Security flaw in Airtel DSL modems
Hi,
I've found a few problems with the way DSL modems by a vendor Bharti and
provided by Airtel (an Indian ISP) are setup. I've been talking
with Airtel on this over the past couple of months to try to get them to close
the vulnerability. They feel that they have addressed the issue appropriately.
Please find the details of the vulnerability below in the forwarded emails. The
vulnerability can be verified by trying a telnet on any random Airtel IP (say
122.167.xx.xx).
Cheers,
Shishir
---------- Forwarded message ----------
From: Shishir Birmiwal <shr@xxxxxxxxxxxx>
Date: Tue, Sep 2, 2008 at 1:14 PM
Subject: Re: Security flaw in airtel provided DSL modems
To: care.karnataka@xxxxxxxxx
Hello,
Following up on our conversations, I am sharing with you further details of
this vulnerability. These problems have been confirmed in 220 bx series of DSL
modems and are also present in a number of other modems.
1. The modems have accounts besides "admin" which have super-user [root,
uid=guid=0] access. There accounts are "nobody", "user", "support". At the time
of modem installation, Airtel staff usually
asks the subscriber to change his/her "admin" password on the modem - but
people rarely do [can be verified by logging in using default admin password on
random airtel modem IPs]. The passwords for (and even the existance of) the
other accounts are not revealed.
2. These accounts have their passwords set to the same simple crackable [using
JtR] value across _all_ modems. Worse yet, the passwords are available as
javascript variables in clear text in the HTML UI for changing passwords. They
are apparently there for user input validation (is the old password correct?).
Using these
passwords, one can log as super-user on _any_ airtel modem provided to
subscribers.
3. All airtel modems have their external login port (telnet) enabled.
A telnet to the modem, after logging in gives access to the internal (linux)
system shell, from where a malicous user (cracker) can change
system configuration and modify/tap network traffic. Most subscribers are not
technically inclined to even know what it means - far from
being able to turn it off.
4. The modems also provide an interface for updating their firmware.
The firmware image is readily available for download from airtel's website, and
many other websites. The firmware image consists of a
linux kernel, root file-system, configuration and (maybe) other binary blobs.
There seems to be no security/check on firmware image's
authority. It is easy to modify a firmware image and replace the
root-filesystem with a malicious root-filesystem. Worse yet, the modified root
file-system could effectively disable further firmware updates. A malicious
firmware image could provide an attacker with complete access and control on
the modem and the network traffic on the modems.
5. Once an attacker has access to a modem (through telnet and/or a firmware
update), he/she can launch the following attacks and/or more:
* use MITM attacks to capture encrypted data, including passwords, credit-card
numbers and other confidential data
* inject malicious content into the network stream which can hijack the user's
system [viruses, trojans, malware, bots]
* sniff, tap and monitor the network user and his/her actions online
* redirect user's traffic and subject the user to SPAM, Ads, or use DNS
poisoning in inventive ways
* generate network traffic to launch DDoS attacks - effectively hijacking the
user's internet connection and making them zombie bots
* redirect nefarious network activities through hijacked modems to make it
difficult/impossible to track the attack source/origin, and carry out illegal
activities. In such cases, the blame might go to an innocent Airtel subscriber
as his/her IP would apparently be the source of the illegal activity.
There is no limit to the creativity of attackers once a vulnerability is
available, so these are just my guesses. There may be other attacks
possible. I believe, the ones I have listed are bad enough.
6. The telnet / HTTP modem configuration interface provides user identifiable
content [phone number, ISP login and password]
I believe that the problems I have listed are serious enough to warrant some
action from your side to protect your customers. I believe that sharing this
information with you early has helped/will help you work out a strategy which
you can use to close these problems. In the same spirit, I have given you over
a month's time
since my initial notification (of 30 days) and am giving you more time till
September 15 to address these problems in a manner that you see
fit. I had tried to contact you in Feb on the same issue, but had not received
any response.
One of the causes that has given an urgency to this problem is that I have
discovered people reporting this vulnerability in underground
networks. It is only time before they stumble on the full problem and exploit
this. By sharing this information with you, I am enabling you
to close this issue early.
Thank you for your time.
Cheers,
Shishir
On Fri, Jul 25, 2008 at 9:32 PM, Shishir Birmiwal <shr@xxxxxxxxxxxx> wrote:
>
> ------------------------
> This advisory is being provided to you under the policy documented at
> http://www.wiretrip.net/rfp/policy.html. You are encouraged to read
> this policy; however, in the interim, you have approximately 5 days to
> respond to this initial email. This policy encourages open
> communication, and I look forward to working with you on resolving the
> problem detailed below.
> -------------------------
>
> Hello,
>
> I have discovered a problem in the way accounts are setup in the
> airtel issued modems (esp. in 220bx series of modems).
> As a result of the problem, the modem can be hijacked by malicious
> parties and the modems can be used as bots or for harvesting
> personal/confidential information, tapping all internet usage,
> spamming, (D)DoS, and launching MITM attacks, among other activities.
> Essentially, the problem allows a remote network entity to log into
> the modem and acquire root privilege. Once running as root, the entity
> can intercept, monitor and change all internet traffic of the modem
> user.
>
> The security flaw deals with the way:
> * account(s) are created
> * default settings for remote access to the modem are set
> * mechanism in which the passwords are protected/displayed to the user
> * the way in which the password(s) are created/set for each modem
>
> Due to the serious nature of the flaw, I would not like to divulge
> more details to this broad list of people I have emailed. I will be more than
> happy to give details if an appropriate/authorised entity emails back.
> I would like to raise this concern and flag this to you in hopes that
> you will be able to push out a firmware update patch to fix these
> issues.
>
> I intend to disclose this vulnerability online in 30 days. You have 5 days to
> respond to this email, failing which, I will report this issue online in 5
> days
> from today.
>
> Cheers,
> Shishir