RE: alcatel PBX testing

From: Luis Lopez Sanchez (luis.lopez@atosorigin.com)
Date: Mon Jun 05 2006 - 05:39:07 EDT


Hi All,

In recent versions, the OS from Alcatel for the 4400 is Linux based instead of Chorus/MiX OS. I don't think that this pen-test works with the new OS version ... Could somebody confirm this issue?

Regards,

"These are the thoughts and opinions of Luis Lopez, and do not represent Atos Origin company policy."

--
Luislo
-----Original Message-----
From: Deniz Cevik [mailto:Deniz.Cevik@intellect.com.tr] 
Sent: Thursday, 01 June 2006 9:07
To: jason_jones98@hotmail.com; pen-test@securityfocus.com
Subject: RE: alcatel PBX testing
< Playing around with ALCATEL 4400 PBX > 
SYSTEM AFFECTED
================
Alcatel 4400 Pbx 
PROBLEM
======== 
A little audit of an Alcatel 4400 PBX leads us to some interesting bugs: default passwords, many root accesses, DoS, halt. If you have a well configured one, some of them won't work. 
The one we tested is under Alcatel support control; they should have the same "don't change anything" policy for most of their customers - you should have the same bugs on yours. 
Note that our checks were done in a production environment, without exploiting bugs. 
0- Environment
- - - - - - - - - 
Alcatel 4400 runs the real-time Chorus OS, now under SUN control. 
More information can be found at http://www.sun.com/software/chorusos/ 
1- Find the IP address of the Alcatel 4400
- - - - - - - - - - - - - - - - - - - - 
Alcatel 4400 can be managed through serial port, or through LAN. 
In case of LAN, 4400 is listening on port 2533. 
After some sniffing, we saw that every TCP packet contains in its data field the size of the transmitted data. 
For example, to initiate a connection, the first data packet (after SYN, SYN-ACK, ACK) contains \x00\x01\x43 
\x43 is the data, \x00\x01 is the size - 1 char. 
Any other data in the first data packet will lead to a FIN-ACK reply, closing the connection. 
To check for a running 4400 on your LAN, just scan your network for port 2533 open, then send \x00\x01\x43 and wait for \x00\x01 
Use nmap to scan for port 2533 open, and this little script to send \x00\x01\x43 and wait for \x00\x01 : 
8<------------ alcatel.pl 
#!/usr/bin/perl
# Checks for Alcatel 4400, sending TCP data on port 2533
# looking for specific reply
# irib@securitybugware.org
use strict;
use warnings;
use Getopt::Std;
use IO::Socket;

print("ALCATEL 4400 checker.\n");
my %args;
getopts('s:', \%args);
usage() if !defined($args{s});

my $data = "\x43";        # one-byte payload
my $size = "\x00\x01";    # 16-bit big-endian length of the payload
my $serv = $args{s};
my $port = 2533;
my $buf  = $size . $data;

if (my $socket = IO::Socket::INET->new(PeerAddr => "$serv:$port", Proto => 'tcp', Timeout => 1)) {
    print $socket $buf;
    # Read the 2-byte length word of the reply; a 4400 answers with \x00\x01.
    my $chunk = '';
    my $got = read($socket, $chunk, 2);
    # Compare the bytes with 'eq': the original used '&' (bitwise string AND),
    # whose result is a non-empty string and therefore always true.
    if (defined($got) && $got == 2 && $chunk eq "\x00\x01") {
        print "$serv may be an Alcatel 4400\n";
    } else {
        print "$serv doesn't look like an Alcatel 4400\n";
    }
    close($socket);
} else {
    print "$serv is not an Alcatel 4400\n";
}

sub usage { die("\nUsage: $0 -s <server>\n\n"); }
8<------------ 
2- Connect to Alcatel 4400 
- - - - - - - - - - - - - - 
Here is the default /etc/passwd file 
root:.Zn2PprVBQWI2:0:1:0000-Admin(0000):/:/chbin/sh 
halt:xY3mcbaFNyp0k:0:1:0000-Admin(0000):/usr/halt:/chbin/sh 
daemon:*:1:1:0000-Admin(0000):/: 
bin:*:2:2:0000-Admin(0000):/bin: 
sys:*:3:3:0000-Admin(0000):/usr: 
adm:*:4:4:0000-Admin(0000):/usr/adm: 
sync::67:1:0000-Admin(0000):/:/bin/sync 
install:yYV3uyxkFX8bc:101:1:Initial Login:/usr/install:/chbin/sh 
kermit:zYBmh/woCrN6E:102:1:kermit:/usr/kermit:/chbin/sh 
swinst::0:1:installation-account:/usr/swinst:/chbin/sh 
mtch:aUi5.tLxc7zRc:2010:20:mtch:/DHS3bin/mtch:/chbin/ksh 
mtcl:bUAp.LcUa4SIo:2011:20:mtcl:/DHS3bin/mtcl:/chbin/ksh 
dhs3pms:cUlGakVr1CAkE:2013:20:dhs3pms:/DHS3bin/dhs3pms:/chbin/sh 
adfexc:dUHpLtTswZu/Q:2015:20:adfexc:/DHS3bin/adfexc:/chbin/sh 
pcmao::2012:20:pcmao:/DHS3bin/mao:/chbin/sh 
nmcmao:gUvHzOAi7wETE:2016:20:nmcmao:/DHS3bin/nmcmao:/chbin/sh 
client:hUlAPfM7t4Nbo:2017:20:client:/DHS3bin/client:/chbin/sh 
dhs3mt:iULmen4O5ZC9.:2018:20:dhs3mt:/DHS3bin/dhs3mt:/chbin/sh 
at4400:jU5vsXHRG1lQc:2019:1:at4400:/DHS3bin/at4400:/chbin/sh 
mntple:kUKXnTJ4.VGrI:2000:1:Sun-network-installation:/DHS3bin/mntple:/chbin/sh 
And some decrypted passwords 
llatsni (install) 
tlah (halt) 
dhs3pms (dhs3pms) 
adfexc (adfexc) 
client (client) 
kermit (kermit) 
dhs3mt (dhs3mt) 
at4400 (at4400) 
mtch (mtch) 
mtcl (mtcl) 
letacla (root) 
Warning: most accounts have a .profile executing particular commands, so don't log in without knowing what you are doing. 
- ~halt/.profile shuts down the 4400, 
- ~swinst/.profile launches the utility to install the 4400 from scratch 
etc... 
mtcl doesn't run anything dangerous, so you can use this one if you need to telnet to the box (it's the one given by Alcatel support if you need local management). 
User adfexc is used by the management client to retrieve the version from the server using FTP; it should always have the same password, just be careful because it executes some stuff in .profile... 
3- How to be root when the root password has been changed? 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Fortunately, FTP is open : 
nmap returns following 
Port State Service 
21/tcp open ftp 
23/tcp open telnet 
513/tcp open login 
514/tcp open shell 
2533/tcp open unknown 
2535/tcp open unknown 
2536/tcp open unknown 
2539/tcp open unknown 
2540/tcp open unknown 
2554/tcp open unknown 
2555/tcp open unknown 
TCP Sequence Prediction: Class=64K rule 
Difficulty=1 (Trivial joke) 
To log in as root, just ftp as the halt user, rename .profile, and telnet to the box... your UID is... 0! 
4- Halt the Alcatel 4400 
- - - - - - - - - - - - - 
You don't need to log in with the halt user, nor to log in as root. 
Just log in, and execute /chetc/shutdown... 
(1)a4400a> ls -l /chetc/shutdown 
-r-sr-sr-x 1 root other 6120 Jul 6 1998 /chetc/shutdown 
All "other" group members are allowed to shut down the 4400 (see the setuid bit). 
"other" group members are: install kermit swinst mntple at4400 root halt sync 
5- Bad file permissions 
- - - - - - - - - - - - - 
Lots of directories containing sensitive data are world writable, or group writable. 
There are two groups easily usable: tel (20) and other (1). 
other members: install kermit swinst mntple at4400 root halt sync 
tel members: mtcl, mtch, client, dhs3pms adfexc pcmao dhs3mt 
Here are some examples of writable directories or suid executables... 
The easiest way for tel members to access root: 
> ls -l /chbin/pre_login 
42 -rwsrwxr-x 1 root tel 20096 Oct 9 1998 pre_login 
Any tel group member can overwrite /chbin/pre_login, and execute commands as root... 
Overwritable configuration files 
/chetc/menus world wide writable 
=> netinstall.def & netinstall.bat overwritable 
/chetc/msg world wide writable 
=> GEA_NET overwritable 
/chetc/lck world wide writable 
/etc/bootptab ==> world wide writable (config bootp server) 
/etc/mnttab ==> world wide writable 
Misc world wide writable files & directories 
/etc/misc world wide writable 
/fs world wide writable 
/mnt world wide writable 
/usr2/ world wide writable 
/usr/ctsrv world wide writable 
/usr/preserve world wide writable 
/usr/tmp world wide writable 
/usr2/soft_install world wide writable 
/usr3/mao contains database files (with phone configurations), all are at least group writable, allowing bad boys to scramble phones... 
All users .profile are overwritable 
/usr2/ adfexc afe dhs3mt dhs3pms mao nmcmao ==> group tel writable 
/usr2/ PKG at4400 client mntple mtch mtcl ==> group other writable 
As user dirs are writable to other group members, .profile files are overwritable by other group members. 
/usr4/account looks like the accounting file directory, all are world overwritable... 
6- Other bugs & exploits? 
- - - - - - - - - - - - - - 
Here are untested things, possibly buggy and exploitable... 
- FTP glob() vulnerability has not been tested 
- various rsh and login vulnerabilities have to be tested 
- Management client should be tested against /DHS3bin/descript/deliv_id and /DHS3bin/descript/patch_id unusual format (files retrieved through ftp when connecting with management client) 
- Explore network communication between management client and server, sending periodically "\x00\x08TEST_REQ" (note that \x00\x08 is the size of string "TEST_REQ"), waiting for "TEST_RSP" 
- How to escape from .profile executed when logging in as swinst (without passwd, UID=0) 
SOLUTIONS 
========== 
Put your Alcatel 4400 behind a firewall, and allow only connections between your PBXs (if you have more than one, linked) and from your management station.
-----Original Message-----
From: jason_jones98@hotmail.com [mailto:jason_jones98@hotmail.com] 
Sent: Wednesday, May 31, 2006 6:20 PM
To: pen-test@securityfocus.com
Subject: Re: alcatel PBX testing
The default passwords for the 4400
(http://www.phenoelit.de/dpl/dpl.html) are still the same for the 4760.
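As an added, defender-side example that is not part of the original thread or of the quoted advisory: the script below takes the advisory's default /etc/passwd listing and its two `ls -l` lines (embedded as constructed sample input copied from the text above; the /chbin/pre_login path is taken from the `ls -l` command the advisory shows, and "42" is the block count from `ls -s`) and reports what an administrator of such a box would want to verify: accounts whose hash still equals the factory hash (i.e. a password that was never changed and is public), empty-password accounts with a login shell, extra UID 0 accounts, and setuid/setgid binaries that a group or everyone can overwrite. The finding names, severities and helper names are my own choices, not anything from the advisory.

```python
"""Defender-side audit of the findings in the quoted Alcatel 4400 advisory.
Added example, not part of the original post: it parses the advisory's default
/etc/passwd listing and `ls -l` output (embedded as sample input) and reports
unchanged factory hashes, empty passwords, extra UID 0 accounts and
overwritable setuid binaries."""
import re

# Sample input: the default /etc/passwd quoted in the advisory.
SAMPLE_PASSWD = """\
root:.Zn2PprVBQWI2:0:1:0000-Admin(0000):/:/chbin/sh
halt:xY3mcbaFNyp0k:0:1:0000-Admin(0000):/usr/halt:/chbin/sh
daemon:*:1:1:0000-Admin(0000):/:
bin:*:2:2:0000-Admin(0000):/bin:
sys:*:3:3:0000-Admin(0000):/usr:
adm:*:4:4:0000-Admin(0000):/usr/adm:
sync::67:1:0000-Admin(0000):/:/bin/sync
install:yYV3uyxkFX8bc:101:1:Initial Login:/usr/install:/chbin/sh
kermit:zYBmh/woCrN6E:102:1:kermit:/usr/kermit:/chbin/sh
swinst::0:1:installation-account:/usr/swinst:/chbin/sh
mtch:aUi5.tLxc7zRc:2010:20:mtch:/DHS3bin/mtch:/chbin/ksh
mtcl:bUAp.LcUa4SIo:2011:20:mtcl:/DHS3bin/mtcl:/chbin/ksh
dhs3pms:cUlGakVr1CAkE:2013:20:dhs3pms:/DHS3bin/dhs3pms:/chbin/sh
adfexc:dUHpLtTswZu/Q:2015:20:adfexc:/DHS3bin/adfexc:/chbin/sh
pcmao::2012:20:pcmao:/DHS3bin/mao:/chbin/sh
nmcmao:gUvHzOAi7wETE:2016:20:nmcmao:/DHS3bin/nmcmao:/chbin/sh
client:hUlAPfM7t4Nbo:2017:20:client:/DHS3bin/client:/chbin/sh
dhs3mt:iULmen4O5ZC9.:2018:20:dhs3mt:/DHS3bin/dhs3mt:/chbin/sh
at4400:jU5vsXHRG1lQc:2019:1:at4400:/DHS3bin/at4400:/chbin/sh
mntple:kUKXnTJ4.VGrI:2000:1:Sun-network-installation:/DHS3bin/mntple:/chbin/sh
"""

# Sample input: the two `ls -l` lines quoted in the advisory (the pre_login path
# is assumed from the command shown there; "42" is an `ls -s` block count).
SAMPLE_LS = """\
-r-sr-sr-x 1 root other 6120 Jul 6 1998 /chetc/shutdown
42 -rwsrwxr-x 1 root tel 20096 Oct 9 1998 /chbin/pre_login
"""

PASSWD_FIELDS = ("name", "hash", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts (uid/gid as ints)."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"malformed passwd line: {line!r}")
        entry = dict(zip(PASSWD_FIELDS, parts))
        entry["uid"], entry["gid"] = int(entry["uid"]), int(entry["gid"])
        entries.append(entry)
    return entries

# Accounts whose factory passwords the advisory lists in clear.  SAMPLE_PASSWD is
# the factory file, so its hashes for them are the factory hashes: the same hash
# on a live box means the (public) default password was never changed.
FACTORY_DEFAULT_ACCOUNTS = {"install", "halt", "dhs3pms", "adfexc", "client",
                            "kermit", "dhs3mt", "at4400", "mtch", "mtcl", "root"}
FACTORY_HASHES = {e["name"]: e["hash"] for e in parse_passwd(SAMPLE_PASSWD)
                  if e["name"] in FACTORY_DEFAULT_ACCOUNTS}

def audit_passwd(text):
    """Return {finding: sorted account names} for the contents of a passwd file."""
    entries = parse_passwd(text)
    return {
        "factory_default_password": sorted(
            e["name"] for e in entries
            if FACTORY_HASHES.get(e["name"]) == e["hash"]),
        "empty_password_with_shell": sorted(
            e["name"] for e in entries if e["hash"] == "" and e["shell"]),
        "uid0_not_root": sorted(
            e["name"] for e in entries if e["uid"] == 0 and e["name"] != "root"),
    }

# [blocks] mode links owner group size month day year-or-time path
LS_LINE = re.compile(r"^(?:\d+\s+)?([-dlbcps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+"
                     r"\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

def audit_ls(text):
    """Flag setuid/setgid files; root-owned ones that others can overwrite are critical."""
    findings = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue
        mode, owner, group, path = m.groups()
        setuid, setgid = mode[3] in "sS", mode[6] in "sS"
        if not (setuid or setgid):
            continue
        writable_by = [who for who, flag in (("group " + group, mode[5] == "w"),
                                             ("everyone", mode[8] == "w")) if flag]
        findings.append({"path": path, "owner": owner, "group": group,
                         "setuid": setuid, "setgid": setgid,
                         "writable_by": writable_by,
                         "severity": "critical" if writable_by and owner == "root"
                                     else "review"})
    return findings

if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD))
    print(audit_ls(SAMPLE_LS))
```

On the sample data the passwd audit lists all eleven factory accounts, the three empty-password accounts (pcmao, swinst, sync) and the two non-root UID 0 accounts (halt, swinst); the `ls -l` audit rates /chetc/shutdown as "review" (setuid root, but not writable) and /chbin/pre_login as "critical" (setuid root and group-writable). Feeding it a passwd file from a real box shows which of the advisory's default credentials are still in place there.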
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
------------------------------------------------------------------
This e-mail and the documents attached are confidential and intended solely
for the addressee; it may also be privileged. If you receive this e-mail
in error, please notify the sender immediately and destroy it.
As its integrity cannot be secured on the Internet, the Atos Origin group
liability cannot be triggered for the message content. Although the
sender endeavours to maintain a computer virus-free network, the sender does
not warrant that this transmission is virus-free and will not be liable for
any damages resulting from any virus transmitted.
------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:02 EDT