Bugtraq mailing list archives
AW: Security Bug in Bintec Router Firmware (CLID)
From: ts () bintec de (Thomas Schmidt)
Date: Thu, 11 Feb 1999 13:19:16 +0100
Pascal Gienger wrote:
> Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier
>
> Abstract:
> Non-interpretation of "international" or "national" incoming call setup leads to a security problem when you accept connections based on their incoming call number.
>
> Bintec is a manufacturer of routers whose market share is growing steadily. So the following information should be of general interest.
>
> Bintec Routers are shipped with the BOSS Operating system, current release is V4.9, Rel.3.
>
> Bricks do support besides PPP links also raw IP encapsulation over HDLC frames (ISDN Line). In the latter case, WAN partners are distinguished based upon their incoming call number (CLID), so you must "trust" your telephone company for issuing the right information. People may set their own "outgoing" number, but only the ones marked as "screened" by the telco are looked at.

There is a security mechanism available for all BinTec Routers that can be used to verify if the "Calling Party Number" of an incoming call was modified by the calling party. The SETUP message of an incoming call at an ISDN interface contains a parameter field called "Screening Indicator". This Screening Indicator cannot be set by the originating user, but it is modified by the first exchange at the call originator side. Possible values for the screening indicator are (refer to ITU Q.931 or ETSI 300 102-1):

- "user-provided - not screened"
- "user-provided - verified and passed"
- "user-provided - verified and failed"
- "network provided"

From firmware revision BOSS V4.8 Release 1, the user could select if the screening indicator is verified and specify the expected value. This can be done for every individual number, and is selected by modification of the SNMP configuration table "dialtable".

Unfortunately there are many smaller PABX (private branch exchange) used by our customers that do not pass through the value of the screening indicator without modification, so we decided not to verify all numbers by default. For users of raw IP connections, we recommend verification of the screening indicator.

# Thomas Schmidt / Product Manager
# BinTec Communications AG
# D-90449 Nuernberg / Suedwestpark 94
# Phone : 49-911-9673-0
# Fax : 49-911-6880725
# EMail : ts () bintec de
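
The screening-indicator check discussed in this message, as an added example that is not part of the original posts and is not BinTec's code: it decodes a Q.931 "Calling party number" information element and accepts a caller only when the digits, the type of number and the screening indicator all match. The function names, the acceptance policy (screening values 1 and 3) and the sample elements are assumptions made for illustration.

```python
# Added example: decode a Q.931 "Calling party number" IE and apply a CLID policy.
# Function names, the policy and the sample IEs are illustrative assumptions.
CPN_IE_ID = 0x6C
SCREENING = {0: "user-provided, not screened",
             1: "user-provided, verified and passed",
             2: "user-provided, verified and failed",
             3: "network provided"}
TON_NATIONAL, TON_INTERNATIONAL = 2, 1

def parse_cpn(ie: bytes) -> dict:
    """Decode identifier, length, octet 3, optional octet 3a and the digits."""
    if len(ie) < 3 or ie[0] != CPN_IE_ID or ie[1] != len(ie) - 2:
        raise ValueError("malformed Calling party number IE")
    body = ie[2:]
    ton, plan = (body[0] >> 4) & 0x07, body[0] & 0x0F
    # Octet 3a absent (ext bit set in octet 3): Q.931 defaults apply,
    # i.e. presentation allowed and "user-provided, not screened".
    presentation, screening, pos = 0, 0, 1
    if not body[0] & 0x80:
        if len(body) < 2:
            raise ValueError("octet 3a announced but missing")
        presentation, screening, pos = (body[1] >> 5) & 0x03, body[1] & 0x03, 2
    return {"ton": ton, "plan": plan, "presentation": presentation,
            "screening": screening, "digits": body[pos:].decode("ascii")}

def accept_caller(ie, digits, ton, allowed_screening=frozenset({1, 3})):
    """Accept only if number, type of number and screening indicator all match."""
    try:
        cpn = parse_cpn(ie)
    except ValueError:  # also covers non-ASCII digit octets
        return False
    return (cpn["digits"] == digits and cpn["ton"] == ton
            and cpn["screening"] in allowed_screening)

def build_cpn(header: bytes, digits: str) -> bytes:
    """Construct a sample IE from octet 3 (+3a) and the number digits."""
    body = header + digits.encode("ascii")
    return bytes([CPN_IE_ID, len(body)]) + body

# Constructed samples; "5550100" is a made-up number.
NETWORK_PROVIDED = build_cpn(b"\x21\x83", "5550100")  # national, screening 3
NOT_SCREENED = build_cpn(b"\x21\x80", "5550100")      # national, screening 0
NO_OCTET_3A = build_cpn(b"\xa1", "5550100")           # defaults to screening 0
INTERNATIONAL = build_cpn(b"\x11\x83", "5550100")     # same digits, other TON

if __name__ == "__main__":
    for name in ("NETWORK_PROVIDED", "NOT_SCREENED", "NO_OCTET_3A", "INTERNATIONAL"):
        ie = globals()[name]
        print(name, SCREENING[parse_cpn(ie)["screening"]],
              accept_caller(ie, "5550100", TON_NATIONAL))
```

A PABX that rewrites the screening indicator, as described in the reply above, would make the `NOT_SCREENED` case the normal one for legitimate callers, which is the trade-off behind leaving the check off by default.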