hxxp://rory.allford.net/2007/03/30/bebox-got-root/

I’ve recently switched to Be There from the cowboys at Pipex, and I have to say I’ve been impressed. Speed-wise, it’s terrific, especially for the price.

This post recounts my first exploration into the mysteries of the descriptively named “BeBox” through which the ADSL service is provided.

Since it arrived on the doorstep for free, I had expected it to be yet another of these mediocre but functional things with some lights and a basic web interface. Despite being adorned with a large pink star and sharing the SpeedTouch brand name with the (notoriously incompatible) “Frog”, it turns out the 780WL is made by Alcatel, and as such is a very different beast. The 4-port wireless router comes equipped with VoIP, QoS, an SPI firewall and routing tables complete with VLANing - it runs a BSD variant with a full CLI as if it were an enterprise-class networking device.

Be naturally hide all this interesting functionality from the end user, and the web based interface looks very run-of-the-mill and irritatingly hand-holding. I only realised there was more lurking under the surface when I found port 21 was open whilst idly Nmap-ing myself from a machine externally. Anticipation overriding any concern about the discovered security holes, I logged in with the provided (default) user account. The resulting access yielded very little functionality over that provided by the web-based interface, most “advanced” commands resulting in policy restriction error messages; nevertheless a remote attacker could certainly wreak some havoc. I needed root access, if only to switch telnet off!

The Speedtouch’s web-based GUI provides the option to backup and restore its configuration to an INI file. Sure enough, poking around in this I found what I was looking for (password hashes removed for obvious reasons):

[ mlpuser.ini ]
add name=Administrator password=_CYP_{removed} role=Administrator hash2={removed} defuser=enabled
add name=tech password=_CYP_{removed} role=TechnicalSupport hash2={removed} defremadmin=enabled
add name=BeTech password=_CYP_{removed} role=TechnicalSupport hash2={removed}
add name=bebox password=_CYP_{removed} role=root hash2={removed}

Well Administrator was me, but I wasn’t liking the look of the other three. Be use the same passwords for every customer hxxp://blogs.securiteam.com/index.php/archives/826, and this was leaving me wide open to attack. Commenting out those lines (in case Be do ever need to remotely login), and adding a user called root with role=root got me the access I required.

This configuration file also had a lot to reveal about services the box was exposing WAN-side:

[ servmgr.ini ]
...
ifadd name=HTTPs group=wan
ifadd name=FTP group=wan
ifadd name=TELNET group=wan
ifadd name=PING_RESPONDER group=wan
...

Certainly telnet and ftp were going right off. Https is for the web-based interface, and despite the “s” would still be exposing a login box a cracker could be run on. Finally I’m not a believer in letting all and sundry ping me (I hope to re-enable it specifically for Be’s server IPs when I get more acquainted with the CLI).

Another annoyance was that the box helpfully redirects all outgoing HTTP requests to an error page whenever the connection is down. Useful for a novice user. Annoying in a similar vein to Verisign’s Sitefinder as it’s not based on transparent proxying (as it should) but spoofing DNS! And even the former can cause problems for things that depend on a TCP timeout rather than a successful connection. (It even gives a HTTP 200 instead of 503 as proxy standards dictate).

This and and the web filtering that powers the “Parental Control” feature that appears locked in the On position is run using “Differentiated Service Delivery (DSD)”. I am not a fan:

[ dnss.ini ]
config domain=local timeout=15 suppress=0 state=enabled trace=disabled syslog=disabled WANDownSpoofing=disabled WDSpoofedIP=10.0.0.201
...

[ dsd.ini ]
...
config state=disabled
...

[ webfilter.ini ]
...
config state=disabled

Once that was all done, using the CLI and my newly-obtained root account, I managed to tweak out my DHCP and QoS settings (removing the bandwidth-throttling rules!). This is just a case of having the right reference material to hand. Unfortunately, despite the humorous “nerdy stuff inside” warning, the CD provided by Be only contains the “End-User” editions of the SpeedTouch manuals - the unabridged version and the CLI reference I’ve included below:

“BeBox” User Manual
“BeBox” CLI Reference

Immediately behind the BeBox I have my own firewall server running iptables, Squid and the usual on Gentoo, so I turned off the unsophisticated SpeedTouch IDS that was hampering my remote portscanning anyway, and put said machine in a DMZ. Next task is to put the built-in wireless interface into a WAN-detached VLAN with the server, but that’s another post…

hxxp://www.beforum.co.uk/forum/default.aspx?f=5&m=5352

I think it's a good idea to list a few useful CLI commands for our lovely BeBox

here are the ones I collected so far:



#These 3 make your bebox poll a group of NTP servers to keep the time accurate

sntp add name=uk.pool.ntp.org version=3
sntp config poll=60 pollpresync=60
sntp config state=enabled


#This one corrects the grouping operator and decimal place symbol for the en_GB locale.

system locale dec_symbol=. group_symbol=,


#enable ping responder:

service system ifadd name=PING_RESPONDER group=wan


#disable telnet , HTTPs and FTP on WAN (close ports)

service system ifdelete name=TELNET group=wan
service system ifdelete name=FTP group=wan
service system ifdelete name=HTTPs group=wan


#enable SNMP (e.g. for PRTG Traffic Grapher)

service system modify name=SNMP_AGENT state=enabled
snmp community add securityname=RWCommunity communityname=public


#enable nat loopback (access external IP from inside):

ip config natloopback=enabled


#fix against TCP timeouts

firewall config tcpchecks none


#disable DHCP server on LAN side (thanks Zadkiel)

dhcp server config state=disabled


Don't forget this command at the end to permanently save your settings if everything works as expected:
(otherwise all new settings are lost after the next restart)

saveall