Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20533
HistorySep 16, 2008 - 12:00 a.m.

Security flaw in Airtel DSL modems

2008-09-1600:00:00
vulners.com
43
JSON

Hi,

I've found a few problems with the way DSL modems by a vendor Bharti and provided by Airtel (an Indian ISP) are setup.
I've been talking
with Airtel on this over the past couple of months to try to get them to close the vulnerability. They feel that they have
addressed the issue appropriately. Please find the details of the vulnerability below in the forwarded emails. The
vulnerability can be verified by trying a telnet on any random Airtel IP (say 122.167.xx.xx).

Cheers,
Shishir

---------- Forwarded message ----------
From: Shishir Birmiwal <[email protected]>
Date: Tue, Sep 2, 2008 at 1:14 PM
Subject: Re: Security flaw in airtel provided DSL modems
To: [email protected]

Hello,

Following up on our conversations, I am sharing with you further details of this vulnerability. These problems have been
confirmed in 220 bx series of DSL modems and are also present in a number of other modems.

  1. The modems have accounts besides "admin" which have super-user [root, uid=guid=0] access. There accounts are "nobody",
    "user", "support". At the time of modem installation, Airtel staff usually
    asks the subscriber to change his/her "admin" password on the modem - but people rarely do [can be verified by logging in
    using default admin password on random airtel modem IPs]. The passwords for (and even the existance of) the other accounts
    are not revealed.

  2. These accounts have their passwords set to the same simple crackable [using JtR] value across all modems. Worse yet,
    the passwords are available as javascript variables in clear text in the HTML UI for changing passwords. They are
    apparently there for user input validation (is the old password correct?). Using these
    passwords, one can log as super-user on any airtel modem provided to subscribers.

  3. All airtel modems have their external login port (telnet) enabled.
    A telnet to the modem, after logging in gives access to the internal (linux) system shell, from where a malicous user
    (cracker) can change
    system configuration and modify/tap network traffic. Most subscribers are not technically inclined to even know what it
    means - far from
    being able to turn it off.

  4. The modems also provide an interface for updating their firmware.
    The firmware image is readily available for download from airtel's website, and many other websites. The firmware image
    consists of a
    linux kernel, root file-system, configuration and (maybe) other binary blobs. There seems to be no security/check on
    firmware image's
    authority. It is easy to modify a firmware image and replace the root-filesystem with a malicious root-filesystem. Worse
    yet, the modified root file-system could effectively disable further firmware updates. A malicious firmware image could
    provide an attacker with complete access and control on the modem and the network traffic on the modems.

  5. Once an attacker has access to a modem (through telnet and/or a firmware update), he/she can launch the following
    attacks and/or more:

  • use MITM attacks to capture encrypted data, including passwords, credit-card numbers and other confidential data
  • inject malicious content into the network stream which can hijack the user's system [viruses, trojans, malware, bots]
  • sniff, tap and monitor the network user and his/her actions online
  • redirect user's traffic and subject the user to SPAM, Ads, or use DNS poisoning in inventive ways
  • generate network traffic to launch DDoS attacks - effectively hijacking the user's internet connection and making them
    zombie bots
  • redirect nefarious network activities through hijacked modems to make it difficult/impossible to track the attack
    source/origin, and carry out illegal activities. In such cases, the blame might go to an innocent Airtel subscriber as
    his/her IP would apparently be the source of the illegal activity.

There is no limit to the creativity of attackers once a vulnerability is available, so these are just my guesses. There
may be other attacks
possible. I believe, the ones I have listed are bad enough.

  1. The telnet / HTTP modem configuration interface provides user identifiable content [phone number, ISP login and
    password]

I believe that the problems I have listed are serious enough to warrant some action from your side to protect your
customers. I believe that sharing this information with you early has helped/will help you work out a strategy which you
can use to close these problems. In the same spirit, I have given you over a month's time
since my initial notification (of 30 days) and am giving you more time till September 15 to address these problems in a
manner that you see
fit. I had tried to contact you in Feb on the same issue, but had not received any response.

One of the causes that has given an urgency to this problem is that I have discovered people reporting this vulnerability
in underground
networks. It is only time before they stumble on the full problem and exploit this. By sharing this information with you,
I am enabling you
to close this issue early.

Thank you for your time.

Cheers,
Shishir

On Fri, Jul 25, 2008 at 9:32 PM, Shishir Birmiwal <[email protected]> wrote:
>
> ------------------------
> This advisory is being provided to you under the policy documented at
> http://www.wiretrip.net/rfp/policy.html. You are encouraged to read
> this policy; however, in the interim, you have approximately 5 days to
> respond to this initial email. This policy encourages open
> communication, and I look forward to working with you on resolving the
> problem detailed below.
> -------------------------
>
> Hello,
>
> I have discovered a problem in the way accounts are setup in the
> airtel issued modems (esp. in 220bx series of modems).
> As a result of the problem, the modem can be hijacked by malicious
> parties and the modems can be used as bots or for harvesting
> personal/confidential information, tapping all internet usage,
> spamming, (D)DoS, and launching MITM attacks, among other activities.
> Essentially, the problem allows a remote network entity to log into
> the modem and acquire root privilege. Once running as root, the entity
> can intercept, monitor and change all internet traffic of the modem
> user.
>
> The security flaw deals with the way:
> * account(s) are created
> * default settings for remote access to the modem are set
> * mechanism in which the passwords are protected/displayed to the user
> * the way in which the password(s) are created/set for each modem
>
> Due to the serious nature of the flaw, I would not like to divulge
> more details to this broad list of people I have emailed. I will be more than
> happy to give details if an appropriate/authorised entity emails back.
> I would like to raise this concern and flag this to you in hopes that
> you will be able to push out a firmware update patch to fix these
> issues.
>
> I intend to disclose this vulnerability online in 30 days. You have 5 days to
> respond to this email, failing which, I will report this issue online in 5 days
> from today.
>
> Cheers,
> Shishir

JSON