COMMAND
Alcatel Speed Touch DSL modems
SYSTEMS AFFECTED
Alcatel Speed Touch DSL modems
PROBLEM
Researchers associated with the San Diego Supercomputer Center at
the University of California, San Diego have identified multiple
implementation flaws in the Alcatel Speed Touch ADSL "modem"
(actually an ADSL-Ethernet router/bridge). These flaws can allow
an intruder to take complete control of the device, including
changing its configuration, uploading new firmware, and disrupting
the communications between the telephone central office providing
ADSL service and the device.
These flaws allow the following malicious actions:
* changing the device's configuration such that the device can no
longer be accessed;
* disabling the device, either temporarily or permanently
(requiring return of the device to the manufacturer); and
* installation of malicious code, such as a network sniffer to
gather local LAN traffic (that is not being bridged), or code that
makes the box more easily/covertly remotely accessible.
One of the more interesting discoveries was a cryptographic
challenge-response back door that completely bypasses any password
that a user may have set on the device.
All testing to date has been done in LLC/SNAP bridge mode.
Routing mode was not tested. There may be other flaws that are
easier to exploit in that mode.
This advisory addresses the Speed Touch family of devices, and
similar devices apparently based on related code such as the
older Alcatel 1000 ADSL Network Termination device (1000 ADSL).
All testing was performed on the "Speed Touch Home", and limited
testing was performed on the 1000 ADSL. It is strongly suspected
that the "Speed Touch Pro" software is at least very similar to
that in the Speed Touch Home, so it is probable that the Pro is
vulnerable to similar attacks. Other members of the family
running software derived from the same code base would also be
expected to share these vulnerabilities.
Note that Alcatel renamed their entire Speed Touch product line a
few weeks ago at CeBIT, so the Home and Pro may have new
designations. The described flaws were demonstrated in all known
firmware versions of the Speed Touch Home, including:
KHDSAA.108 Jul 6 14:03:12 GMT 1999
KHDSAA.132 Nov 19 13:52:05 GMT 1999
KHDSBA.133 Mar 16 17:52:08 GMT 2000
KHDSAA.134 Apr 24 12:48:43 GMT 2000
The Alcatel 1000 ADSL does not have a user-settable password and
therefore does not share the cryptographic back door with the
Speed Touch Home. It has the additional vulnerability that access
through its HTTP server can not be restricted, and shares the TFTP
vulnerabilities described below with the Speed Touch Home. The
version of software in the 1000 ADSL tested was KA1HAA.112 Jan 26
09:51:00 GMT 1999.
By default, the device uses the IP address 10.0.0.138, although
this can be changed via HTTP, TFTP, or command line (TELNET)
interface. The device can have multiple IP addresses at the same
time.
There are several flaws, including user authentication issues,
fully accessible TFTP servers, and a lack of validation of
downloaded firmware.
The device has several flaws and one interesting "feature" in the
area of authentication.
Open front door - No default password
=====================================
As shipped, the device allows for configuration read/write access
with no password. This can be accomplished via TELNET or HTTP.
The file structure of the device's file systems can be examined
with FTP. The first mention of this appears to be from November
2000:
http://www.vnunet.fr/actu/article.htm?numero=6197&date=2000-11-06
In this article (in French), they suggest that you might want to
set the password before someone else does it for you.
Missing roof - password may be stolen/changed
=============================================
The password, if set, can be extracted from the device using TFTP.
Or, TFTP can be used to set or change the existing password. None
of these operations require any authentication at all. See below
on the use of TFTP.
Cryptographic back door - bypassing the password completely
===========================================================
If for some reason it is inconvenient to obtain or change the
password with TFTP, it can be directly bypassed by logging in as
the user "EXPERT", which will invoke a cryptographic
challenge-response sequence. The password will then be the
result of a cryptographic function applied to the "challenge"
string presented immediately before the request for the password.
For example, the FTP and TELNET dialogs look something like:
ftp> open 10.0.0.138
Connected to 10.0.0.138.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
Name (10.0.0.138:root): EXPERT
331 SpeedTouch (00-90-D0-00-00-00) User EXPERT OK. Password required.
Password:
230 OK
ftp>
telnet> open 10.0.0.138
Trying 10.0.0.138...
Connected to 10.0.0.138.
Escape character is '^]'.
User : EXPERT
SpeedTouch (00-90-D0-00-00-00)
Password : ##########
- -----------------------------------------------------------------------
*
* [ASCII-art banner: ALCATEL ADSL MODEM, Version 3.2, Copyright 1999-2000.]
*
- -----------------------------------------------------------------------
=>
In both examples above, the "challenge" string is
'SpeedTouch (00-90-D0-00-00-00)'
and the response (typically a ten-digit integer) in this case is
1552815226
Each device will have a unique response as it has a different
Ethernet MAC address, and the rest of the "challenge" string has
sometimes changed between firmware versions. Neither the
encryption algorithm nor its cryptovariables have been observed
to change across devices or software versions.
The biggest risk of this challenge-response scheme is that anyone
who knows the cryptographic algorithm and cryptovariables used to
validate the response has permanent access to ANY similar Alcatel
SpeedTouch device. There is NO WAY currently known to us for
anyone to disable this back door, other than by downloading custom
firmware.
It is worth noting that all of these potentially passworded TCP
services are supposedly available ONLY from the LAN side. As the
device is a MAC-layer bridge, it has no way of actually enforcing
this restriction, and in many cases these services are trivially
reachable from the WAN side due to the configuration of the
device and other devices on the LAN.
Open TFTP servers - via LAN, WAN and DSLAM
==========================================
The open TFTP server is trivially accessible from the "inside"
LAN, and access from the "outside" net may be only marginally
more difficult. It appears to be accessible to the ADSL
provider's DSLAM, or anyone with access to the copper ADSL loop,
with no additional authentication.
As shipped, the device provides an open TFTP server that can be
used to transfer files both to and from the device. This can be
used to extract the configuration from the device, or to change
the configuration of the device, as well as change, destroy or
subvert the device's firmware. For example, an attacker could
replace the device's firmware with malicious code, such as a
packet sniffer or a denial of service "zombie" such as Trin00 or
TFN2K. There is no known way for the user/owner to disable the
TFTP server. There is, of course, no authentication required for
any TFTP access.
Access via the inside LAN
=========================
Specifically, the TFTP server is available over normal UDP/IP on
the "inside" Ethernet, using any TFTP client. Using TFTP, one
can extract the password and other configuration data, as well as
a copy of the firmware.
More importantly, one can also upload new configuration
information, including a new (or no) password, as well as new
(perhaps malicious) firmware.
Access via the outside WAN (IP)
===============================
It is possible to attack from the "outside" WAN via IP protocols
by using any of the well-known methods to "bounce" UDP packets
through a host on the internal network.
This "attack" can be mounted no matter what the IP address of the
Speed Touch device, whether it is still set to a non-routed
address, such as the default 10.0.0.138, or whether the Speed Touch
device has been set to an address on the inside network. The
device's address does not even need to be known, as the TFTP
server in the device listens to the IP broadcast address
(255.255.255.255) IN ADDITION to any addresses configured by the
user/owner.
This behavior makes it trivial to "bounce" attacks through (for
example) the UDP ECHO port of a host computer that is attached to
the "inside" Ethernet network, without concern for what addresses
the Speed Touch device may be configured for or the concern that
it may be on a different logical subnet than the other systems on
the inside Ethernet.
In this example, one can send packets to the TFTP server from the
outside by sending TFTP UDP packets with a source address of
255.255.255.255 and a source port of TFTP to the UDP ECHO port of
any system on the internal network with a functioning UDP ECHO
server. When the "ECHO server" replies to the request, it will
interpret the (now) destination address of 255.255.255.255 as
local broadcast, and the packet will be broadcast on the Ethernet
with the destination port set to UDP TFTP.
Many networking devices (including the Speed Touch) provide a UDP
ECHO service, and in many cases (again, including the Speed Touch)
there is no way to disable the service.
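The bounce described above gives a border device a concrete signature to alert on. The following Python is an added example, not code from the advisory or from Alcatel: it classifies constructed WAN-side flow records by the three properties the text describes (a spoofed 255.255.255.255 source address, inbound UDP ECHO, and TFTP or broadcast-addressed UDP). The record format, addresses and function names are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

TFTP_PORT = 69
UDP_ECHO_PORT = 7
LIMITED_BROADCAST = "255.255.255.255"

# Constructed sample of inbound WAN-side records in a simplified
# "proto src:sport > dst:dport" form (not real captures).
SAMPLE_LOG = """\
udp 203.0.113.9:40212 > 192.0.2.10:53
udp 255.255.255.255:69 > 192.0.2.20:7
udp 203.0.113.9:4001 > 192.0.2.21:7
udp 198.51.100.4:3456 > 192.0.2.22:69
tcp 203.0.113.9:51000 > 192.0.2.10:80
udp 203.0.113.9:5000 > 255.255.255.255:69
"""

@dataclass
class Finding:
    record: str
    reason: str

def parse(record: str):
    """Split 'proto src:sport > dst:dport' into its five fields."""
    proto, src, _, dst = record.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto.lower(), sip, int(sport), dip, int(dport)

def classify(record: str) -> Optional[str]:
    """Return why an inbound record is suspicious, or None if it is not."""
    proto, sip, sport, dip, dport = parse(record)
    if proto != "udp":
        return None
    if sip == LIMITED_BROADCAST:
        # No legitimate packet carries the limited-broadcast address as its
        # source; an ECHO reply to it is broadcast on the inside LAN, where
        # the Speed Touch TFTP server also listens on 255.255.255.255.
        return "spoofed limited-broadcast source address"
    if dport == UDP_ECHO_PORT:
        # Any inbound ECHO traffic can turn a LAN host into a reflector.
        return "UDP ECHO reachable from the WAN"
    if dport == TFTP_PORT or dip == LIMITED_BROADCAST:
        return "TFTP or broadcast-addressed UDP entering from the WAN"
    return None

def scan(log: str) -> List[Finding]:
    """Run classify() over every non-empty record and collect the hits."""
    findings = []
    for record in log.splitlines():
        if record.strip():
            reason = classify(record)
            if reason:
                findings.append(Finding(record, reason))
    return findings
```

Records flagged by the first two rules are the ones a border filter should drop outright; the third rule covers the direct path to the TFTP server that the next section describes.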
It should be noted that the Speed Touch Home specifically does not
process source-routed packets by default. This decision appears
to be deliberate, as this is an easily configurable option that
the documentation explicitly recommends not be changed. This
configuration is presumably to discourage the obvious attack. The
1000 ADSL appears to not process source-routed packets at all.
However, this option provides some possibilities for the attacker.
If the attacker has only TFTP access (via a "bounce" or some other
mechanism), they could write a new configuration to the device
which would permit source-routing and default routing, and gain
full access either by also setting a new password or by using the
cryptographic back door.
Access via the outside WAN (DSLAM)
==================================
The Speed Touch device appears to have TFTP and SNMP servers
listening directly on the WAN side on AAL5-encapsulated VPI/VCIs
15/16 and 15/64. This feature presumably exists so that the ADSL
provider has full access to the device, without any form of
authentication. Therefore the ADSL providers have the ability to
upgrade the device, should Alcatel provide new firmware to address
these or other issues.
A paragraph from the _Alcatel Speed Touch Installation and User
Guide_, 3EC 16830 AAAA TCZZA Ed. 02, p.152:
17.1 Software Download from the Network
This feature is controlled by the ADSL Provider. At some
point in time he might decide to upgrade the software in your
_Speed Touch_. This download will happen almost unnoticed.
You will see a change in the software version though if you
surf to the _Speed Touch_'s Upgrade page.
These capabilities are also available to anyone with the proper
equipment and access to the copper loop, such as at the
residential TELCO DEMARC outside a home, or a street-side "ped".
Theoretically, anyone who can emulate a central office DSLAM
(ATU-C) can "clip on" to the phone line and take full control of
the device. Note that since some of the same DMT chip sets are
sold for use in both remote devices (ATU-R), such as the Speed
Touch, and in central office equipment, such as DSLAMs (ATU-C),
it is probable that constructing an improvised single-line
"portable DSLAM" is not out of reach for a somewhat determined
attacker.
Inadequate validation of firmware
=================================
The Alcatel devices do not appear to do any sort of authenticity
or integrity checking on firmware downloaded to them. This
behavior makes it easier for an abuser to generate a firmware
file that will be accepted as a valid firmware "load". This bogus
firmware could contain malicious code, such as a network sniffer
or denial of service tool.
As a demonstration a modified version of the firmware, with
"interesting" security properties was loaded into a SpeedTouch
Home. The firmware was accepted, decompressed, and executed
without question.
It is remarkable that for every method provided for accessing the
box (HTTP, TELNET, FTP, and TFTP) it is possible to directly bypass
any access controls the owner may try to put in place.
It seems very poor form to let a user set a password that they
believe will be enforced while deliberately leaving such a back
door, especially given that there are other (well documented)
mechanisms for clearing or resetting a password should it become
lost.
A malicious firmware load could be carried as a worm or virus
payload to a host on the inside Ethernet, and could survive the
eradication of the worm or virus on the host platform.
The Speed Touch Home has an EXPERT mode (distinct from the use of
EXPERT to bypass the password mechanism) which can be used to
discover interesting information about the ADSL line operational
parameters, ATM cell statistics, etc. This mode can also be used
to set a wide variety of device and interface parameters, as well
as partitioning, formatting, and erasing the flash file system.
It can provide extremely valuable information for debugging an
ADSL connection. Entry to this mode is restricted by the same
cryptographic challenge-response mechanism that is used as a back
door to bypass the password.
If the ADSL provider has not provided the password to the device,
a tool is available to provide the password in the "Alcatel ADSL
Modem Owner's Self-Help Guide", at:
http://security.sdsc.edu/self-help/alcatel
This page has some additional information related to this
advisory, as well as some tools and hints for the Alcatel ADSL
modem owner.
Authors of this advisory are Tsutomu Shimomura and Tom Perrine.
Even the Speed Touch Pro router is affected by the same problem.
Stefano "NeURo" Chiccarelli also found that the Speed Touch Pro
router bundled with the NetEconomy ADSL group/multigroup offering
from Telecom Italia, which works in CIP (Classical IP) mode (and
therefore with a PUBLIC IP address), is subject to remote attack if
the firewalling on/off setting has been disabled on the ATM
interface.
This feature can be disabled from the CLI by telnetting to the
router and issuing the command "ipconfig firewalling off".
At that point the unauthenticated TFTP server can be used by a
remote attacker directly over IP (i.e. there is no need to be
"located" on the ATU-C):
tftp -i ip GET active/system.ini
With this command an attacker can "fetch" the password stored
inside this file (in unencrypted form). This is an "add-on" to the
back door discovered by Tom Perrine and Tsutomu Shimomura.
Note that many people may have disabled this feature in order to
allow remote administration, pinging and so on. Furthermore, the
PRO firmware called build134.134 is the same as the HOME firmware,
called KHDSAA.134.
SOLUTION
Use a firewall.