unpassworded.dsl.routers.txt

11 Mar 2000 00:00:00 | Reported by Andrew R. Siverly | Type: packetstorm | Source: packetstormsecurity.com

Router deployment lacks security, risking unauthorized access and control of DSL modems.

Code
` Kewlhair Security Advisory  
Advisory Name: Router Passwords  
Advisory Released: 03/09/00  
Severity: Moderate  
Summary: An attacker can seize control of an SBC customer's router.  
  
  
Overview:  
SBC is currently deploying the Cayman-DSL router to its DSL  
customers. (SBC Communications is the parent company of  
Southwestern Bell, Ameritech, Pacific Bell, Nevada Bell, Cellular  
One, and a few more.) With this deployment SBC is neglecting to set  
passwords on the router. Kewlhair has found over 300 of these  
non-passworded routers.  
  
Description:  
  
Telco engineers often fail to set passwords on DSL modems installed  
at customer sites. The vulnerability affects many different DSL modems.  
The Cayman product is especially vulnerable because it defaults to  
having no password at all.  
  
As the telcos often do not educate their customers, the modems are  
left vulnerable to intrusion and denial of service events.  
  
Vulnerability:  
  
An individual with malicious intent could easily scan for these devices  
on a DSL provider's network, connect to them, and disable them without  
significant effort. In addition, an intruder could disable access to  
the device itself by installing a password (which only they would  
know).  
  
A significant vulnerability is that these devices often can be set  
with static routing tables so packets could be sent through an environment  
where a malicious third party could monitor the traffic.  
  
The Demo:  
  
[ user@xxxx /user]# telnet xxx.xxx.xxx..xxx..  
Trying xxx.xxx.xxx.xxx...  
Connected to xxx.xxx.xxx.xxx.  
Escape character is '^]'.  
  
Terminal shell v1.0  
Cayman-DSL Model 3220-H, DMT-ADSL (Alcatel) plus 4-port hub  
Running GatorSurf version 5.3.0 (build R2)  
( completed login: administrator level)  
  
Cayman-DSLXXXXXX>  
  
  
  
Worst Case:  
Someone writes a script that logs into every one of these routers,  
sets the passwords, then changes the IP or kills the interface so it  
no longer works properly, causing an SBC engineer to come to  
the home or place of business to fix the problem.  
(I bet that would cost some bucks)  
  
Solutions:  
  
Mandate that the Telco engineers change the default passwords on the  
devices at time of install, and provide literature to the consumer  
advising them of the risks of DSL (or cable) connections to the  
Internet.  
  
Quick solution:  
Set your password on your Cayman router.  
http://cayman.com/security.html#passwordprotect  
  
How do I password protect the Cayman router?  
  
Through the browser:  
1. Browse into the Cayman router.  
2. Click on the "Expert Mode" link.  
  
Through a Telnet session:  
1. First establish a telnet session to the unit or connect serially  
to the console port at 9600 baud.  
2. At the prompt, type "configure" (NOTE: all commands are typed  
without quotes) and press Enter.  
3. At this point you will be at the "top" prompt. Then type  
"system" and press Enter.  
4. Now you will be at the "system" prompt. Here you type  
"set password admin" and press Enter.  
5. You will then be prompted for the new password and then be  
prompted to repeat the password. Once you have done this, you will be  
back at the system prompt.  
6. Here you will need to repeat the process, this time for the user  
password, by doing the following steps:  
7. Type "set password user" and press Enter. Again you will then be  
prompted for the new password and then be prompted to repeat the  
password. Once this is done, you will be at the "system" prompt again.  
Here type "quit", and you will be prompted, "Save modified  
configuration data [y|n] ?" Type "yes" and the router is now  
password protected.  
  
NOTE- We recommend that the admin and user password be the same to  
avoid confusion. This approach allows only the admin password to view  
or change the settings.  
  
  
[email protected]  
  
`
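An added example, not part of the original advisory or any Cayman tooling: an install-time audit that checks a recorded CLI session against the Telnet hardening steps above and reports any step that was skipped, typed out of order, or left unsaved. The transcript layout (single `>` prompts, the password dialogue lines) and the function names are assumptions; only the commands and the save prompt text come from the advisory.

```python
import re

# Steps from the advisory's Telnet procedure, in the order they must be typed.
REQUIRED_STEPS = ["configure", "system", "set password admin",
                  "set password user", "quit"]
# Save prompt text as quoted in the advisory, followed by the operator's answer.
SAVE_RE = re.compile(r"Save modified configuration data \[y\|n\] \?\s*(\S+)")


def typed_commands(transcript):
    """Return what was typed after each '>' prompt (assumed prompt style)."""
    cmds = []
    for line in transcript.splitlines():
        _, sep, typed = line.partition(">")
        if sep and typed.strip():
            cmds.append(" ".join(typed.split()).lower())
    return cmds


def audit_session(transcript):
    """List the hardening steps a recorded session skipped or did not save."""
    findings = []
    cmds = typed_commands(transcript)
    pos = 0
    for step in REQUIRED_STEPS:
        try:
            pos = cmds.index(step, pos) + 1
        except ValueError:
            findings.append("missing or out of order: " + step)
    answer = SAVE_RE.search(transcript)
    if answer is None:
        findings.append("no save prompt seen: passwords not written")
    elif answer.group(1).lower() not in ("y", "yes"):
        findings.append("save declined: passwords not written")
    return findings


# Constructed transcripts; prompts and password dialogue are illustrative.
COMPLETE = """Cayman-DSLXXXXXX> configure
top> system
system> set password admin
New password: ****
Repeat password: ****
system> set password user
New password: ****
Repeat password: ****
system> quit
Save modified configuration data [y|n] ? yes
"""
INCOMPLETE = COMPLETE.replace("system> set password user\n", "").replace("? yes", "? n")

if __name__ == "__main__":
    for name, text in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        print(name, audit_session(text) or "all steps done and saved")
```

An empty result means every step was typed in order and the configuration was saved; a session that sets only the admin password, or answers "n" at the save prompt, is reported.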
