SecurityTracker.com
Category:   Device (VoIP/Phone/FAX)  >   Alcatel PBX Vendors:   Alcatel
Alcatel 4000 PBX Phone Switch Default Configuration Lets Remote Users Access the Switch and Gain Root Access
SecurityTracker Alert ID:  1003599
SecurityTracker URL:  http://securitytracker.com/id/1003599
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 19 2002
Impact:   Modification of system information, Root access via local system, User access via network
Exploit Included:  Yes  
Version(s): 4400
Description:   Several default configuration vulnerabilities were reported in the Alcatel 4400 PBX. A remote user may be able to access the system and gain root access.

Some configuration vulnerabilities were reported in the Alcatel 4400 PBX switch.

It is reported that the system comes with several accounts with common default passwords. If the root password has been changed from the default but other accounts have not been changed, a remote user can access the system via FTP with one of the non-root accounts, rename their '.profile' file, and then telnet to the system to obtain a UID of 0 (i.e., root access).

It is reported that a remote user who can log in with any user account name that is part of the 'other' group (e.g., install, kermit, swinst, mntple, at4400, root, halt, sync) can perform a shutdown of the PBX by executing /chetc/shutdown.

It is reported that several directories that contain sensitive data are configured with world writable or group writable permissions, allowing local users to modify critical data.

For example, a local user that is a member of the 'tel' group can overwrite the /chbin/pre_login login file (which is configured with set user id (suid) root privileges) and execute commands as root.

Various other configuration and data files can be overwritten, modified, or deleted.

Impact:   A remote user can gain access to the system using default passwords that may not have been changed. A local user can modify files on the system to obtain root privileges.
Solution:   No solution was available at the time of this entry.

The author of the report recommends placing your Alcatel 4400 behind a firewall and only permitting communications from your management station to access the system.

Vendor URL:  www.alcatel.com/ (Links to External Site)
Cause:   Configuration error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Tue, 19 Feb 2002 18:03:09 +0100
Subject:  Security BugWare : Alcatel 4400 PBX hack




               w w w . s e c u r i t y b u g w a r e . o r g
               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


                            > A D V I S O R Y <


                  < Playing around with ALCATEL 4400 PBX >


SYSTEM AFFECTED 
================
Alcatel 4400 PBX


PROBLEM
========

A little audit of an Alcatel 4400 PBX led us to some interesting bugs:
default passwords, many root accesses, DoS, halt. If you have a well-configured
one, some of them won't work.
The one we tested is under Alcatel support control; they should have the
same "don't change anything" policy for most of their customers, so you should
have the same bugs on yours.
Note that our checks were done in a production environment, without
exploiting bugs.


0- Environment
- - - - - - - - -

The Alcatel 4400 runs the real-time Chorus OS, now under Sun's control.
More information can be found at http://www.sun.com/software/chorusos/



1- Find the IP address of the Alcatel 4400
- - - - - - - - - - - - - - - - - - - - 

The Alcatel 4400 can be managed through the serial port or through the LAN.
In the LAN case, the 4400 listens on TCP port 2533.

After some sniffing, we saw that every TCP data packet carries, at the start
of its data field, the size of the transmitted data.
For example, to initiate a connection, the first data packet (after SYN, SYN-ACK,
ACK) contains \x00\x01\x43
\x43 is the data, \x00\x01 is the size (1 byte).

Any other data in the first data packet leads to a FIN-ACK reply,
closing the connection.

To check for a running 4400 on your LAN, just scan your network for
port 2533 open, then send \x00\x01\x43 and wait for \x00\x01

Use nmap to scan for port 2533 open, and this little script
to send \x00\x01\x43 and wait for \x00\x01 :

8<------------ alcatel.pl

#!/usr/bin/perl

# Checks for Alcatel 4400, sending TCP data on port 2533
# looking for specific reply
# irib@securitybugware.org

use strict;
use warnings;
use Getopt::Std;
use IO::Socket;

print("ALCATEL 4400 checker.\n");

my %args;
getopts('s:', \%args);
if (!defined($args{s})) { usage(); }

my $data = "\x43";          # payload: a single byte
my $size = "\x00\x01";      # 16-bit big-endian length of the payload
my $serv = $args{s};
my $port = 2533;
my $buf  = $size . $data;

my $socket = IO::Socket::INET->new(PeerAddr => "$serv:$port", Timeout => 1);
if ($socket) {
	print $socket $buf;

	# Read the 2-byte length word a 4400 sends back
	my $chunk = '';
	my $n = read($socket, $chunk, 2);

	# The original compared with a bitwise string '&', which is true for
	# any non-empty reply; an exact comparison is what the text describes.
	if (defined($n) && $n == 2 && $chunk eq "\x00\x01") {
		print "$serv may be an Alcatel 4400\n";
	} else {
		print "$serv doesn't look like an Alcatel 4400\n";
	}
} else {
	print "$serv is not an Alcatel 4400\n";
}

sub usage { die("\nUsage: $0 -s <server>\n\n"); }

8<------------
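The length-prefixed framing described above, together with the "\x00\x08TEST_REQ" keepalive named later under "Other bugs", as an added Python example that is not part of the advisory. It shows what a monitor or test harness parsing port 2533 traffic needs: the 16-bit big-endian length word, reassembly of a byte stream into whole frames, and the partial-frame case that the Perl probe does not handle. Only the layout stated in the advisory is assumed.

```python
import struct

# Framing seen on TCP/2533 in the advisory: a 16-bit big-endian length word,
# then that many payload bytes. The hello is b"\x00\x01\x43"; the management
# keepalive is b"\x00\x08TEST_REQ". Both values are taken from the text.

def encode_frame(payload: bytes) -> bytes:
    """Prefix payload with its 2-byte big-endian length."""
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length word")
    return struct.pack(">H", len(payload)) + payload

def decode_frames(buf: bytes):
    """Split a byte stream into complete frames.

    Returns (frames, leftover): frames is the list of payloads found,
    leftover is any trailing partial frame still waiting for more bytes
    from the socket. Nothing is guessed about a truncated frame.
    """
    frames = []
    pos = 0
    while pos + 2 <= len(buf):
        (length,) = struct.unpack_from(">H", buf, pos)
        end = pos + 2 + length
        if end > len(buf):
            break                        # incomplete frame: keep it as leftover
        frames.append(buf[pos + 2:end])
        pos = end
    return frames, buf[pos:]

def is_hello_reply(chunk: bytes) -> bool:
    """Exact check for the b"\x00\x01" length word the advisory says a 4400
    returns to the hello; a bitwise test (as in the Perl probe) would accept
    any non-empty reply."""
    return chunk[:2] == b"\x00\x01"

if __name__ == "__main__":
    # Constructed stream: hello, keepalive, then a frame cut off mid-way.
    stream = encode_frame(b"\x43") + encode_frame(b"TEST_REQ") + b"\x00\x05ab"
    print(decode_frames(stream))
```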


2- Connect to the Alcatel 4400
- - - - - - - - - - - - - -

Here is the default /etc/passwd file

root:.Zn2PprVBQWI2:0:1:0000-Admin(0000):/:/chbin/sh
halt:xY3mcbaFNyp0k:0:1:0000-Admin(0000):/usr/halt:/chbin/sh
daemon:*:1:1:0000-Admin(0000):/:
bin:*:2:2:0000-Admin(0000):/bin:
sys:*:3:3:0000-Admin(0000):/usr:
adm:*:4:4:0000-Admin(0000):/usr/adm:
sync::67:1:0000-Admin(0000):/:/bin/sync
install:yYV3uyxkFX8bc:101:1:Initial Login:/usr/install:/chbin/sh
kermit:zYBmh/woCrN6E:102:1:kermit:/usr/kermit:/chbin/sh
swinst::0:1:installation-account:/usr/swinst:/chbin/sh
mtch:aUi5.tLxc7zRc:2010:20:mtch:/DHS3bin/mtch:/chbin/ksh
mtcl:bUAp.LcUa4SIo:2011:20:mtcl:/DHS3bin/mtcl:/chbin/ksh
dhs3pms:cUlGakVr1CAkE:2013:20:dhs3pms:/DHS3bin/dhs3pms:/chbin/sh
adfexc:dUHpLtTswZu/Q:2015:20:adfexc:/DHS3bin/adfexc:/chbin/sh
pcmao::2012:20:pcmao:/DHS3bin/mao:/chbin/sh
nmcmao:gUvHzOAi7wETE:2016:20:nmcmao:/DHS3bin/nmcmao:/chbin/sh
client:hUlAPfM7t4Nbo:2017:20:client:/DHS3bin/client:/chbin/sh
dhs3mt:iULmen4O5ZC9.:2018:20:dhs3mt:/DHS3bin/dhs3mt:/chbin/sh
at4400:jU5vsXHRG1lQc:2019:1:at4400:/DHS3bin/at4400:/chbin/sh
mntple:kUKXnTJ4.VGrI:2000:1:Sun-network-installation:/DHS3bin/mntple:/chbin/sh


And some of the cracked passwords

llatsni          (install)
tlah             (halt)
dhs3pms          (dhs3pms)
adfexc           (adfexc)
client           (client)
kermit           (kermit)
dhs3mt           (dhs3mt)
at4400           (at4400)
mtch             (mtch)
mtcl             (mtcl)
letacla          (root)

Warning: most accounts have a .profile that executes particular commands,
so don't log in without knowing what you are doing.

- ~halt/.profile shuts down the 4400,
- ~swinst/.profile launches the utility that installs the 4400 from scratch,
etc.
mtcl doesn't run anything dangerous, so you can use this one if you need to telnet to the
box (it's the one given by Alcatel support if you need local management).

User adfexc is used by the management client to retrieve the version from the server
using FTP; it should always have the same password. Just be careful, because
it executes some stuff in its .profile...
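A defender-side check for what the listing above shows (a second and third UID-0 account, empty password fields, and a UID-0 account with no password at all), as an added Python example that is not from the advisory. The excerpt embedded in the code is copied from the listing above; the function reads passwd text and never contacts the switch.

```python
# Constructed excerpt of the /etc/passwd listing quoted above (hashes as
# printed there); a real audit would read the file copied off the switch.
PASSWD_EXCERPT = """\
root:.Zn2PprVBQWI2:0:1:0000-Admin(0000):/:/chbin/sh
halt:xY3mcbaFNyp0k:0:1:0000-Admin(0000):/usr/halt:/chbin/sh
daemon:*:1:1:0000-Admin(0000):/:
sync::67:1:0000-Admin(0000):/:/bin/sync
swinst::0:1:installation-account:/usr/swinst:/chbin/sh
mtcl:bUAp.LcUa4SIo:2011:20:mtcl:/DHS3bin/mtcl:/chbin/ksh
pcmao::2012:20:pcmao:/DHS3bin/mao:/chbin/sh
"""

def parse_passwd(text):
    """Yield (name, pwfield, uid, gid, shell) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                     # blank or malformed line: skip it
        name, pw, uid, gid, _gecos, _home, shell = fields
        if not uid.isdigit() or not gid.isdigit():
            continue                     # numeric ids only; never guess
        yield name, pw, int(uid), int(gid), shell

def audit_passwd(text):
    """Report the weaknesses the advisory's listing illustrates.

    extra_uid0:        accounts other than root with UID 0 (halt, swinst)
    empty_password:    accounts whose password field is empty
    passwordless_uid0: the intersection, i.e. a root shell with no password
    locked:            accounts that cannot log in ('*' in the hash field)
    """
    entries = list(parse_passwd(text))
    extra_uid0 = [n for n, pw, uid, gid, sh in entries if uid == 0 and n != "root"]
    empty = [n for n, pw, uid, gid, sh in entries if pw == ""]
    locked = [n for n, pw, uid, gid, sh in entries if pw == "*"]
    return {
        "extra_uid0": extra_uid0,
        "empty_password": empty,
        "passwordless_uid0": [n for n in empty if n in extra_uid0],
        "locked": locked,
    }

if __name__ == "__main__":
    for finding, names in audit_passwd(PASSWD_EXCERPT).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```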


3- How to be root when the root password has been changed?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Fortunately, FTP is open:

nmap returns the following

Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
513/tcp    open        login
514/tcp    open        shell
2533/tcp   open        unknown
2535/tcp   open        unknown
2536/tcp   open        unknown
2539/tcp   open        unknown
2540/tcp   open        unknown
2554/tcp   open        unknown
2555/tcp   open        unknown

TCP Sequence Prediction: Class=64K rule
                         Difficulty=1 (Trivial joke)


To log in as root, just FTP in as the halt user, rename .profile, and telnet to
the box... your UID is... 0!



4- Halt the Alcatel 4400
- - - - - - - - - - - - - 

You don't need to log in as the halt user, nor as root.
Just log in and execute /chetc/shutdown...

(1)a4400a> ls -l /chetc/shutdown
-r-sr-sr-x   1 root     other       6120 Jul  6  1998 /chetc/shutdown

All "other" group members are allowed to shut down the 4400 (see the setuid bit).
"other" group members are: install kermit swinst mntple at4400 root halt sync


5- Bad file permissions
- - - - - - - - - - - - - 

Lots of directories containing sensitive data are world-writable or group-writable.
There are two groups easily usable: tel (20) and other (1).

other members : install kermit swinst mntple at4400 root halt sync
tel members : mtcl mtch client dhs3pms adfexc pcmao dhs3mt

Here are some examples of writable directories or suid executables...

The easiest way for tel members to get root:
> ls -l /chbin/pre_login
42 -rwsrwxr-x   1 root     tel        20096 Oct  9  1998 pre_login
Any tel group member can overwrite /chbin/pre_login and
execute commands as root...

Overwritable configuration files
/chetc/menus world-writable
		=> netinstall.def & netinstall.bat overwritable
/chetc/msg world-writable
		=> GEA_NET overwritable
/chetc/lck world-writable
/etc/bootptab ==> world-writable (bootp server config)
/etc/mnttab ==> world-writable


Misc world-writable files & directories

/etc/misc world-writable
/fs world-writable
/mnt world-writable
/usr2/ world-writable
/usr/ctsrv world-writable
/usr/preserve world-writable
/usr/tmp world-writable
/usr2/soft_install world-writable

/usr3/mao contains database files (with phone configurations);
all are at least group-writable, allowing bad boys to scramble
phones...


All users' .profile files are overwritable

/usr2/ adfexc afe dhs3mt dhs3pms mao nmcmao  ==> group tel writable
/usr2/ PKG at4400 client mntple mtch mtcl ==> group other writable

As user directories are writable by other group members, .profile files are
overwritable by other group members.


/usr4/account looks like the accounting file directory; all files are
world-writable...
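An audit of the permission patterns this section describes (a setuid root binary that the tel group can overwrite, a setuid root binary any member of other can run, and world- or group-writable directories), as an added Python example that is not from the advisory. It parses `ls -l` output; the sample lines are constructed from the entries quoted in this section, with sizes and dates for the directory entries made up and /chbin/sh added as a clean control line.

```python
import re

# Constructed `ls -l` sample: the two entries quoted in this section (given
# full paths) plus directory entries the text describes; the sizes and dates
# of the directories and the /chbin/sh control line are made up.
SAMPLE_LS = """\
-r-sr-sr-x   1 root     other       6120 Jul  6  1998 /chetc/shutdown
-rwsrwxr-x   1 root     tel        20096 Oct  9  1998 /chbin/pre_login
drwxrwxrwx   2 root     other        512 Jul  6  1998 /chetc/menus
drwxrwxr-x   2 adfexc   tel          512 Jul  6  1998 /usr2/adfexc
-r-xr-xr-x   1 root     other       4096 Jul  6  1998 /chbin/sh
"""

LS_LINE = re.compile(
    r"^([-dlbcps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(.+)$")

def parse_mode(mode):
    """Pick the bits that matter out of a 10-character mode string."""
    return {
        "dir": mode[0] == "d",
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "group_write": mode[5] == "w",
        "world_write": mode[8] == "w",
        "others_exec": mode[6] in "xs" or mode[9] in "xt",
    }

def audit_ls(text):
    """Return (path, reason) pairs for the patterns the advisory describes."""
    findings = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue                     # not an ls -l entry: ignore
        mode, owner, group, path = m.groups()
        b = parse_mode(mode)
        if (b["setuid"] or b["setgid"]) and (b["group_write"] or b["world_write"]):
            # the /chbin/pre_login case: replace the binary, it still runs as root
            findings.append((path, "privileged binary writable by group/world"))
        elif b["setuid"] and owner == "root" and b["others_exec"]:
            # the /chetc/shutdown case: non-owners can run it as root
            findings.append((path, f"setuid-root binary runnable by non-owners (group '{group}')"))
        if b["dir"] and b["world_write"]:
            findings.append((path, "world-writable directory"))
        elif b["dir"] and b["group_write"]:
            findings.append((path, f"directory writable by group '{group}'"))
    return findings
```

On a live system the same function can be fed the output of `ls -l` over the directories this section lists.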




6- Other bugs & exploits?
- - - - - - - - - - - - - -

Here are untested things, possibly buggy and exploitable...

- The FTP glob() vulnerability has not been tested
- Various rsh and login vulnerabilities have to be tested
- The management client should be tested against unusual formats of /DHS3bin/descript/deliv_id
  and /DHS3bin/descript/patch_id (files retrieved through
  ftp when connecting with the management client)
- Explore network communication between management client and server, sending
  periodically "\x00\x08TEST_REQ" (note that \x00\x08 is the size of the string
  "TEST_REQ"), waiting for "TEST_RSP"
- How to escape from the .profile executed when logging in as swinst (without password,
  UID=0)
   

SOLUTIONS
==========

Put your Alcatel 4400 behind a firewall, and allow only connections between
your PBXs (if you have more than one, linked) and from your management station.

 
 


Copyright 2013, SecurityGlobal.net LLC