Pwning The BSNL Broadband Users Sathya Prakash.K Boris-Info
Varun.V
ADSL Modem/Routers
• UTStarcom
• Huawei
• Nokia-Siemens
UTStarcom-ut300r2u
About The Device
• Broadcom chipset BCM96338
• The usual web interface, served by a lightweight httpd server
• DHCP server and the usual features
• Telnet and SNMP services
Security Deployed
• Remote HTTP access to the router over the WAN is disabled.
• Router management and configuration are gated by the privileges of the authenticated user.
• By default the router has 3 user accounts: 1. Admin 2. User 3. Support
ADMIN privileged user
USER privileged user
Present Vulnerabilities
• Poor privilege management
• Deciphered (plaintext) passwords in JavaScript
• Telnet ADMIN access
• CSRF
• Lack of good documentation from the ISP
Poor privilege management
• The router's entire user privilege management is handled by client-side scripting (JavaScript).
• Threat Level: High
Source code of menu frame
menuBcm.js
Accessing ADMIN menus
Deciphered passwds
• Deciphered (plaintext) passwords are used by JavaScript to compare against the password the user enters when changing the password.
• Threat Level: High
password.html
ADMIN access @ TELNET
• As privilege management is done entirely in JavaScript, and there is no JavaScript to run in a telnet session, ADMIN access is granted regardless of the account's privileges.
• Threat Level: Medium
Telneting as ADMIN
Telneting as USER
CSRF
• Cross-Site Request Forgery: an attack in which the attacker makes the victim's browser send a request of the attacker's choosing, carrying the victim's credentials. Example:
• http://kingpin:[email protected]/post.php?value=admin's_of_this_forum_are_idiot&action=post
Lack of Good Documentation
• We are in a digital era of breaking DES and RSA. In this era, is this what passes for security documentation?
• Seriously, IT security in India has miles to go...
ExpL0ItinG the ut300r2u
• Malware way: the exploit can be carried as the payload of a virus. It telnets into the router and changes the configuration.
• Web way: use CSRF to log in to the victim's router and change the configuration. The entire process can be hidden in iframes.
Possible Attacks
• DoS
• Remote sniffing
• Phishing
• And many more, depending on the attacker's creativity
DoS
• This could be accomplished in many ways:
• Specifying unreachable routes for the router
• Killing the PPPoE session in a loop using malware
• etc.
Sniffing
• Specify a static route on the victim's router that passes through the attacker's network
• Then fire up Wireshark and sslstrip.
Phishing/Pharming
• Replace the DNS servers configured on the victim's router with the attacker's
Web Xploit
Malware way
DNS
Solutions
Temporary: Change the default password for the ADMIN and USER groups of users, as the default User:User combination lets the attacker into the router.
Permanent: Get rid of those JavaScripts and implement access control with server-side scripts and session cookies. Access control in client-side scripting is completely pointless, since the client can do anything.
Solutions
Last but not least: "Don't give dumb instructions to the HOME USERS on configuring the device"
Thank you