Security Bug in Bintec Router Firmware (CLID)

From: Pascal Gienger (pat_private)
Date: Wed Feb 10 1999 - 13:10:57 PST


    Vulnerability in Bintec Firmware BOSS V4.9 Release 1 and earlier
    
    Abstract:
    Failure to interpret the "international" or "national" flag of an incoming
    call setup leads to a security problem when you accept connections based on
    the incoming call number.
    
    Bintec is a manufacturer of routers whose market share is growing steadily,
    so the following information should be of general interest.
    Bintec routers are shipped with the BOSS operating system; the current
    release is V4.9, Rel. 3.
    
    Besides PPP links, Bricks also support raw IP encapsulation over HDLC
    frames (ISDN line).
    In the latter case, WAN partners are distinguished by their incoming call
    number (CLID), so you must "trust" your telephone company to issue the
    right information. Callers may set their own "outgoing" number, but only
    the numbers marked as "screened" by the telco are considered.
    
    In Germany, you have to dial a "0" to exit your local area and "00" to
    place an international call. These zeros, however, do not belong to the
    real telephone number; they are not passed along with the ISDN call request.
    So a call from +41 1 1234567 (dialled as 0041 1 1234567) is passed as
    "4111234567". A call from 0411 1234567 (a national call from city zone
    "4111") is also passed as "4111234567". You have to configure this
    "4111234567" as the incoming number in the Brick setup, because otherwise
    the Brick would not recognize the call.
    The only difference between the two calls is a flag which says whether the
    call is an international one or not.
    
    BOSS does not distinguish these two cases, leaving this security hole open.
    If you know the number of a WAN partner abroad and that number has fewer
    than 9 digits, you can search for the matching local zone in Germany and
    try to obtain the corresponding number there to reach the router. This
    might be complicated, but if you know that there is sensitive stuff to
    get...
    
    A possible fix would be to always insist on a form like "49411123456789"
    for the national German call, i.e. with the leading international prefix,
    so that the stored partner number can never collide with a foreign one.
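    The check the fix describes, as an added example that is not Bintec's code or BOSS behaviour: the ISDN network delivers the calling digits with the trunk prefixes "0"/"00" already removed plus a type-of-number flag, so a defender should canonicalize the CLID with the home country code before matching it against configured WAN partners. The home country code "49", the partner names and the sample numbers are constructed assumptions taken from the advisory's own figures.

```python
from typing import Dict, Optional

# Assumption: the router sits in Germany, as in the advisory.
HOME_COUNTRY_CODE = "49"


def canonical_clid(digits: str, international: bool,
                   home_cc: str = HOME_COUNTRY_CODE) -> str:
    """Return the CLID in the "with leading country code" form the fix proposes.

    `digits` is what the ISDN call setup carries: "4111234567" can mean
    +41 1 1234567 (international) or 0411 1234567 inside Germany (national);
    only the flag tells them apart, so the flag decides whether to prefix.
    """
    digits = "".join(ch for ch in digits if ch.isdigit())
    if not digits:
        raise ValueError("empty calling number")
    return digits if international else home_cc + digits


def naive_match(digits: str, partners: Dict[str, str]) -> Optional[str]:
    """Behaviour the advisory criticizes: the flag is ignored, raw digits are keyed."""
    return partners.get(digits)


def strict_match(digits: str, international: bool,
                 partners: Dict[str, str]) -> Optional[str]:
    """Fixed behaviour: partners are stored canonically and the flag is consulted."""
    return partners.get(canonical_clid(digits, international))


# Constructed partner tables: one WAN partner abroad, in Zurich.
RAW_PARTNERS = {"4111234567": "zurich-office"}          # keyed on bare digits
CANONICAL_PARTNERS = {"4111234567": "zurich-office"}    # already has country code 41


def demo() -> Dict[str, Optional[str]]:
    """Compare both policies on the genuine call and on the colliding national call."""
    genuine = ("4111234567", True)    # +41 1 1234567, screened by the telco
    national = ("4111234567", False)  # 0411 1234567 from German city zone 4111
    return {
        "naive_genuine": naive_match(genuine[0], RAW_PARTNERS),
        "naive_national": naive_match(national[0], RAW_PARTNERS),    # accepted: the hole
        "strict_genuine": strict_match(*genuine, CANONICAL_PARTNERS),
        "strict_national": strict_match(*national, CANONICAL_PARTNERS),  # None: rejected
    }
```

Keying the partner table on the canonical form also makes the stored number self-describing in the configuration, which is what the advisory's "49411123456789" form achieves.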
    
    I wrote a notice to Bintec 24h ago, but I have had no response so far.
    I'll pass on their answer as soon as I get it.
    
    I would not be surprised to hear that other router firmwares act in the
    same way...
    
    Pascal
    --
    Unix,   Pascal Gienger, Moosstr. 7 /\ 7 .rtssooM ,regneiG lacsaP    xinU
    Networx 78467 Konstanz, pat_private /  \ ed.tenz@p ,znatsnoK 76487 xrowteN
    & WWW       http://pascal.znet.de/    \ed.tenz.lacsap\\:ptth       WWW &
            http://echo.znet.de:8888/ echo \8888:ed.tenz.ohce\\:ptth
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:29 PDT