Thomson TWG870U / TWG870UIR (UPC) mini DoS?

    03-01-2012 11:43am


    DoS part is at the end for those not too interested in this other stuff.

    Note this has only been confirmed by me on 01.30 (TWG870U-B9.01.30-101026-F-1C1.bin). There is a newer 01.36 out (TWG870U-BA.01.36-110429-F-1C1.bin), but there is no facility to upgrade this yourself and you cannot force the router to perform an upgrade check, so it seems random when people are getting updated. Also, this upgrade has been out for months, so it's possible this is also valid for 01.36...

    My router's default gateway is 192.168.0.1.
    23/tcp closed telnet
    80/tcp open http
    1900/tcp closed upnp
    8080/tcp closed http-proxy
    Telnet port 23 is reported as closed on 192.168.0.1, i.e. it's still listed by nmap, but closed, rather than non-existent!
    http://nmap.org/book/man-port-scanning-basics.html
    A closed port is accessible (it receives and responds to Nmap probe packets), but there is no application listening on it. They can be helpful in showing that a host is up on an IP address (host discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it may be worth scanning later in case some open up. Administrators may want to consider blocking such ports with a firewall. Then they would appear in the filtered state, discussed next.

    The UPnP port would be interesting if there was something listening on it. The old SMB hack might still work then! But it looks like "Content Sharing" is disabled for this model, and it is unknown how to enable it. http://forums.modem-help.co.uk/viewtopic.php?t=7454 http://forums.modem-help.co.uk/viewtopic.php?t=7454&start=18

    There is also another IP listening on 192.168.100.1. Ports 23, 80 and 9100 (not Jetty!) are open here.
    23/tcp open telnet
    80/tcp open http
    9100/tcp open jetty

    According to some generic TWG870 manual online, 192.168.100.1 is for "Cable Modem" mode, i.e. you would then need to attach your own gateway/router, and 192.168.0.1 is for "Residential Gateway" (default).

    Port 23 is telnet, but the login is unknown. It doesn't work with the credentials I use for the web interface. Doesn't work with any default Thomson passwords either. Furthermore, the telnet daemon blacklists your LAN IP after about 9 wrong attempts. I dunno if rebooting the router clears this.
    Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008

    WARNING: Access allowed by authorized users only.

    login:
    password:

    The IP seems to block all communication for you altogether if a lot of noise comes from your connection to 192.168.100.1, e.g. scanning or something. Might be deliberate, but it doesn't seem to last indefinitely like the blacklisting above.

    Port 80 is the same web interface as 192.168.0.1; the credentials are the same also.

    Port 9100 only listens and doesn't send anything back, but it can accept input, which can cause a crash/reboot which may be regarded as a DoS :-)

    # telnet 192.168.100.1 9100
    then enter some junk and hit enter... or

    # echo ":)" | nc 192.168.100.1 9100 ... router will reboot

    This does not require any credentials to be known and anyone on the network can do this. The only way to stop this really is to have an extra layer, i.e. a firewall/hardware, between the router and the connecting participant.

    This seems like a crash. However, it's possible it might be some protection mechanism where sending incorrect input data causes this reboot on purpose, but sending 1 byte can cause this, so if this is the case there are only 255 bytes to check to see if this is true, but it seems doubtful and I don't have the patience!
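The post's only suggested mitigation is an extra firewall layer between LAN hosts and the modem. As an added example that is not part of the original post, the script below emits iptables FORWARD rules for a Linux box routing between the LAN and the modem that log and drop LAN traffic to the modem's telnet and 9100 ports, and summarises the resulting kernel LOG lines per source host; the interface name, the log prefix and the sample log lines are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the forum post. Assumes a Linux router sits between
# the LAN (interface passed as $1) and the TWG870U, so that LAN traffic to the
# modem's 192.168.100.1 address passes through its FORWARD chain.
MODEM_IP="192.168.100.1"      # cable-modem side address named in the post
BLOCKED_PORTS="23 9100"       # telnet, and the port that reboots on any input
LOG_PREFIX="MODEM-MGMT "      # assumed prefix used to find the entries later

# Print the iptables commands (one LOG + one DROP rule per blocked port).
# Attempts are logged before being dropped so they show up in the kernel log.
modem_block_rules() {
    iface="$1"
    for p in $BLOCKED_PORTS; do
        echo "iptables -A FORWARD -i $iface -d $MODEM_IP -p tcp --dport $p -j LOG --log-prefix \"$LOG_PREFIX\""
        echo "iptables -A FORWARD -i $iface -d $MODEM_IP -p tcp --dport $p -j DROP"
    done
}

# Read kernel log text on stdin and print "SRC PORT COUNT" for each LAN host
# that tried to reach a blocked modem port, so repeat offenders stand out.
modem_attempt_summary() {
    grep 'MODEM-MGMT' \
      | sed -n 's/.*SRC=\([0-9.]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
      | sort | uniq -c \
      | awk '{ print $2 " " $3 " " $1 }'
}

# Constructed sample log lines in the shape iptables LOG writes (not real data).
SAMPLE_LOG='Jan  3 11:43:01 gw kernel: MODEM-MGMT IN=eth1 OUT=eth0 SRC=192.168.0.20 DST=192.168.100.1 PROTO=TCP SPT=50123 DPT=9100
Jan  3 11:43:05 gw kernel: MODEM-MGMT IN=eth1 OUT=eth0 SRC=192.168.0.20 DST=192.168.100.1 PROTO=TCP SPT=50124 DPT=9100
Jan  3 11:44:10 gw kernel: MODEM-MGMT IN=eth1 OUT=eth0 SRC=192.168.0.31 DST=192.168.100.1 PROTO=TCP SPT=41000 DPT=23'

echo "# rules for LAN interface eth1 (assumed name):"
modem_block_rules eth1
echo "# attempts in sample log (src port count):"
printf '%s\n' "$SAMPLE_LOG" | modem_attempt_summary
```

Pipe the generated rules to `sh` on the routing box to apply them, and feed real `dmesg`/`journalctl -k` output to `modem_attempt_summary` instead of the sample.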

