Security flaw in Airtel DSL modems

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Security flaw in Airtel DSL modems
From: shr@xxxxxxxxxxxx
Date: 16 Sep 2008 08:49:52 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Hi,

I've found a few problems with the way DSL modems by a vendor Bharti and 
provided by Airtel (an Indian ISP) are setup. I've been talking
with Airtel on this over the past couple of months to try to get them to close 
the vulnerability. They feel that they have addressed the issue appropriately. 
Please find the details of the vulnerability below in the forwarded emails. The 
vulnerability can be verified by trying a telnet on any random Airtel IP (say 
122.167.xx.xx).

Cheers,
Shishir

---------- Forwarded message ----------
From: Shishir Birmiwal <shr@xxxxxxxxxxxx>
Date: Tue, Sep 2, 2008 at 1:14 PM
Subject: Re: Security flaw in airtel provided DSL modems
To: care.karnataka@xxxxxxxxx


Hello,

Following up on our conversations, I am sharing with you further details of 
this vulnerability. These problems have been confirmed in 220 bx series of DSL 
modems and are also present in a number of other modems.

1. The modems have accounts besides "admin" which have super-user [root, 
uid=guid=0] access. There accounts are "nobody", "user", "support". At the time 
of modem installation, Airtel staff usually
asks the subscriber to change his/her "admin" password on the modem - but 
people rarely do [can be verified by logging in using default admin password on 
random airtel modem IPs]. The passwords for (and even the existance of) the 
other accounts are not revealed.

2. These accounts have their passwords set to the same simple crackable [using 
JtR] value across _all_ modems. Worse yet, the passwords are available as 
javascript variables in clear text in the HTML UI for changing passwords. They 
are apparently there for user input validation (is the old password correct?). 
Using these
passwords, one can log as super-user on _any_ airtel modem provided to 
subscribers.

3. All airtel modems have their external login port (telnet) enabled.
A telnet to the modem, after logging in gives access to the internal (linux) 
system shell, from where a malicous user (cracker) can change
system configuration and modify/tap network traffic. Most subscribers are not 
technically inclined to even know what it means - far from
being able to turn it off.

4. The modems also provide an interface for updating their firmware.
The firmware image is readily available for download from airtel's website, and 
many other websites. The firmware image consists of a
linux kernel, root file-system, configuration and (maybe) other binary blobs. 
There seems to be no security/check on firmware image's
authority. It is easy to modify a firmware image and replace the 
root-filesystem with a malicious root-filesystem. Worse yet, the modified root 
file-system could effectively disable further firmware updates. A malicious 
firmware image could provide an attacker with complete access and control on 
the modem and the network traffic on the modems.

5. Once an attacker has access to a modem (through telnet and/or a firmware 
update), he/she can launch the following attacks and/or more:
 * use MITM attacks to capture encrypted data, including passwords, credit-card 
numbers and other confidential data
 * inject malicious content into the network stream which can hijack the user's 
system [viruses, trojans, malware, bots]
 * sniff, tap and monitor the network user and his/her actions online
 * redirect user's traffic and subject the user to SPAM, Ads, or use DNS 
poisoning in inventive ways
 * generate network traffic to launch DDoS attacks - effectively hijacking the 
user's internet connection and making them zombie bots
 * redirect nefarious network activities through hijacked modems to make it 
difficult/impossible to track the attack source/origin, and carry out illegal 
activities. In such cases, the blame might go to an innocent Airtel subscriber 
as his/her IP would apparently be the source of the illegal activity.

There is no limit to the creativity of attackers once a vulnerability is 
available, so these are just my guesses. There may be other attacks
possible. I believe, the ones I have listed are bad enough.

6. The telnet / HTTP modem configuration interface provides user identifiable 
content [phone number, ISP login and password]


I believe that the problems I have listed are serious enough to warrant some 
action from your side to protect your customers. I believe that sharing this 
information with you early has helped/will help you work out a strategy which 
you can use to close these problems. In the same spirit, I have given you over 
a month's time
since my initial notification (of 30 days) and am giving you more time till 
September 15 to address these problems in a manner that you see
fit. I had tried to contact you in Feb on the same issue, but had not received 
any response.

One of the causes that has given an urgency to this problem is that I have 
discovered people reporting this vulnerability in underground
networks. It is only time before they stumble on the full problem and exploit 
this. By sharing this information with you, I am enabling you
to close this issue early.

Thank you for your time.

Cheers,
Shishir



On Fri, Jul 25, 2008 at 9:32 PM, Shishir Birmiwal <shr@xxxxxxxxxxxx> wrote:
>
> ------------------------
> This advisory is being provided to you under the policy documented at
> http://www.wiretrip.net/rfp/policy.html. You are encouraged to read
> this policy; however, in the interim, you have approximately 5 days to
> respond to this initial email. This policy encourages open
> communication, and I look forward to working with you on resolving the
> problem detailed below.
> -------------------------
>
> Hello,
>
>  I have discovered a problem in the way accounts are setup in the
>  airtel issued modems (esp. in 220bx series of modems).
>  As a result of the problem, the modem can be hijacked by malicious
>  parties and the modems can be used as bots or for harvesting
>  personal/confidential information, tapping all internet usage,
>  spamming, (D)DoS, and launching MITM attacks, among other activities.
>  Essentially, the problem allows a remote network entity to log into
>  the modem and acquire root privilege. Once running as root, the entity
>  can intercept, monitor and change all internet traffic of the modem
>  user.
>
>  The security flaw deals with the way:
>  * account(s) are created
>  * default settings for remote access to the modem are set
>  * mechanism in which the passwords are protected/displayed to the user
>  * the way in which the password(s) are created/set for each modem
>
>  Due to the serious nature of the flaw, I would not like to divulge
>  more details to this broad list of people I have emailed. I will be more than
>  happy to give details if an appropriate/authorised entity emails back.
>  I would like to raise this concern and flag this to you in hopes that
>  you will be able to push out a firmware update patch to fix these
>  issues.
>
>  I intend to disclose this vulnerability online in 30 days. You have 5 days to
>  respond to this email, failing which, I will report this issue online in 5 
> days
>  from today.
>
> Cheers,
> Shishir
Prev by Date: [ MDVSA-2008:196 ] mplayer
Next by Date: [ MDVSA-2008:182-1 ] wordnet
Previous by thread: [ MDVSA-2008:196 ] mplayer
Next by thread: [ MDVSA-2008:182-1 ] wordnet
Index(es):
- Date
- Thread