phone-num-removed>&authuser2= HTTP/1.1
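
As an added example, not from the advisory, the following Python detector scans web-server or proxy access-log lines for non-empty credential-looking parameters in request query strings, the leakage pattern that 1.3 and 2 describe. The sample log lines are constructed (addresses, timestamps and values are made up, and the SIP host is replaced by a placeholder), and the parameter-name regex is a heuristic of our own. It reports parameter names only, never values, so the finding itself does not become a second copy of the secret.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

# Heuristic for parameter names that should never carry a value in a URL.
# Matches names ending in pass/password/pwd/secret/key/token with an optional
# numeric suffix (password1, password2, sptPassword, ...).
SENSITIVE_PARAM = re.compile(r"(pass(word)?|pwd|secret|key|token)\d*$", re.IGNORECASE)

# Pulls the request line out of a Common Log Format entry.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed log lines; the two CGI names come from the advisory, everything
# else (client addresses, timestamps, values, the SIP host) is made up.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Dec/2015:10:02:11 +1100] "GET /password.cgi?sptPassword=Hunter2 HTTP/1.1" 200 512
192.0.2.10 - - [03/Dec/2015:10:02:40 +1100] "GET /voicesipset.cmd?proxyAddr=sip.example&password1=s3cret&password2=&authuser1=0299990000 HTTP/1.1" 200 1024
192.0.2.11 - - [03/Dec/2015:10:03:05 +1100] "GET /main.html HTTP/1.1" 200 2048
192.0.2.12 - - [03/Dec/2015:10:03:09 +1100] "POST /password.cgi HTTP/1.1" 200 300
"""


def find_credentials_in_urls(log_text: str) -> List[Dict[str, object]]:
    """Flag requests whose query string carries a non-empty sensitive parameter.

    Empty parameters (password2= in the advisory's capture) are ignored, since
    nothing leaked. Only parameter names are returned, never their values.
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = _REQ_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        leaked = sorted({
            name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if value and SENSITIVE_PARAM.search(name)
        })
        if leaked:
            hits.append({
                "line": lineno,
                "method": m.group("method"),
                "path": parts.path,
                "params": leaked,
            })
    return hits


if __name__ == "__main__":
    for hit in find_credentials_in_urls(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['method']} {hit['path']} leaks {hit['params']}")
```

The POST entry in the sample is not flagged, which is the point of the fix: a password belongs in a POST body (over TLS, where the device supports it), and the response should redirect rather than echo the parameter back in the URL.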
  
  
*3. Insecure configuration (Telnet)*  
  
3.1 *No separation of privileges*  
  
After logging in over Telnet as ‘user’, the system still permits running
system-level commands and reading sensitive files from the file-system.

- *shadow* is not used: all password hashes are stored in *passwd*, which is
readable by everyone, and all system users are uid 0, gid 0, i.e.
root-privileged superusers. :)
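
As an added example, not part of the advisory, the following Python audit function reads a passwd(5)-format file and reports exactly the two conditions described above: accounts with uid or gid 0 other than root, and password hashes (or empty passwords) kept in the world-readable passwd file instead of shadow. SAMPLE_PASSWD is constructed to mirror the description; the hash strings are fake. On the device you would feed it the output of `cat /etc/passwd` taken over the Telnet shell.

```python
from typing import Dict, List

# Password-field values that are acceptable in /etc/passwd: 'x' means the
# hash lives in /etc/shadow, the others mean the account cannot log in.
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}

# Constructed file in the shape the advisory describes: every login account is
# uid 0 / gid 0 and the hash sits in field 2 instead of 'x'. Hashes are fake.
SAMPLE_PASSWD = """\
admin:$1$FAKEsalt$FAKEhashFAKEhashFAKEhash:0:0:Administrator:/:/bin/sh
support:$1$FAKEsalt$FAKEhashFAKEhashFAKEha2:0:0:Technical Support:/:/bin/sh
user:$1$FAKEsalt$FAKEhashFAKEhashFAKEha3:0:0:Normal User:/:/bin/sh
nobody:*:65534:65534:nobody:/:/bin/false
"""


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Audit a passwd(5) file for root-equivalent accounts and exposed secrets.

    Returns a report with five lists of account names (or raw lines for
    "malformed"):
      uid0            accounts other than root with uid 0 (full root privilege)
      gid0            accounts other than root with gid 0
      hash_in_passwd  password hash stored in the world-readable passwd file
      empty_password  empty password field, i.e. login without a password
      malformed       lines that do not have seven fields or numeric uid/gid
    """
    report: Dict[str, List[str]] = {
        "uid0": [], "gid0": [], "hash_in_passwd": [], "empty_password": [], "malformed": [],
    }
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            report["malformed"].append(line)
            continue
        name, pw = fields[0], fields[1]
        uid, gid = int(fields[2]), int(fields[3])
        if uid == 0 and name != "root":
            report["uid0"].append(name)
        if gid == 0 and name != "root":
            report["gid0"].append(name)
        if pw == "":
            report["empty_password"].append(name)
        elif pw not in LOCKED_OR_SHADOWED:
            # Anything else is a hash (or clear-text) readable by every user.
            report["hash_in_passwd"].append(name)
    return report


if __name__ == "__main__":
    for key, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key}: {names}")
```

A clean result has every list empty. On the modem described here, all three login accounts appear in uid0, gid0 and hash_in_passwd at once, which is why "user" and "admin" are only cosmetically different over Telnet.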
  
  
3.2 *Application does not secure sensitive configuration details from  
‘user’*  
  
The application permits the ‘user’ login to view sensitive information in
the modem’s configuration. The Telnet administrative console exposes a
command, *dumpcfg*, to ‘user’; running it as ‘user’ dumps the device
configuration, including sensitive information such as passwords and keys,
all in clear-text.
  
  
*4. Authorization flaws + Denial of Service (Telnet)*  
  
After logging in to the modem, the *passwd* command can be used to change the
passwords of all three users, ‘admin’, ‘support’, and ‘user’:

> passwd
Usage: passwd <admin|support|user> <password>
passwd --help

A non-admin ‘user’ account should be prevented from changing the passwords
of any other account.
  
*1st attempt - Failed*

> passwd admin admin1
Connection closed by foreign host.

The first attempt to change the ‘admin’ login password fails and the Telnet
connection drops. The Telnet service has now crashed, and the device will
need a reboot.

First attempt -> application crash.

I.e. the Telnet daemon can be crashed by logging in as a low-privileged
user and attempting an unauthorized action, such as trying to change the
password for the ‘admin’ user.
  
In the second attempt, the command executes and the password for ‘admin’ is
changed successfully.
  
*2nd attempt - Successful*

> passwd admin admin1
>

Following this password change, the Telnet service again becomes
non-responsive within 10-15 seconds and the connection drops.

Second attempt -> application changes the password. :)

There is another way to crash the Telnet service: log in to Telnet as
‘user’, drop to the underlying BusyBox shell, and run vconfig:

# telnet 10.1.1.1
> sh
> vconfig    -> DoS / crash
  
  
+++++  
  
--   
Best Regards,  
Karn Ganeshen  
  
  
`
