Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Phreaking General Information :: expl5097.htm

Root an Alcatel PBX! Alcatel 4400 poor configuration leads to remote root access



13th Feb 2002 [SBWID-5097]
COMMAND

	Alcatel 4400 poor configuration leads to remote root access

SYSTEMS AFFECTED

	Tested : Alcatel 4400 ChorusOS

PROBLEM

	Irib of the security bugware team [http://www.securitybugware.org]  says
	:
	

	A little audit of an Alcatel 4400 pbx leads us to some interesting  bugs
	: default passwords, many root accesses, DoS, halt. If you have  a  well
	configured one, some of them won\'t work. The one  we  tested  is  under
	Alcatel support control, they  should  have  the  same  \"don\'t  change
	anyting\" policy for most of their customers - you should have the  same
	bugs  on  yours.  Note  that  our  checks  were  done  in  a  production
	environement, without exploiting bugs.
	

	

	0- Environnement

	- - - - - - - - -

	

	ALcatel 4400 runs real-time Chorus  OS,  now  under  SUN  control.  More
	information can be found at http://www.sun.com/software/chorusos/
	

	

	

	1- find the IP address of Alcatel 4400

	- - - - - - - - - - - - - - - - - - - -

	

	Alcatel 4400 can be managed through serial  port,  or  through  LAN.  In
	case of LAN, 4400 is listening on port 2533.
	

	After some sniffing, we show that every TCP  packets  contains  in  data
	field the  size  of  transmitted  datas.  For  example,  to  initiate  a
	connexion,  first  data  packet  (after  SYN,  SYN-ACK,  ACK)   contains
	\\x00\\x01\\x43 \\x43 is the data, \\x00\\x01 is the size - 1 char.
	

	Every other data in first data packet will  lead  to  a  FIN-ACK  reply,
	closing the connexion.
	

	To check for a running 4400 on your LAN,  just  scan  your  network  for
	port 2533 open, then send \\x00\\x01\\x43 and wait for \\x00\\x01
	

	Use nmap to scan for port 2533 open, and  this  little  script  to  send
	\\x00\\x01\\x43 and wait for \\x00\\x01 :
	

	8<------------ alcatel.pl

	

	#!/usr/bin/perl

	

	# Checks for Alcatel 4400, sending TCP data on port 2533

	# looking for specific reply

	# irib@securitybugware.org

	

	use Getopt::Std;

	use IO::Socket;

	

	print(\"ALCATEL 4400 checker.\\n\");

	

	getopts(\'s:\', \\%args);

	if(!defined($args{s})){&usage;}

	

		$data = \"\\x43\";

		$size = \"\\x00\\x01\";

	

	        $serv = $args{s};

	        $port = 2533;

	        $buf = $size . $data;

	

	if($socket = new IO::Socket::INET(PeerAddr => \"$serv:$port\", Timeout => 1)){

	

		print $socket \"$buf\";

		read($socket,$chunk,2);

	

	

		if($chunk & \"\\x00\\x01\"){

			print \"$serv may be an Alcatel 4400\\n\";

		}else{

			print \"$serv doesn\'t look like an Alcatel 4400\\n\";

		}

	}else{

		print \"$serv is not an Alcatel 4400\\n\";

	}

	

	sub usage {die(\"\\nUsage: $0 -s <server>\\n\\n\");}

	

	8<------------

	

	

	2- Connect to Alcatel 4400

	- - - - - - - - - - - - - -

	

	Here is the default /etc/password file
	

	root:.Zn2PprVBQWI2:0:1:0000-Admin(0000):/:/chbin/sh

	halt:xY3mcbaFNyp0k:0:1:0000-Admin(0000):/usr/halt:/chbin/sh

	daemon:*:1:1:0000-Admin(0000):/:

	bin:*:2:2:0000-Admin(0000):/bin:

	sys:*:3:3:0000-Admin(0000):/usr:

	adm:*:4:4:0000-Admin(0000):/usr/adm:

	sync::67:1:0000-Admin(0000):/:/bin/sync

	install:yYV3uyxkFX8bc:101:1:Initial Login:/usr/install:/chbin/sh

	kermit:zYBmh/woCrN6E:102:1:kermit:/usr/kermit:/chbin/sh

	swinst::0:1:installation-account:/usr/swinst:/chbin/sh

	mtch:aUi5.tLxc7zRc:2010:20:mtch:/DHS3bin/mtch:/chbin/ksh

	mtcl:bUAp.LcUa4SIo:2011:20:mtcl:/DHS3bin/mtcl:/chbin/ksh

	dhs3pms:cUlGakVr1CAkE:2013:20:dhs3pms:/DHS3bin/dhs3pms:/chbin/sh

	adfexc:dUHpLtTswZu/Q:2015:20:adfexc:/DHS3bin/adfexc:/chbin/sh

	pcmao::2012:20:pcmao:/DHS3bin/mao:/chbin/sh

	nmcmao:gUvHzOAi7wETE:2016:20:nmcmao:/DHS3bin/nmcmao:/chbin/sh

	client:hUlAPfM7t4Nbo:2017:20:client:/DHS3bin/client:/chbin/sh

	dhs3mt:iULmen4O5ZC9.:2018:20:dhs3mt:/DHS3bin/dhs3mt:/chbin/sh

	at4400:jU5vsXHRG1lQc:2019:1:at4400:/DHS3bin/at4400:/chbin/sh

	mntple:kUKXnTJ4.VGrI:2000:1:Sun-network-installation:/DHS3bin/mntple:/chbin/sh

	

	

	And some decrypted passwords
	

	llatsni          (install)

	tlah             (halt)

	dhs3pms          (dhs3pms)

	adfexc           (adfexc)

	client           (client)

	kermit           (kermit)

	dhs3mt           (dhs3mt)

	at4400           (at4400)

	mtch             (mtch)

	mtcl             (mtcl)

	letacla          (root)

	

	Warning : most accounts have a .profile, executing  particular  commands
	so don\'t log in without knowing what you are doing.
	

