Security flaw in Airtel DSL modems

[shr () birmiwal net]

Hi,

I've found a few problems with the way DSL modems by a vendor Bharti and provided by Airtel (an Indian ISP) are setup. 
I've been talking
with Airtel on this over the past couple of months to try to get them to close the vulnerability. They feel that they 
have addressed the issue appropriately. Please find the details of the vulnerability below in the forwarded emails. The 
vulnerability can be verified by trying a telnet on any random Airtel IP (say 122.167.xx.xx).

Cheers,
Shishir

---------- Forwarded message ----------
From: Shishir Birmiwal <shr () birmiwal net>
Date: Tue, Sep 2, 2008 at 1:14 PM
Subject: Re: Security flaw in airtel provided DSL modems
To: care.karnataka () airtel in


Hello,

Following up on our conversations, I am sharing with you further details of this vulnerability. These problems have 
been confirmed in 220 bx series of DSL modems and are also present in a number of other modems.

1. The modems have accounts besides "admin" which have super-user [root, uid=guid=0] access. There accounts are 
"nobody", "user", "support". At the time of modem installation, Airtel staff usually
asks the subscriber to change his/her "admin" password on the modem - but people rarely do [can be verified by logging 
in using default admin password on random airtel modem IPs]. The passwords for (and even the existance of) the other 
accounts are not revealed.

2. These accounts have their passwords set to the same simple crackable [using JtR] value across _all_ modems. Worse 
yet, the passwords are available as javascript variables in clear text in the HTML UI for changing passwords. They are 
apparently there for user input validation (is the old password correct?). Using these
passwords, one can log as super-user on _any_ airtel modem provided to subscribers.

3. All airtel modems have their external login port (telnet) enabled.
A telnet to the modem, after logging in gives access to the internal (linux) system shell, from where a malicous user 
(cracker) can change
system configuration and modify/tap network traffic. Most subscribers are not technically inclined to even know what it 
means - far from
being able to turn it off.

4. The modems also provide an interface for updating their firmware.
The firmware image is readily available for download from airtel's website, and many other websites. The firmware image 
consists of a
linux kernel, root file-system, configuration and (maybe) other binary blobs. There seems to be no security/check on 
firmware image's
authority. It is easy to modify a firmware image and replace the root-filesystem with a malicious root-filesystem. 
Worse yet, the modified root file-system could effectively disable further firmware updates. A malicious firmware image 
could provide an attacker with complete access and control on the modem and the network traffic on the modems.

5. Once an attacker has access to a modem (through telnet and/or a firmware update), he/she can launch the following 
attacks and/or more:
 * use MITM attacks to capture encrypted data, including passwords, credit-card numbers and other confidential data
 * inject malicious content into the network stream which can hijack the user's system [viruses, trojans, malware, bots]
 * sniff, tap and monitor the network user and his/her actions online
 * redirect user's traffic and subject the user to SPAM, Ads, or use DNS poisoning in inventive ways
 * generate network traffic to launch DDoS attacks - effectively hijacking the user's internet connection and making 
them zombie bots
 * redirect nefarious network activities through hijacked modems to make it difficult/impossible to track the attack 
source/origin, and carry out illegal activities. In such cases, the blame might go to an innocent Airtel subscriber as 
his/her IP would apparently be the source of the illegal activity.

There is no limit to the creativity of attackers once a vulnerability is available, so these are just my guesses. There 
may be other attacks
possible. I believe, the ones I have listed are bad enough.

6. The telnet / HTTP modem configuration interface provides user identifiable content [phone number, ISP login and 
password]


I believe that the problems I have listed are serious enough to warrant some action from your side to protect your 
customers. I believe that sharing this information with you early has helped/will help you work out a strategy which 
you can use to close these problems. In the same spirit, I have given you over a month's time
since my initial notification (of 30 days) and am giving you more time till September 15 to address these problems in a 
manner that you see
fit. I had tried to contact you in Feb on the same issue, but had not received any response.

One of the causes that has given an urgency to this problem is that I have discovered people reporting this 
vulnerability in underground
networks. It is only time before they stumble on the full problem and exploit this. By sharing this information with 
you, I am enabling you
to close this issue early.

Thank you for your time.

Cheers,
Shishir



On Fri, Jul 25, 2008 at 9:32 PM, Shishir Birmiwal <shr () birmiwal net> wrote:
> ------------------------
> This advisory is being provided to you under the policy documented at
> http://www.wiretrip.net/rfp/policy.html. You are encouraged to read
> this policy; however, in the interim, you have approximately 5 days to
> respond to this initial email. This policy encourages open
> communication, and I look forward to working with you on resolving the
> problem detailed below.
> -------------------------
>
> Hello,
>
>  I have discovered a problem in the way accounts are setup in the
>  airtel issued modems (esp. in 220bx series of modems).
>  As a result of the problem, the modem can be hijacked by malicious
>  parties and the modems can be used as bots or for harvesting
>  personal/confidential information, tapping all internet usage,
>  spamming, (D)DoS, and launching MITM attacks, among other activities.
>  Essentially, the problem allows a remote network entity to log into
>  the modem and acquire root privilege. Once running as root, the entity
>  can intercept, monitor and change all internet traffic of the modem
>  user.
>
>  The security flaw deals with the way:
>  * account(s) are created
>  * default settings for remote access to the modem are set
>  * mechanism in which the passwords are protected/displayed to the user
>  * the way in which the password(s) are created/set for each modem
>
>  Due to the serious nature of the flaw, I would not like to divulge
>  more details to this broad list of people I have emailed. I will be more than
>  happy to give details if an appropriate/authorised entity emails back.
>  I would like to raise this concern and flag this to you in hopes that
>  you will be able to push out a firmware update patch to fix these
>  issues.
>
>  I intend to disclose this vulnerability online in 30 days. You have 5 days to
>  respond to this email, failing which, I will report this issue online in 5 days
>  from today.
>
> Cheers,
> Shishir