Exploit Labs Security Advisory 2005.2

`------------------------------------------------------------  
- EXPL-A-2005-002 exploitlabs.com Advisory 031 -  
------------------------------------------------------------  
- Samsung ADSL Modem -  
  
  
  
  
  
  
AFFECTED PRODUCTS  
=================  
Samsung ADSL Modem  
  
Samgsung Eletronics  
http://www.samsung.com  
  
  
DETAILS  
=======  
1. Arbitrary reading of files  
2. Default root password  
3. root file system access  
  
  
Known issues exist in Boa httpd as per:  
FreeBSD-SA-00:60 Security Advisory  
  
http://www.securiteam.com/unixfocus/6G0081P0AI.html and  
http://lists.insecure.org/lists/bugtraq/2000/Oct/0445.html  
  
note:  
This is a hardware based product with built in httpd for  
remote access, this is a seperate issue than the ones  
formaly presented above, but carry the same implications.  
  
  
Identification:  
  
HTTP/1.0 400 Bad Request  
Date: Sat, 03 Jan 1970 17:57:18 GMT  
Server: Boa/0.93.15  
Connection: close  
Content-Type: text/html  
  
Modem vendor Samsung Electronics (co) modem   
co chipset vendor b500545354430002   
cpe chipset vendor Samsung Electronics (co) cpe chipset   
software version SMDK8947v1.2 Jul 11 2003 10:00:01   
ADSL DMT version a-110.030620-10130710  
  
  
Samsung ADSL modems run uClinux OS  
http://www.uclinux.com  
  
note:  
Depending on the implimentation, other products  
using a combination of Boa / uClinux may be  
affected as well.   
  
  
Item 1  
=====  
http://[someSamsung.ip]/etc/passwd  
http://[someSamsung.ip]/etc/hosts  
http://[someSamsung.ip]/bin/  
http://[someSamsung.ip]/dev/  
http://[someSamsung.ip]/lib/  
http://[someSamsung.ip]/tmp/  
  
http://[someSamsung.ip]/var/ppp/chap-secrets  
  
http://[someSamsung.ip]/bin/sh  
  
Any remote user may request any file present  
in the router/modem OS file system.  
Files can be fetched unauthenticated via a  
GET request in a browser.  
  
  
Item 2  
=====  
Default user login / passwords exist in both  
httpd ( http://[host]/cgi-bin/adsl.cgi) and telnet ports  
  
root/root  
admin/admin  
user/user  
  
  
Item 3  
======  
By telneting to the device and loging in as  
root/root, remote users my access the filesystem.  
The modem provides 256mb of ram for OS and  
file system operations. In this implimentation  
there is aprox 120mb free file system space  
which allows for the posibility for remote  
attackers to use the file system for malicious  
communication and file storage. This allows  
many scenarios such as a storing worm and/or  
viral code.  
  
#echo "some bad data" >file  
  
  
  
SOLUTION:  
=========  
none to date  
  
Samsung has been contacted  
No patch released  
  
  
  
Credits  
=======  
This vulnerability was discovered and researched by   
Donnie Werner of exploitlabs  
  
Donnie Werner  
  
mail: [email protected]  
--   
web: http://exploitlabs.com  
web: http://zone-h.org  
  
`