	- ~halt/.profile shuts down 4400,

	- ~swinst/.profile launch utility to install 4400 from scratch

	etc...

	

	mtcl doesn\'t run anything dangerous, so you can use  this  one  if  you
	need to telnet the box (it\'s the one given by Alcatel suppport  if  you
	need local management)
	

	User adfexc is used  by  management  client  to  retrieve  version  from
	server using FTP, it should have  always  the  same  password,  just  be
	careful because it executes some stuff in .profile...
	

	

	3- How to be root, when root password has been changed ?

	- - - - - - - - - - - - - - - - - - - - - - - - - - - - -

	

	Fortunately, FTP is open :
	

	nmap returns following
	

	Port       State       Service

	21/tcp     open        ftp

	23/tcp     open        telnet

	513/tcp    open        login

	514/tcp    open        shell

	2533/tcp   open        unknown

	2535/tcp   open        unknown

	2536/tcp   open        unknown

	2539/tcp   open        unknown

	2540/tcp   open        unknown

	2554/tcp   open        unknown

	2555/tcp   open        unknown

	

	TCP Sequence Prediction: Class=64K rule
	                         Difficulty=1 (Trivial joke)

	

	

	to log in as root, just ftp as halt user, rename  .profile,  and  telnet
	the box... your UID is... O !
	

	

	

	4- Halt the Alcatel 4400

	- - - - - - - - - - - - -

	

	You don\'t need to log in with halt user, nor to log in  as  root.  Just
	log in, and execute /chetc/shutdown...
	

	(1)a4400a> ls -l /chetc/shutdown

	-r-sr-sr-x   1 root     other       6120 Jul  6  1998 /chetc/shutdown

	

	All \"other\" group member are allowed to shutdown  the  4400  (see  the
	setuid bit) \"other\" group member are : install  kermit  swinst  mntple
	at4400 root halt sync
	

	

	5- Bad file permissions

	- - - - - - - - - - - - -

	

	Lot of directories containing sensible data are world wide writable,  or
	group writable. There are two groups easily usable : tel (20) and  other
	(1).
	

	other members : install kermit swinst mntple at4400 root halt  sync  tel
	members : mtcl, mtch, client, dhs3pms adfexc pcmao dhs3mt
	

	Here are some example of writable directories or suid executables...
	

	The easiest way for tel members to access root :
	

	> ls -l /chbin/pre_login

	42 -rwsrwxr-x   1 root     tel        20096 Oct  9  1998 pre_login

	

	Any tel  group  members  can  overwrite  /chbin/pre_login,  and  execute
	commands as root...
	

	Overwritable configuration files
	

	/chetc/menus world wide writable

			=> netinstall.def & netinstall.bat  overwritable

	/chetc/msg world wide writable

			=> GEA_NET overwritable

	/chetc/lck world wide writable

	/etc/bootptab ==> world wide writable (config bootp server)

	/etc/mnttab ==> world wide writable

	

	

	Misc world wide writable files & directories
	

	/etc/misc world wide writable

	/fs world wide writable

	/mnt world wide writable

	/usr2/ world wide writable

	/usr/ctsrv world wide writable

	/usr/preserve world wide writable

	/usr/tmp world wide writable

	/usr2/soft_install world wide writable

	

	/usr3/mao contains database files (with phone configurations),  all  are
	at least group writable, allowing bad boys to scramble phones...
	

	

	All users .profile are overwritable
	

	/usr2/ adfexc afe dhs3mt dhs3pms mao nmcmao  ==> group tel writable

	/usr2/ PKG at4400 client mntple mtch mtcl ==> group other writable

	

	As  userdirs  are  writable  to  other  group  members,   .profile   are
	overwritable by other group members.
	

	

	/usr4/account looks like accounting file directory, all are  world  wide
	overwritable...
	

	

	

	

	5- Other bugs & exploits ?

	- - - - - - - - - - - - - -

	

	Here are not tested things, possibly buggy and exploitable...
	

	- FTP glob() vulnerability has not been tested

	- various rsh and login vulnerabilities have to be tested

	- Management client should be tested against /DHS3bin/descript/deliv_id

	  and /DHS3bin/descript/patch_id unusual format (files retrieved through

	  ftp when connecting with management client)

	- Explore network communication between management client and server, sending

	  periodically \"\\x00\\x08TEST_REQ\" (note that \\x00\\x08 is the size of string

	  \"TEST_REQ\"), waiting for \"TEST_RSP\"

	- How to escape from .profile executed when login as swinst (without passwd,

	  UID=0)

	

SOLUTION

	Put your Alcatel 4400  behind  a  firewall,  and  allow  only  connexion
	between your pbxs (if you have more than  one,  linked)  and  from  your
	management station.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH