[plug] [OT] DSLAM and ADSL web interface

Craig Ringer craig at postnewspapers.com.au
Mon Aug 9 11:11:52 WST 2004


Ben Jensz wrote:
> Only if the ADSL modem/router's web interface actually listened on the 
> external interface, which would mean people could get to it from the 
> wider internet anyway.  On my D-Link DSL-500, it doesn't listen on the 
> external interface, only on the ethernet interface unless you tell it 
> otherwise.

Yep, that matches my experience. I expect that anybody dumb enough to 
ship a DSL modem quite /that/ astoundingly broken might actually feel 
consequences - eventually. After all, hardly anybody changes their 
passwords on those things, and a wide-open admin interface could be used 
to set up some port forwards to an internal host (it's not going to be 
hard to guess the IP in most cases), whereupon some real CIFS fun could 
be had by the attacker.

On the other hand, the user would have to fail to change their password. 
Most devices don't even tell you that you should, however, let alone 
force you to do so on first login. After all, tech support teams must 
LOVE "umm... yeah, the password. Do you know what it is?".

My concern with the attack-from-the-DSLAM is more about people who 
connect a DSL modem in bridged mode directly to their switch. Even so, 
the chances are that if someone's attacking from the DSLAM you have 
bigger things to worry about - like the fact that almost none of your 
internet communications are encrypted or integrity checked.

Regarding attacks on DSL modem web interfaces over the Internet, I can 
imagine it being possible from the next hop _if_ the DSL modem doesn't 
check the source address on packets incoming on interfaces. If it'll 
accept a packet from 192.168.x.x coming down the ATM interface and if it 
does access control by source IP not incoming interface, then you could 
possibly send packets to internal services. This wouldn't help you with 
HTTP, of course, as the SYN+ACK response to the initial SYN would be sent to 
some (probably nonexistent) internal host using the LAN interface. It 
/might/ work if the device ALSO had read/write SNMP enabled by default. 
The chances of all those 3 being true, AND someone having access to the 
DSLAM or first hop router, seem rather slim to me. Then again, I could 
be missing some important points here rather easily.

--
Craig Ringer
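
The source-address point in the message above, as an added example that is not part of the original post: a small Python model comparing a management ACL keyed only on source IP with one that also checks the arrival interface. The interface names, LAN prefix and sample packets are constructed assumptions, not taken from any real device.

```python
import ipaddress
from dataclasses import dataclass

# Assumed topology (hypothetical names): LAN 192.168.1.0/24 on "eth0",
# DSL/ATM uplink on "atm0".
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
LAN_IF, WAN_IF = "eth0", "atm0"

# Source ranges that should never arrive from the uplink (RFC 1918, loopback).
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrived on
    src: str     # claimed source address
    proto: str
    dport: int

def acl_by_source_only(pkt):
    """Weak policy: management access decided purely by source IP."""
    return ipaddress.ip_address(pkt.src) in LAN_NET

def acl_with_ingress_check(pkt):
    """Hardened policy: drop private sources on the uplink, then require
    both the LAN interface and a LAN source address."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.in_if == WAN_IF and any(src in net for net in BOGONS):
        return False
    return pkt.in_if == LAN_IF and src in LAN_NET

def audit(packets):
    """Packets the weak policy admits but the hardened policy rejects."""
    return [p for p in packets
            if acl_by_source_only(p) and not acl_with_ingress_check(p)]

# Constructed sample traffic for the audit.
SAMPLE = [
    Packet("eth0", "192.168.1.10", "tcp", 80),   # LAN host reaching the web UI
    Packet("atm0", "192.168.1.10", "udp", 161),  # LAN source seen on the uplink
    Packet("atm0", "203.0.113.7", "tcp", 80),    # ordinary Internet source
]

if __name__ == "__main__":
    for p in audit(SAMPLE):
        print("source-only ACL would admit:", p)
```

On a real router the hardened policy corresponds to binding management services to the LAN interface and enabling reverse-path or bogon filtering on the uplink.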