Bugtraq mailing list archives

AW: Security Bug in Bintec Router Firmware (CLID)


From: ts () bintec de (Thomas Schmidt)
Date: Thu, 11 Feb 1999 13:19:16 +0100


Pascal Gienger wrote:

Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier

Abstract:
Non-interpretation of "international" or "national" incoming call setup
leads to a security problem when you accept connections based on their
incoming call number.

Bintec is a manufacturer of routers whose market share is growing steadily.
So the following information should be of general interest.
Bintec Routers are shipped with the BOSS Operating system, current release
is V4.9, Rel.3.

Bricks do support besides PPP links also raw IP encapsulation over HDLC
frames (ISDN Line).
In the latter case, WAN partners are distinguished based upon their incoming
call number (CLID), so you must "trust" your telephone company for issuing
the right information. People may set their own "outgoing" number, but only
the ones marked as "screened" by the telco are looked at.



There is a security mechanism available for all BinTec Routers that can be
used to verify if the "Calling Party Number" of an incoming call was modified
by the calling party.


The SETUP-message of an incoming call at an ISDN-interface contains
a parameter field called "Screening Indicator". This Screening Indicator
cannot be set by the originating user, but it is modified by the first
exchange at the call originator side. Possible values for the screening
indicator are (refer to ITU Q.931 or ETSI 300 102-1):
        - "user-provided - not screened"
        - "user-provided - verified and passed"
        - "user-provided - verified and failed"
        - "network provided"

From firmware revision BOSS V4.8 Release 1, the user could select
if the screening indicator is verified and specify the expected value.
This can be done for every individual number, and is selected by
modification of the SNMP configuration table "dialtable".

Unfortunately there are many smaller PABX (private branch exchange)
used by our customers that do not pass through the value of the
screening indicator without modification, so we decided not to verify
all numbers by default.

For users of raw IP connections, we recommend verification of the
screening indicator.

# Thomas Schmidt / Product Manager
# BinTec Communications AG
# D-90449 Nuernberg / Suedwestpark 94
# Phone : 49-911-9673-0
# Fax   : 49-911-6880725
# EMail : ts () bintec de
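
Added example, not part of the original message and not BinTec firmware code: a sketch of the check described above, decoding the Calling Party Number information element of a Q.931 SETUP message and trusting the CLID only when the screening indicator says the network verified or supplied it. The function names, the accept policy and the sample bytes are assumptions constructed for illustration.

```python
from typing import NamedTuple

SCREENING = {
    0: "user-provided - not screened",
    1: "user-provided - verified and passed",
    2: "user-provided - verified and failed",
    3: "network provided",
}
TRUSTED = {1, 3}  # assumed policy: only telco-verified or telco-supplied numbers

class CallingParty(NamedTuple):
    type_of_number: int  # 1 = international, 2 = national (bits 7-5 of octet 3)
    screening: int       # key into SCREENING (bits 2-1 of octet 3a)
    digits: str

def parse_calling_party(ie: bytes) -> CallingParty:
    """Decode one Calling Party Number IE (identifier 0x6C, then length)."""
    if len(ie) < 3 or ie[0] != 0x6C:
        raise ValueError("not a Calling Party Number IE")
    body = ie[2:2 + ie[1]]
    if not body or len(body) != ie[1]:
        raise ValueError("truncated IE")
    octet3, pos = body[0], 1
    screening = 0  # octet 3a absent: handled here as "not screened"
    if not octet3 & 0x80:  # extension bit 0 means octet 3a follows
        if len(body) < 2:
            raise ValueError("octet 3a missing")
        screening, pos = body[1] & 0x03, 2
    return CallingParty((octet3 >> 4) & 0x07, screening, body[pos:].decode("ascii"))

def clid_trusted(ie: bytes, expected_digits: str) -> bool:
    """Accept the caller only if the number matches AND the network vouches for it."""
    try:
        cp = parse_calling_party(ie)
    except ValueError:  # malformed IE or non-ASCII digits: never trust
        return False
    return cp.screening in TRUSTED and cp.digits == expected_digits

# Constructed sample IEs (national number, ISDN numbering plan, made-up digits).
DIGITS = b"91112345"
SAMPLE_PASSED = bytes([0x6C, 2 + len(DIGITS), 0x21, 0x81]) + DIGITS
SAMPLE_UNSCREENED = bytes([0x6C, 2 + len(DIGITS), 0x21, 0x80]) + DIGITS
SAMPLE_NO_OCTET_3A = bytes([0x6C, 1 + len(DIGITS), 0xA1]) + DIGITS

if __name__ == "__main__":
    for name in ("SAMPLE_PASSED", "SAMPLE_UNSCREENED", "SAMPLE_NO_OCTET_3A"):
        cp = parse_calling_party(globals()[name])
        print(name, SCREENING[cp.screening], clid_trusted(globals()[name], "91112345"))
```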


