[20426] in bugtraq


Re: multiple vulnerabilities in Alcatel Speed Touch DSL modems

daemon@ATHENA.MIT.EDU (Matthew Schalit)
Wed Apr 25 01:50:12 2001

MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Message-ID:  <3AE4B223.F0F7BF21@pacbell.net>
Date:         Mon, 23 Apr 2001 15:52:19 -0700
Reply-To: Matthew Schalit <mschalit@PACBELL.NET>
From: Matthew Schalit <mschalit@PACBELL.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

"Michael A. Nunes" wrote:
>
> Dear Peter & Others,
>
>         I actually contacted Alcatel specifically about the A1000, and
> there seems to be a few different models of the same modem.  My
> particular model number (found on the back of the modem) ends in
> "AB" and Alcatel told me that this means that the modem cannot
> be connected to except by a "Gig'E'Box," whatever that may be.

>                 -- pcmike



Hi folks,

  Here's some model number data if you're interested,
from the Alcatel 1000 ADSL High Speed Modem User's
Guide, Edition 01, p.5, Table B:


  Service Type                             Model #
----------------------------------------------------

ATM-25 Service (ATMF)                      3EC 18200 AB

Bridged Service (RFC 1483)                 3EC 18202 AB

Bridged Service (RFC 1483)
Point to Point Service (PPP)               3EC 18202 BB

Bridged Service (RFC 1483) with Filtering
Point to Point Service (PPP)               3EC 18202 DB
-------------------------------------------------------



I've tested an Alcatel 1000 external which has a
model # 3EC 18202AD AB   and that's not a typo.


It's the standard one Pacbell installed when they first
rolled out ADSL with static IP's in the San Francisco
Bay Area.

I can connect to it with telnet, ftp, tftp, and http as
described in the advisory.

Telnet behaves a bit strangely.  Telnetd always skips the
username part, and issues the EXPERT challenge, then waits
for the EXPERT response.  So telnet only works in expert mode.

Ftp downloads/uploads only work in EXPERT mode.
Ftp can browse in normal mode with an empty username and password,
thus enabling downloads/uploads without a password using tftp
(once the directory structure has been ascertained).



It's odd that my model # has the 'AD' in it.  I can only figure
that it is not significant when referenced in comparison to the
Service Type table, above.  This modem is assigned only one IP.


Connection help:
----------------
  Set up one computer as your test box with a nic and connect it
directly to the Alcatel 1000's 10BaseT port using a straight through
cable.  The nic is mdi and the Alcatel 1000 is mdix, so that's why you
use a straight through cable.

  Set up the computer's nic with

    ip addr    :  10.0.0.140
    mask       :  255.255.255.0
    netw       :  10.0.0.0
    bcast      :  10.0.0.255
    default gw :  unset

Your computer should have a route to the 10.0.0.0 network via eth0,
the external nic, so you should be able to ping 10.0.0.138 and get a
response without a default route.  If that works, continue....

Attempt to ftp 10.0.0.138.
Results?  Exact error message?

I had success with this method or setting the whole computer on
a class A /8 network, rather than the class C /24 example I just showed.

Regards,
Matt
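
An added example, not part of the original message: a Python check of the addressing plan from the "Connection help" steps, showing why 10.0.0.138 is reachable without a default gateway under both the /24 and the /8 mask, followed by an owner's audit of which TCP management services the modem accepts connections on. The function names are hypothetical, and the port numbers are the standard assignments for ftp, telnet and http, assumed here because the post names only the protocols.

```python
import ipaddress
import socket

MODEM = ipaddress.ip_address("10.0.0.138")  # modem address from the post
# TCP management services the post reports reaching (standard ports assumed).
# TFTP runs over UDP/69 and is not covered by a TCP connect check.
TCP_SERVICES = {"ftp": 21, "telnet": 23, "http": 80}


def nic_plan(ip, mask):
    """Derive network/broadcast from ip and mask; report if the modem is on-link."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        # On-link: the connected route created for this interface covers the
        # modem, so no default gateway is needed to reach it.
        "modem_on_link": MODEM in net and MODEM != iface.ip,
    }


def open_services(host, services=TCP_SERVICES, timeout=1.0):
    """Return the names of services whose TCP port accepts a connection on host."""
    found = []
    for name, port in services.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(name)
        except OSError:
            pass  # refused, filtered or unreachable
    return sorted(found)


if __name__ == "__main__":
    # The /24 from the post and the /8 alternative mentioned at the end.
    for mask in ("255.255.255.0", "255.0.0.0"):
        print(mask, nic_plan("10.0.0.140", mask))
    if nic_plan("10.0.0.140", "255.255.255.0")["modem_on_link"]:
        print("listening on modem:", open_services(str(MODEM)))
```

Any service this reports as listening on a modem you own is reachable from the LAN side and should be reviewed against the advisory.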
